Prototype Pollution RCE in Adobe Acrobat and Reader

This repository is a standalone Python exploit generator, not tied to a major exploitation framework. It contains two identical Python scripts (`poc.py` and `cve_2026_34621_advanced/cve_2026_34621_advanced.py`) plus top-level and subdirectory README files. The main purpose is to generate a malicious PDF that embeds JavaScript intended to exploit CVE-2026-34621 in Adobe Acrobat/Reader via prototype pollution leading to sandbox escape and arbitrary command execution. Repository structure is simple: the root README gives a short description; the detailed README documents installation, CLI options, usage examples, affected versions, and attack flow; the Python script implements the generator. The code imports standard Python libraries plus optional `PyPDF2` for lure-PDF merging. Visible code sections show helper utilities for polymorphism/randomization, a multi-level JavaScript obfuscator, payload generation flow, PDF building, and report generation. The script accepts command-line options for output file, Windows/macOS commands, stage URL, persistence, obfuscation level, delay, hostname keying, lure PDF path, trigger type, and report suppression. Main exploit capabilities described by the code and documentation include: generating PDF-embedded JavaScript, OS auto-detection, Windows/macOS-specific execution paths, optional staged payload download from a remote URL, optional persistence installation, optional lure PDF merging, multiple trigger vectors (`openaction`, `pageopen`, `doclevel`), and HTML/TXT/JSON reporting. The exploit is operational rather than a mere PoC because it provides configurable payload delivery and persistence features, though it is still a standalone generator rather than a framework-integrated weaponized module. Fingerprintable observables are mostly example endpoints and execution artifacts from the README: staged payload URLs (`http://10.0.0.5/shell.ps1`, `http://192.168.1.100/payload.exe`, `http://10.0.0.5/mac_payload.sh`), reverse-shell endpoint `10.0.0.5:4444`, macOS application paths, `/bin/sh`, Windows execution components (`cmd.exe`, PowerShell, WScript.Shell), and persistence locations such as the Windows Run registry key and macOS LaunchAgents directory. Because the Python source was truncated in the provided content, some exact embedded strings from the payload generator cannot be fully verified from code alone, but the repository clearly implements an exploit generator rather than a detector or benign demo.

This repository is a small, self-contained research PoC for an Adobe Acrobat exploit chain centered on malicious PDF JavaScript execution and post-exploitation file theft. It contains 4 files: a Python PDF generator (CVE-2026-34621.py), a Python HTTP collection server (c2.py), the main Acrobat JavaScript payload (payload_steal.js), and documentation (ReadMe.md). The main exploit flow is: the operator embeds payload_steal.js into a PDF using CVE-2026-34621.py; the generated PDF sets /OpenAction to a JavaScript action so code runs when the document is opened; the JavaScript then abuses Acrobat-specific internal functions and trust mechanisms to obtain privileged execution; finally it reads a local Windows file and exfiltrates it over HTTP in chunks. CVE-2026-34621.py is not itself the vulnerability trigger beyond embedding arbitrary JavaScript into a PDF. It is a helper utility that reads an external JS file, escapes it for PDF syntax, and writes a minimal PDF object structure with /OpenAction pointing to a /JavaScript action. This makes it the delivery builder for the exploit document. payload_steal.js contains the actual exploit logic. It defines a privileged file-stealing routine using app.beginPriv(), util.readFileIntoStream(), and app.launchURL(). It hardcodes the victim file path /C/Windows/System32/drivers/etc/hosts and exfiltrates the resulting hex data to http://192.168.56.1:45191/exfil. The script also contains the exploit chain primitives described in the README: injection through ANFancyAlertImpl with a crafted button key, prototype pollution using Object.prototype.__defineGetter__('swConn', ...), trusted function registration via app.trustedFunction.bind, fake object methods for path processing, and invocation of ANShareFile/SilentDocCenterLogin to redirect privileged workflow execution. c2.py is a simple operational support component rather than the exploit itself. It listens on 0.0.0.0:45191, accepts GET requests to /exfil, reconstructs chunked hex data into binary, and saves recovered files under exfiltrated_files/. It prints progress and validates whether the recovered file begins with a PDF header. Overall, this is a real exploit PoC repository rather than a detector. It demonstrates a file-based attack vector against vulnerable Adobe Acrobat Reader environments, with a hardcoded but functional payload and a matching receiver, making it operational rather than a bare conceptual proof.

Repository contains a Python-based exploit generator rather than a simple detector. There are 4 files total: a top-level README, a subdirectory README, and two identical Python scripts (poc.py and cve_2026_34621_advanced/cve_2026_34621_advanced.py, both ~35 KB). The Python script is the main entry point and presents itself as an 'Advanced Cross-Platform Exploit Generator' for CVE-2026-34621 affecting Adobe Acrobat/Reader. The script structure, based on visible code and documentation, includes: utility helpers for randomization/polymorphism; a JavaScript obfuscator supporting multiple levels including string-to-charcode conversion, junk/dead-code insertion, and base64 wrapping; a payload generator that builds OS-aware JavaScript for Windows/macOS execution; a PDF generator that embeds the JavaScript into a PDF with selectable trigger vectors; optional lure PDF merging using PyPDF2; and a report generator that emits HTML/TXT/JSON artifacts describing the generated payload/configuration. Primary exploit capability is malicious PDF generation for file-based delivery. The generated PDF is intended to exploit Adobe JavaScript prototype pollution and claimed sandbox escape to reach privileged APIs and execute attacker-controlled system commands. The repository advertises Windows execution through cmd.exe, PowerShell, and WScript.Shell, and macOS execution through Terminal.app or osascript. It also supports optional staged payload retrieval from a remote URL, execution delay, hostname/environment keying, persistence installation, and obfuscation to hinder analysis. Fingerprintable observables are mostly examples in documentation rather than hardcoded C2: sample staging URLs (http://10.0.0.5/shell.ps1, http://192.168.1.100/payload.exe, http://10.0.0.5/mac_payload.sh), a reverse-shell callback endpoint (10.0.0.5:4444), example local file paths for Calculator.app and lure PDFs, and claimed persistence locations including the Windows Run registry key and macOS LaunchAgents directory. No evidence in the provided excerpt suggests a fixed attacker-controlled infrastructure embedded in the code itself; payload endpoints appear operator-supplied via CLI options such as --stage. Overall, this is an operational exploit builder with configurable payloads and delivery options, not merely a proof-of-concept or scanner.

Repository contains a single substantive Python script, cve_2026_34621_advanced.py, plus a README. The script is an exploit generator rather than a direct network exploit: it builds a malicious PDF intended to trigger claimed CVE-2026-34621 in Adobe Acrobat/Reader via embedded JavaScript. Based on the visible code and README, the workflow is: parse CLI options, generate a cross-platform JavaScript payload, optionally obfuscate it with polymorphic techniques, embed it into a PDF with selectable trigger vectors, optionally merge with a lure PDF using PyPDF2, then write the PDF and produce HTML/TXT/JSON reports. Main capabilities described in the repository include Windows/macOS command execution, staged payload retrieval from attacker-controlled URLs, optional persistence, execution delay, hostname/environment keying, and multiple JavaScript obfuscation levels. The README explicitly documents offensive examples such as PowerShell download-and-execute, curl|bash, and a Python reverse shell callback to 10.0.0.5:4444. The code excerpt confirms supporting components such as RandomUtils, JavaScriptObfuscator, PayloadGenerator, PDFGenerator, ReportGenerator, and a main() routine orchestrating payload generation and file output. Attack vector is primarily file-based: the operator generates a malicious PDF and delivers it to a victim, who must open it in a vulnerable Adobe product. A secondary web/network aspect exists when staged payload URLs are used by the embedded commands. No evidence suggests this is merely a detector or README-only repository. Although the provided code is truncated, the repository appears operational as a PDF exploit generator with configurable payload execution rather than a simple proof-of-concept trigger.