API tools faq
paste
Advertisement
Guest User

Uncover Adobe Reader X sandbox exceptions

a guest
Jan 6th, 2013
183
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.07 KB | None | 0 0
raw download clone embed print report
  1. ''' From http://blog.binamuse.com/ '''
  2. from winappdbg import Debug, Process, version
  3. import sys, hashlib, struct
  4.  
  5. def print_policy(event):
  6.     #get process, thread and stak pointer
  7.     process = event.get_process()
  8.     thread = event.get_thread()
  9.     stack = thread.get_sp()
  10.  
  11.     #read the 3 arguments from the debugee memory
  12.     subsystem = process.read_pointer(stack+0x4)
  13.     semantic = process.read_pointer(stack+0x8)
  14.     value_p = process.read_pointer(stack+0xC)
  15.     value = process.read(value_p, 2)
  16.     while value[-2:] != '\x00\x00':
  17.         value += process.read(value_p+len(value),2)
  18.     value = value.decode('utf-16')
  19.  
  20.     print "Rule: %d, %d, %s"%(subsystem,semantic,value)
  21.  
  22. if __name__ == '__main__':
  23.     print "Wellcome. Using Winappdbg version", version
  24.     #Instantiate the debugger
  25.     debug = Debug(bKillOnExit=True, bHostileCode=True)
  26.  
  27.     path = r"C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
  28.     version = '11.0.0'
  29.  
  30.     print "Adobe Reader X %s"%version
  31.  
  32.     #Run the reader!
  33.     debug.execl(path)
  34.  
  35.     # Loop while is alive
  36.     while debug:
  37.         # Get the next debug event.
  38.         event = debug.wait()
  39.  
  40.         # Dispatch the event and continue execution.
  41.         try:
  42.             debug.dispatch(event)
  43.             # add breakpoint when acrord32 gets loaded
  44.             if event.get_event_code() == 3:
  45.                 process = event.get_process()
  46.                 base_address = event.get_image_base()
  47.                 print "AcroRd32 Main module found at %08x"%base_address
  48.  
  49.                 # Hint: Use the string "Check failed: policy_." to hunt
  50.                 # the function that adds a new policy
  51.                 breakpoint_address = base_address + 0x20370
  52.  
  53.                 #setting breakpoint
  54.                 print "Setting breakpoint at %08x"%breakpoint_address
  55.                 debug.break_at(process.get_pid(), breakpoint_address, print_policy)
  56.  
  57.         except Exception,e:
  58.             print "Exception in user code:",e
  59.         finally:
  60.             debug.cont(event)
  61.  
  62.     # Stop the debugger.
  63.     debug.stop()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!