https://sploitus.com/exploit?id=987C5F11-231A-508D-AF25-5658F0958ADB
# CVE-2020-9715 EDR Validation PoC

Use-after-free in Adobe Acrobat Reader DC's EScript.api ESObject cache. For authorized red team EDR testing only.

## Vulnerability

Adobe Acrobat Reader DC <= 2020.009.20063. The EScript engine caches data ESObjects under keys that preserve the name's original encoding (ANSI or Unicode). Deletion always builds a Unicode key, so an entry created under an ANSI name is never purged from the cache. Once the garbage collector frees the underlying object, the stale cache entry is a dangling pointer.

## What the PoC Does

1. Embeds a data object with an ANSI-encoded name in the PDF
2. JavaScript `OpenAction` accesses `dataObjects` to populate the ESObject cache
3. Removes the reference and forces garbage collection
4. Heap sprays with `ArrayBuffer` allocations to reclaim the freed memory
5. Re-accesses the stale cached ESObject, triggering the use-after-free

This PoC triggers the vulnerability pattern but does **not** include a weaponized payload (no shellcode, no ROP chain). It is designed to validate whether your EDR detects the exploitation technique.

## Usage

```shell
python generate_poc.py              # Generates CVE-2020-9715.pdf
python generate_poc.py -o custom.pdf  # Custom output path
```

No external dependencies; uses only the Python standard library.

## Testing

1. Generate the PDF on your workstation
2. Transfer it to the gold image test machine
3. Open in Adobe Acrobat Reader DC
4. Observe EDR behavior:
   - **PASS**: EDR blocks/alerts on the JS heap spray + UAF access pattern
   - **FAIL**: PDF opens without EDR intervention; Reader may crash

## EDR Detection Signals

Your EDR should key on one or more of:
- JavaScript heap spray pattern (`ArrayBuffer` mass allocation)
- `dataObjects` access followed by forced GC and re-access (UAF pattern)
- Known CVE-2020-9715 signature in embedded JS
- Suspicious PDF structure: `OpenAction` + `EmbeddedFiles` + JavaScript
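As an added example (not part of this repository), a static triage script that checks a PDF for the structural and JavaScript signals listed above, inflating FlateDecode streams first so JavaScript hidden behind compression is still visible. The sample document at the bottom is constructed here for the check and is not the PoC generator's output; the script assumes only the Python standard library.

```python
import re
import zlib

# Structural tokens named in the "EDR Detection Signals" list above.
STRUCTURE_TOKENS = (b"/OpenAction", b"/EmbeddedFiles", b"/JavaScript", b"/JS")
# JavaScript-level signals: dataObjects access and ArrayBuffer allocation.
JS_SIGNALS = {
    "dataObjects_access": rb"\bdataObjects\b",
    "arraybuffer_alloc": rb"new\s+ArrayBuffer\s*\(",
}
# Heuristic for a spray: an ArrayBuffer allocation inside a for-loop body.
SPRAY_LOOP = rb"for\s*\([^)]*\)\s*\{[^}]*new\s+ArrayBuffer"


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every stream that
    zlib can decode, so tokens behind /FlateDecode are scanned too."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or truncated: raw bytes only
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Static triage: report which of the page's signals are present."""
    text = _inflate_streams(data)
    found = {tok.decode(): tok in text for tok in STRUCTURE_TOKENS}
    for name, pat in JS_SIGNALS.items():
        found[name] = len(re.findall(pat, text))
    found["spray_loop"] = re.search(SPRAY_LOOP, text, re.S) is not None
    structure = found["/OpenAction"] and found["/EmbeddedFiles"] and (
        found["/JavaScript"] or found["/JS"])
    js_pattern = found["dataObjects_access"] > 0 and found["spray_loop"]
    found["suspicious"] = bool(structure and js_pattern)
    return found


# Constructed fixture (not the PoC): carries the structural signals with the
# JavaScript placed inside a FlateDecode stream to exercise the inflate path.
CONSTRUCTED_JS = (b"var d = this.dataObjects; var s = []; "
                  b"for (var i = 0; i < 4096; i++) { s.push(new ArrayBuffer(65536)); }")


def constructed_sample() -> bytes:
    js = zlib.compress(CONSTRUCTED_JS)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Filter /FlateDecode /Length " + str(len(js)).encode()
            + b" >>\nstream\n" + js + b"\nendstream\nendobj\n%%EOF\n")
```

This is a file-level check to complement runtime EDR telemetry; it does not decode other stream filters or string encodings, so a negative result is not proof of absence.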

## Affected Versions

- Adobe Acrobat Reader DC <= 2020.009.20063
- Adobe Acrobat Reader 2017 <= 2017.011.30171
- Adobe Acrobat Reader 2015 <= 2015.006.30523

Patched in APSB20-48 (August 2020).