On 28/07/11 14:40, David Stroud wrote:
> Hey there,
>
> After chatting with jemarch in the irc channel, I was advised to submit a
> bug report of this issue I've been having.
>
> I'm trying to compress JavaScript inside PDFs for use in avoiding AVs in
> client side attacks. To begin with I was just encoding this single line in
> pdf-filter:
>
> app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon:
> 3});
>
> and it worked fine with lzw encoding, rle, ahex and flate (singularly or
> stacked together).
>
> After that, I moved on to the actual exploit itself, which is the
> collectemailinfo heap spray. Here is the code with a payload that spawns
> calculator:
>
> [...]
>
I cannot reproduce your bug. Copied the payload that you placed here into
test-lzw, then:

$ ./pdf-filter --lzwenc < test-lzw > test-lzw.enc
$ ./pdf-filter --lzwdec < test-lzw.enc > test-lzw.dec
$ diff test-lzw test-lzw.dec

Can you provide further information? How exactly does the filter not work,
what steps are you taking to encode and decode?

Thanks,
JP

PS: I do not believe the trailing 0 is the source of the problem, and indeed
that 0 must be harmless -- apart from wasting 1 byte.
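The encode / decode / diff check in the reply, carried out in code as an added example. This is not the GNU PDF project's pdf-filter code and is not from either message: it is a small Python implementation of the PDF LZWDecode filter conventions (9- to 12-bit codes packed MSB first, clear code 256, end-of-data code 257, the EarlyChange parameter with the PDF default of 1, and a table reset before the 12-bit table overflows), plus a round-trip check. The sample input is the benign app.alert line from the report with a trailing 0 byte appended, so the check covers the "trailing 0" question directly; the pseudo-random generator, SAMPLE and all function names are my own assumptions, and the known-answer string "-----A---B" is the worked LZW example from the PDF Reference.

```python
"""PDF-style LZW (LZWDecode filter) encoder/decoder for round-trip checks.

Added example for this thread, not code from the GNU PDF project.  Follows the
PDF filter conventions: 9- to 12-bit codes packed MSB-first, code 256 = clear
table, 257 = end of data, EarlyChange (PDF default 1).
"""

CLEAR, EOD, FIRST_FREE, MAX_BITS = 256, 257, 258, 12


def _initial_table():
    return {bytes([i]): i for i in range(256)}


def lzw_encode(data: bytes, early: int = 1) -> bytes:
    """Encode data with PDF LZW; the returned stream ends with an EOD code."""
    table, next_code, width = _initial_table(), FIRST_FREE, 9
    acc, nbits, out = 0, 0, bytearray()

    def emit(code):
        nonlocal acc, nbits
        acc, nbits = (acc << width) | code, nbits + width
        while nbits >= 8:                    # flush whole bytes, MSB first
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
        acc &= (1 << nbits) - 1

    emit(CLEAR)
    w = b""
    for b in data:
        wc = w + bytes([b])
        if wc in table:
            w = wc
            continue
        emit(table[w])
        if next_code + early >= (1 << MAX_BITS):
            emit(CLEAR)                      # table full: restart at 9 bits
            table, next_code, width = _initial_table(), FIRST_FREE, 9
        else:
            table[wc] = next_code
            next_code += 1
            if next_code + early > (1 << width) and width < MAX_BITS:
                width += 1
        w = bytes([b])
    if w:
        emit(table[w])
        # The decoder still adds one entry on this last code; mirror its width
        # bookkeeping so EOD is written with the width it will be read with.
        next_code += 1
        if next_code + early > (1 << width) and width < MAX_BITS:
            width += 1
    emit(EOD)
    if nbits:                                # zero-pad the final partial byte
        out.append((acc << (8 - nbits)) & 0xFF)
    return bytes(out)


def lzw_decode(stream: bytes, early: int = 1) -> bytes:
    """Decode a PDF LZW stream; stops at EOD or when the input is exhausted."""
    acc, nbits, idx = 0, 0, 0

    def read_code(width):
        nonlocal acc, nbits, idx
        while nbits < width:
            if idx >= len(stream):
                return None
            acc, nbits, idx = (acc << 8) | stream[idx], nbits + 8, idx + 1
        nbits -= width
        code = (acc >> nbits) & ((1 << width) - 1)
        acc &= (1 << nbits) - 1
        return code

    def fresh():
        return [bytes([i]) for i in range(256)] + [b"", b""]  # 256/257 reserved

    table, width, prev, out = fresh(), 9, None, bytearray()
    code = read_code(width)
    while code is not None and code != EOD:
        if code == CLEAR:
            table, width, prev = fresh(), 9, None
        else:
            if code < len(table):
                entry = table[code]
            elif code == len(table) and prev is not None:
                entry = prev + prev[:1]      # KwKwK case: code not yet in table
            else:
                raise ValueError("corrupt LZW stream: code %d" % code)
            out += entry
            if prev is not None:             # decoder lags the encoder by one entry
                table.append(prev + entry[:1])
            prev = entry
            if len(table) + early >= (1 << width) and width < MAX_BITS:
                width += 1
        code = read_code(width)
    return bytes(out)


# Constructed sample: the benign alert line from the report plus a trailing NUL,
# to check that a terminating 0 byte survives the filter unchanged.
SAMPLE = (b"app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', "
          b"nIcon: 3});\x00")


def pseudo_random_bytes(n: int, seed: int = 1) -> bytes:
    """Deterministic LCG byte stream (constructed, poorly compressible input that
    forces the 9->12 bit widening and several table resets)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def roundtrip_ok(data: bytes, early: int = 1) -> bool:
    """Encode then decode and compare, like the lzwenc / lzwdec / diff steps."""
    return lzw_decode(lzw_encode(data, early), early) == data


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("random", pseudo_random_bytes(20000))):
        print(name, len(blob), "->", len(lzw_encode(blob)), "bytes, ok:", roundtrip_ok(blob))
```

The width rule is where most LZW implementations disagree: the decoder's table is always one entry behind the encoder's, so the decoder compares `len(table) + early >= 2**width` while the encoder compares `next_code + early > 2**width`; with early=0 that is the "as late as possible" switch, with early=1 the switch happens one code earlier, which is what PDF readers expect by default. Running `roundtrip_ok` with both values of `early` on data long enough to pass the 511 and 1023 code boundaries is the quickest way to catch an off-by-one in either side.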