# Title : SlimPDF Reader PoC
# Published : 2011-05-12
# Author :
SlimPDF Reader from Investintech
(http://www.investintech.com/resources/freetools/slimpdfreader/) is prone to
several overflows that can lead to code execution. The crash below is
triggered simply by adding 50.000 random characters to the header of a PDF
file. The initial bug and directions to exploitation were given by Jason
Kratzer.
PoC at http://www.deventum.com/research/crash_slimpdf.pdf
CommandLine: "C:\Program Files\Investintech.com Inc\SlimPDF Reader\SlimPDF Reader.exe"
Executable search path is:
(9d8.c1c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0012fb0c edx=77a06344 esi=fffffffe edi=00000000
eip=77a5ebbe esp=0012fb28 ebp=0012fb54 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x633:
77a5ebbe cc              int     3
0:000> g
(9d8.c1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01d32eb0 ebx=01d1fdc8 ecx=01d2fd68 edx=00000150 esi=01d32e08 edi=01d2fde8
eip=004419c4 esp=0012ebcc ebp=0012ebe8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for SlimPDF Reader.exe
*** ERROR: Module load completed but symbols could not be loaded for SlimPDF Reader.exe
SlimPDF_Reader+0x419c4:
004419c4 880c02          mov     byte ptr [edx+eax],cl      ds:0023:01d33000=??
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at SlimPDF_Reader+0x00000000000419c4 (Hash=0x566e1f14.0x18331e13)
User mode write access violations that are not near NULL are exploitable.
POC: http://www.exploit-db.com/sploits/17274.poc.tar.gz
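As an added example (not part of the advisory or of !exploitable itself), the Python below reproduces the triage step shown above: it parses the register dump and the faulting instruction, computes the target address edx+eax, checks it against the ds: address WinDbg reported, and applies the same "write AV not near NULL" rule. The 0x10000 near-NULL cut-off is an assumption.

```python
import re

# Register dump and faulting instruction taken from the WinDbg session above
# (constructed sample input; whitespace normalised).
CRASH_LOG = """\
eax=01d32eb0 ebx=01d1fdc8 ecx=01d2fd68 edx=00000150 esi=01d32e08 edi=01d2fde8
eip=004419c4 esp=0012ebcc ebp=0012ebe8 iopl=0 nv up ei pl zr na pe nc
004419c4 880c02 mov byte ptr [edx+eax],cl ds:0023:01d33000=??
"""

NEAR_NULL_LIMIT = 0x10000  # assumed cut-off for "near NULL" target addresses


def parse_registers(log):
    """Collect 32-bit name=value pairs (eax=01d32eb0 ...) into an int dict."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", log)}


def effective_address(expr, regs):
    """Resolve a simple reg+reg+disp operand such as edx+eax to an address."""
    total = 0
    for term in expr.split("+"):
        term = term.strip()
        total += regs[term] if term in regs else int(term, 16)
    return total & 0xFFFFFFFF


def triage(log):
    """Classify the faulting access the way a first-pass crash triage would."""
    regs = parse_registers(log)
    insn = re.search(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*)$", log, re.M)
    mnemonic = insn.group(1)
    operands = re.sub(r"\s+ds:\S+$", "", insn.group(2))  # drop WinDbg's ds: note
    dst = operands.split(",", 1)[0]
    mem = re.search(r"\[(.+?)\]", operands)
    if mem is None:
        return {"mnemonic": mnemonic, "access": "none", "address": None}
    # A memory operand in the destination slot means the faulting access is a write.
    access = "write" if mem.group(0) in dst else "read"
    addr = effective_address(mem.group(1), regs)
    # Cross-check the arithmetic against the address WinDbg reported (ds:0023:XXXXXXXX).
    reported = re.search(r"ds:[0-9a-f]{4}:([0-9a-f]{8})", log)
    consistent = reported is None or int(reported.group(1), 16) == addr
    return {"mnemonic": mnemonic, "access": access, "address": addr,
            "consistent": consistent, "near_null": addr < NEAR_NULL_LIMIT,
            # Same rule !exploitable applied above: a write AV away from NULL.
            "likely_exploitable": access == "write" and addr >= NEAR_NULL_LIMIT}


if __name__ == "__main__":
    print(triage(CRASH_LOG))
```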