
Uncover Adobe Reader X sandbox exceptions

a guest
Jan 6th, 2013
  1. ''' From http://blog.binamuse.com/ '''
  2. from winappdbg import Debug, Process, version
  3. import sys, hashlib, struct
  4.  
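def print_policy(event):
    """Breakpoint callback: print one sandbox policy rule as it is registered.

    Reads three stack-passed arguments of the function the breakpoint sits on
    and prints them as ``Rule: <subsystem>, <semantic>, <value>``.

    Args:
        event: winappdbg debug event for the breakpoint hit; only
            ``get_process()`` and ``get_thread()`` are used.

    NOTE(review): the +0x4/+0x8/+0xC offsets assume a 32-bit target stopped
    on the function's first instruction, so that [sp] still holds the return
    address -- confirm against the build being inspected.
    """
    # Upper bound on the string read. The pointer comes from the debuggee
    # (the debugger is created with bHostileCode=True), so never scan memory
    # without a limit while looking for the terminator.
    max_bytes = 0x10000

    # Get process, thread and stack pointer.
    process = event.get_process()
    thread = event.get_thread()
    stack = thread.get_sp()

    # Read the 3 arguments from the debuggee's memory.
    subsystem = process.read_pointer(stack + 0x4)
    semantic = process.read_pointer(stack + 0x8)
    value_p = process.read_pointer(stack + 0xC)

    # The third argument points at a NUL-terminated UTF-16 string: read it
    # one 16-bit code unit at a time and stop at the terminator.
    raw = bytearray()
    while len(raw) < max_bytes:
        unit = process.read(value_p + len(raw), 2)
        # b'' literals keep the comparison valid on both Python 2 and 3;
        # a short read means there is nothing more to fetch.
        if len(unit) < 2 or unit == b'\x00\x00':
            break
        raw += unit

    # Decode without the terminator (the original printed a trailing NUL) and
    # with an explicit byte order, so leading FF FE bytes are not eaten as a
    # BOM. Malformed data is replaced instead of aborting the callback.
    value = raw.decode('utf-16-le', 'replace')

    print("Rule: %d, %d, %s" % (subsystem, semantic, value))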
  21.  
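if __name__ == '__main__':
    # Win32 debug event code for process creation (the original compared
    # against the bare literal 3).
    CREATE_PROCESS_DEBUG_EVENT = 3

    # The formatted form prints the same text under Python 2 and Python 3.
    print("Wellcome. Using Winappdbg version %s" % (version,))

    # Instantiate the debugger. bKillOnExit terminates the debuggee when the
    # debugger goes away, so no Reader process is left behind un-instrumented.
    # NOTE(review): bHostileCode is understood to enable winappdbg's extra
    # precautions for untrusted debuggees -- confirm for the installed version.
    debug = Debug(bKillOnExit=True, bHostileCode=True)

    path = r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
    # Kept separate from the imported winappdbg ``version``, which the
    # original rebound here.
    reader_version = '11.0.0'
    # Offset of the policy-adding function from the AcroRd32 image base.
    # It is tied to the build named above: on any other build the breakpoint
    # lands on unrelated code and print_policy reads meaningless values.
    # Hint: use the string "Check failed: policy_." to hunt the function
    # that adds a new policy.
    policy_function_offset = 0x20370

    print("Adobe Reader X %s" % reader_version)

    try:
        # Run the reader!
        debug.execl(path)

        # Loop while the debuggee is alive.
        while debug:
            # Get the next debug event.
            event = debug.wait()

            # Dispatch the event and continue execution.
            try:
                debug.dispatch(event)
                # Add the breakpoint when AcroRd32 gets loaded.
                if event.get_event_code() == CREATE_PROCESS_DEBUG_EVENT:
                    process = event.get_process()
                    base_address = event.get_image_base()
                    print("AcroRd32 Main module found at %08x" % base_address)

                    # Computed from the runtime image base rather than a
                    # fixed address.
                    breakpoint_address = base_address + policy_function_offset

                    # Setting the breakpoint.
                    print("Setting breakpoint at %08x" % breakpoint_address)
                    debug.break_at(process.get_pid(), breakpoint_address,
                                   print_policy)

            except Exception as e:
                # Best effort: report the failure and keep the loop going.
                print("Exception in user code: %s" % (e,))
            finally:
                # Always resume the debuggee, otherwise it stays frozen.
                debug.cont(event)
    finally:
        # Stop the debugger even when the loop is left through an exception
        # (Ctrl-C, a failing wait()); the original only stopped it on a
        # clean exit.
        debug.stop()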