On 28/07/11 14:40, David Stroud wrote:
> Hey there,
> 
> After chatting with jemarch in the irc channel, I was advised to submit a
> bug report of this issue I've been having.
> 
> I'm trying to compress JavaScript inside PDFs for use in avoiding AVs in
> client side attacks. To begin with I was just encoding this single line in
> pdf-filter:
> 
> app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon:
> 3});
> 
> and it worked fine with lzw encoding, rle, ahex and flate (singularly or
> stacked together).
> 
> After that, I moved on to the actual exploit itself, which is the
> collectemailinfo heap spray. Here is the code with a payload that spawns
> calculator:
> 
> [...]
>

I cannot reproduce your bug. Copied the payload that you placed here into
test-lzw, then:

  $ ./pdf-filter --lzwenc < test-lzw > test-lzw.enc
  $ ./pdf-filter --lzwdec < test-lzw.enc > test-lzw.dec
  $ diff test-lzw test-lzw.dec

Can you provide further information? How exactly does the filter not
work, what steps are you taking to encode and decode?

Thanks,

JP

PS: I do not believe the trailing 0 is the source of the problem, and
indeed that 0 must be harmless -- apart from wasting 1 byte.
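
JP's encode, decode and diff check, as an added Python example (my own code, not from the thread and not pdf-filter's implementation): a small codec for the PDF LZWDecode filter (9- to 12-bit codes packed high-order bit first, 256 = clear table, 257 = EOD, EarlyChange=1 widening by default), which is what a scanner or analyst needs in order to read compressed JavaScript back out of a PDF stream. The decoder stops at EOD, so a trailing padding byte such as the 0 mentioned in the PS is ignored; the function names and the table-reset threshold are my own choices.

```python
CLEAR, EOD = 256, 257
SAMPLE = b"app.alert({cMsg: 'Hello there', cTitle: 'Testing PDF JavaScript', nIcon: 3});"
def _grow(next_code, width, early):
    """One more table entry was created; widen the codes when the table demands it."""
    next_code += 1
    return next_code, (width + 1 if next_code + early > (1 << width) and width < 12 else width)
def lzw_encode(data: bytes, early: int = 1) -> bytes:
    out, bits = bytearray(), [0, 0]                     # bits = [accumulator, bit count]
    def emit(code, width):                              # pack one code, high-order bit first
        bits[0], bits[1] = (bits[0] << width) | code, bits[1] + width
        while bits[1] >= 8: bits[1] -= 8; out.append((bits[0] >> bits[1]) & 0xFF)
        bits[0] &= (1 << bits[1]) - 1
    table, next_code, width, w = {bytes([i]): i for i in range(256)}, 258, 9, b""
    emit(CLEAR, width)
    for byte in data:
        wc = w + bytes([byte])
        if wc in table: w = wc; continue
        emit(table[w], width)
        table[wc] = next_code
        next_code, width = _grow(next_code, width, early)
        if next_code >= 4094:                           # table nearly full: start over (threshold is my choice)
            emit(CLEAR, width)
            table, next_code, width = {bytes([i]): i for i in range(256)}, 258, 9
        w = bytes([byte])
    if w:
        emit(table[w], width)
        next_code, width = _grow(next_code, width, early)  # the decoder adds an entry here too
    emit(EOD, width)
    if bits[1]: out.append((bits[0] << (8 - bits[1])) & 0xFF)   # zero-pad the last byte
    return bytes(out)

def lzw_decode(data: bytes, early: int = 1) -> bytes:
    out, acc, nbits, pos = bytearray(), 0, 0, 0
    table, width, prev = [bytes([i]) for i in range(256)] + [b"", b""], 9, None
    while True:
        while nbits < width:                            # refill the bit buffer
            if pos >= len(data): raise ValueError("stream ended without EOD")
            acc, nbits, pos = (acc << 8) | data[pos], nbits + 8, pos + 1
        nbits -= width
        code, acc = (acc >> nbits) & ((1 << width) - 1), acc & ((1 << nbits) - 1)
        if code == EOD: return bytes(out)               # bytes after EOD (e.g. a stray 0) are ignored
        if code == CLEAR: table, width, prev = [bytes([i]) for i in range(256)] + [b"", b""], 9, None; continue
        if code < len(table): entry = table[code]
        elif code == len(table) and prev is not None: entry = prev + prev[:1]  # KwKwK: entry not built yet
        else: raise ValueError("invalid LZW code %d" % code)
        out += entry
        if prev is not None:
            table.append(prev + entry[:1])
            if len(table) + early >= (1 << width) and width < 12: width += 1
        prev = entry
```

The pair `lzw_decode(lzw_encode(x)) == x` is the same round trip as the `diff test-lzw test-lzw.dec` step above, and the spec's own `-----A---B` example encodes to `80 0B 60 50 22 0C 0C 85 01`.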

