On 28/07/11 14:40, David Stroud wrote:
> Hey there,
>
> After chatting with jemarch in the irc channel, I was advised to submit a
> bug report of this issue I've been having.
>
> I'm trying to compress JavaScript inside PDFs for use in avoiding AVs in
> client side attacks. To begin with I was just encoding this single line in
> pdf-filter:
>
> app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon:
> 3});
>
> and it worked fine with lzw encoding, rle, ahex and flate (singularly or
> stacked together).
>
> After that, I moved on to the actual exploit itself, which is the
> collectemailinfo heap spray. Here is the code with a payload that spawns
> calculator:
>
> [...]
>
I cannot reproduce your bug. I copied the payload that you placed here into
test-lzw, then:
$ ./pdf-filter --lzwenc < test-lzw > test-lzw.enc
$ ./pdf-filter --lzwdec < test-lzw.enc > test-lzw.dec
$ diff test-lzw test-lzw.dec
Can you provide further information? How exactly does the filter not
work, and what steps are you taking to encode and decode?
Thanks,
JP
PS: I do not believe the trailing 0 is the source of the problem, and
indeed that 0 must be harmless -- apart from wasting 1 byte.
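The encode, decode and diff sequence in the reply is the right way to check a filter implementation against arbitrary binary input, including data that ends in a NUL byte. The following is an added example written for this thread; it is not GNU PDF's pdf-filter code and not part of the original exchange. It implements the PDF LZWDecode filter as specified (9- to 12-bit codes packed MSB first, CLEAR=256, EOD=257, EarlyChange=1, which is the PDF default) as a self-contained encoder and decoder, so the round trip can be reproduced and the code-width transitions and table reset can be exercised without the pdf-filter binary. The sample inputs are constructed here: the app.alert line quoted in the thread with a trailing NUL appended, and pseudo-random data long enough to overflow the 4096-entry table.

```python
# PDF LZWDecode filter round trip (added example, not pdf-filter's code).
# Assumes PDF defaults: codes 9..12 bits, MSB first, CLEAR=256, EOD=257, EarlyChange=1.
import random

CLEAR, EOD = 256, 257
MAX_BITS = 12
EARLY = 1  # EarlyChange=1: widen the code one entry early (PDF default)


class _BitWriter:
    """Packs variable-width codes MSB first, as LZWDecode expects."""

    def __init__(self):
        self.out, self.acc, self.nbits = bytearray(), 0, 0

    def write(self, code, width):
        self.acc = (self.acc << width) | code
        self.nbits += width
        while self.nbits >= 8:
            self.nbits -= 8
            self.out.append((self.acc >> self.nbits) & 0xFF)
        self.acc &= (1 << self.nbits) - 1

    def flush(self):
        if self.nbits:  # zero-pad the final partial byte
            self.out.append((self.acc << (8 - self.nbits)) & 0xFF)
        return bytes(self.out)


class _BitReader:
    def __init__(self, data):
        self.data, self.pos, self.acc, self.nbits = data, 0, 0, 0

    def read(self, width):
        """Return the next code, or None if the stream ends first."""
        while self.nbits < width:
            if self.pos >= len(self.data):
                return None
            self.acc = (self.acc << 8) | self.data[self.pos]
            self.pos += 1
            self.nbits += 8
        self.nbits -= width
        code = (self.acc >> self.nbits) & ((1 << width) - 1)
        self.acc &= (1 << self.nbits) - 1
        return code


def lzw_encode(data: bytes) -> bytes:
    out = _BitWriter()
    table, next_code, width = {}, 0, 0

    def reset():
        nonlocal table, next_code, width
        table = {bytes([i]): i for i in range(256)}
        next_code, width = 258, 9

    def emit(code):
        # Write one code, then mirror the decoder's table growth so both sides
        # agree on the width. The decoder adds one entry per code it reads (after
        # the first), so it sits one entry behind next_code; hence "EARLY - 1".
        nonlocal next_code, width
        out.write(code, width)
        next_code += 1
        if next_code + EARLY - 1 >= (1 << width):
            if width == MAX_BITS:  # table full: clear and start over
                out.write(CLEAR, width)
                reset()
            else:
                width += 1

    reset()
    out.write(CLEAR, width)
    cur = b""
    for byte in data:
        cand = cur + bytes([byte])
        if cand in table:
            cur = cand
            continue
        table[cand] = next_code  # discarded again if emit() has to clear
        emit(table[cur])
        cur = bytes([byte])
    if cur:
        emit(table[cur])
    out.write(EOD, width)
    return out.flush()


def lzw_decode(data: bytes) -> bytes:
    rd, out = _BitReader(data), bytearray()
    table = [bytes([i]) for i in range(256)] + [b"", b""]  # 256/257 placeholders
    width, prev = 9, None
    while True:
        code = rd.read(width)
        if code is None or code == EOD:  # a missing EOD is tolerated, as most readers do
            break
        if code == CLEAR:
            table = [bytes([i]) for i in range(256)] + [b"", b""]
            width, prev = 9, None
            continue
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]  # "KwKwK" case: code not yet in our table
        else:
            raise ValueError("corrupt LZW stream: code %d out of range" % code)
        out += entry
        if prev is not None:
            table.append(prev + entry[:1])
            if len(table) + EARLY >= (1 << width) and width < MAX_BITS:
                width += 1
        prev = entry
    return bytes(out)


def roundtrip_ok(data: bytes) -> bool:
    """The encode -> decode -> diff check from the thread, in one call."""
    return lzw_decode(lzw_encode(data)) == data


# Constructed sample inputs: the quoted app.alert line plus a trailing NUL, and
# 6000 pseudo-random bytes, enough to overflow the table and force a CLEAR.
SAMPLE_JS = b"app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon: 3});\x00"
SAMPLE_RANDOM = bytes(random.Random(1).getrandbits(8) for _ in range(6000))
```

`roundtrip_ok(SAMPLE_JS)` and `roundtrip_ok(SAMPLE_RANDOM)` both return True; the NUL at the end survives the round trip because LZW works on whole code entries and never treats a byte value as a terminator. To compare against another implementation, feed it the bytes `lzw_encode` produces (or decode its output with `lzw_decode`) and diff, exactly as the reply does with pdf-filter; a mismatch then points at either the code-width transition at 511/1023/2047 entries or the CLEAR handling, which are where LZW implementations usually disagree.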