Friday, March 12, 2010

Mar.12 CVE-2010-0188 Adobe PDF LibTiff Integer Overflow Code Execution Exploit Code by Villy

Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader

Author: villy (villys777 at

CVE: CVE-2010-0188
Tested: successfully tested on Adobe Reader 9.1/9.2/9.3.0 on Windows XP (SP2, SP3);
also works with the Adobe browser plug-in.
The exploit works with Adobe JavaScript disabled.
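The header above names the bug class (an integer overflow in TIFF handling) without showing what that pattern looks like in code. The following is an added example, written for this page and not villy's exploit or libtiff's own code: it contrasts the classic `count * element_size` wrap with the checked form, and walks the first IFD of a little-endian TIFF to flag entries whose declared size wraps or does not fit in the file. The sample TIFF bytes are constructed here for illustration (the choice of tag is arbitrary and is not a claim about the CVE's actual code path), and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte size of each TIFF 6.0 field type: BYTE=1, ASCII=2, SHORT=3, LONG=4,
 * RATIONAL=5, SBYTE=6, UNDEFINED=7, SSHORT=8, SLONG=9, SRATIONAL=10,
 * FLOAT=11, DOUBLE=12. Index 0 is unused. */
static const uint32_t tiff_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Vulnerable pattern: count * element size computed in 32 bits. For a large
 * count the product wraps, so a buffer sized from it is far smaller than the
 * data the tag actually claims, and a later copy of `count` elements
 * overruns it. */
uint32_t naive_entry_bytes(uint32_t count, uint32_t typesize) {
    return count * typesize;
}

/* Hardened pattern: detect the wrap before sizing any buffer.
 * Returns 1 and stores the byte count on success, 0 if it would overflow. */
int checked_entry_bytes(uint32_t count, uint32_t typesize, uint32_t *out) {
    if (typesize != 0 && count > UINT32_MAX / typesize)
        return 0;
    *out = count * typesize;
    return 1;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk the first IFD of a little-endian ("II") TIFF and count entries whose
 * declared size wraps, uses an unknown type, or points past the end of the
 * file. Returns -1 on a malformed header, else the number of suspicious
 * entries. */
int scan_tiff_ifd(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42)
        return -1;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2)
        return -1;
    uint16_t n = rd16(buf + ifd);
    if (len - ifd - 2 < (size_t)n * 12)
        return -1;

    int suspicious = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4), value = rd32(e + 8);
        uint32_t tsize = (type >= 1 && type <= 12) ? tiff_type_size[type] : 0;
        uint32_t bytes;

        if (tsize == 0) { suspicious++; continue; }
        if (!checked_entry_bytes(count, tsize, &bytes)) {
            printf("tag 0x%04x: count %u * %u wraps (naive size %u)\n",
                   tag, count, tsize, naive_entry_bytes(count, tsize));
            suspicious++;
            continue;
        }
        /* Values wider than 4 bytes live at offset `value`; they must fit. */
        if (bytes > 4 && (value > len || bytes > len - value))
            suspicious++;
    }
    return suspicious;
}

/* Constructed sample (not a real malicious file): a minimal TIFF whose IFD
 * has one benign entry and one SHORT entry with count 0x80000001, so that
 * count * 2 wraps to 2 in 32-bit arithmetic. */
static const uint8_t sample_tiff[] = {
    'I','I', 42,0, 8,0,0,0,                      /* header, first IFD at offset 8 */
    2,0,                                          /* two entries */
    0x00,0x01, 3,0, 1,0,0,0, 0x10,0,0,0,          /* ImageWidth, SHORT, count 1, value 16 */
    0x02,0x01, 3,0, 0x01,0x00,0x00,0x80, 0x40,0,0,0, /* BitsPerSample, SHORT, count 0x80000001 */
    0,0,0,0                                       /* no next IFD */
};

int scan_sample(void) { return scan_tiff_ifd(sample_tiff, sizeof sample_tiff); }

int main(void) {
    printf("suspicious entries in sample: %d\n", scan_sample());
    return 0;
}
```

The scanner is deliberately format-level: it does not decode image data, so it can be run over TIFF streams pulled out of a suspect PDF without exercising any decoder. The same `count > UINT32_MAX / typesize` guard is the fix shape for any "elements times element size" allocation, whatever the parser.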

Update March 18, 2010 
"This exploit worked flawlessly against Adobe Reader 9.3 despite DEP being enabled. (For those who didn't know, Adobe Reader 9 enables DEP "permanently".)
"What I found was that several function tails were being used to create a hunk of memory that was not protected by DEP. After this was created, a bit more ROP (return oriented programming) was used to accomplish a "memcpy" of a small loader stub to this memory and execute it.

You might be asking yourself, "Great, but why do we care?" ... Well, AFAIK (feel free to comment), this is the first public exploit that uses multiple tail chunks to completely bypass permanent DEP. It certainly gives me a bit of chill to see this coming from a maliciously circulating document..."
-   More from

Update March 17, 2010
Client Sides and Adobe 9.3
"A hacker by the nick of villy made a python script that will create a pdf that will launch calc.exe on a WinXP SP2 Box with the most up-to-date version of Adobe Reader installed even with Java turned off.
After playing with it we replaced the shellcode with a Windows Reverse Shell and then tried it on a fully patched system! BAM – Shell again.
We took the PDF file and uploaded it to Virus Total and an amazing 0/42 was returned and that is before we even used Shikata Ga Nai to encode it." - loganWHD
more from

Chris Hadnagy (aka loganWHD) posted the results of the exploit testing, plus a video documenting their adventures.
