“Two xref tables and two %%EOF“? This alone is not an indication of a malicious PDF file. There can by two or even more instances of each, if the file was generated via the “incremental update” feature. (Each digitally signed PDF file is like that, and each file which was changed in Acrobat and saved … Read more
This vulnerability was definitely a heap overflow. How can writing 0XFFFFFFFE bytes (4 GB!!!!) possibly not crash the program? It probably will, but on some occasions you got time to exploit before the crash happens (sometimes, you can get the program back to its normal execution and avoid the crash). When the memcpy() starts, the … Read more
Notice the replace call after the giant messy string: .replace(/#|\$|@|\^|&|\(|\)|\!/ig, ”). It removes most of the special characters, turning it into a normal URL: evil://dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru:8080/softonic.com/softonic.com/google.com/livejasmin.com/videosz.com/ (I manually changed http: to evil:) Note that the regex could have been simplified to .replace(/[#$@^&()!]/ig, ”) If you look at the script, you’ll see that it’s a very simple … Read more