CVE-2010-1797 PDF exploit for Foxit Reader <= 4.0

After the Jailbreakme PDF vulnerability explanation I'm gonna publish the proof of concept of the same vulnerability for Foxit Reader. This is a patched vuln for this product so I suppose there will be no problem with that. Like I said, we can use a 116-bytes shellcode without the necessity of another exploiting stage, so I've modified this calc.exe shellcode for this PoC.

This exploit generates a PDF file which can be used against Foxit Reader in Windows XP and Windows Vista.  This is functional only for the latest versions of Foxit Reader but it's very easy to modify it for other ones (there is an example in the exploit for the 3.0). You can find the python script in the Exploits section or directly here. Enjoy it!! ;)

How does shellcode run

hi Jose,

Could you help to explain that: in your test code for foxit reader, how does the shellcode get to run?

In your code, you have pushed the shell code plus some return address and jump instruction into the stack. How does the argument stack overflow run the schell code?

Actually, I would like to know the entire procedure of your PoC.

thank you.

Miki

How does shellcode run

Hi Miki,

this is a SEH overflow, so I overwrite the next SEH record with the jump instruction and the SE Handler with the address 0x401185 (this address can change depending on the version of Foxit Reader), containing the instructions pop-pop-ret. When the parsing function returns with an error the program crashes, because some elements it needs are overwritten by us, and the control is passed to the SEH Handler. Then, the pop-pop-ret instructions are executed and the address of the next SEH record is placed in the EIP register and the jump to our shellcode will be executed.

I hope this can help you!

Cheers!

Where does instruction 0x90908AEB jump to?

Hi Jose,

I suppose the instruction x090908AEB at the address 0x12FA5C does a short jump with offset 0x8A. But where does this jump go to? 0x12FA5C + 0x8A or 0x12FA5C - 0x8A? It should be 0x12FA5c - 0x8A, right? Because only in this way, the shell code can run subsequently.

In Comex's jailbreakme, what is the jump opcode and offset to jump?

Thank you.

Best Regards,
Miki

Where does instruction 0x90908AEB jump to?

Hi Miki,

as you say this is a jump to the shellcode, located before than the address of the jump. About how the exploit for Apple products exactly works, really I don't know because I've not tested it, sorry, but I think it's not the same way as mine.

Cheers!

I got it, Jose. Thank you.

After reading "understanding SEH exploitation" by Donny, I am clear about the exploit already.

Cheers

Yeah, most of the free and

Yeah, most of the free and simple PDF readers have a lot of vulnerabilities. But, an important thing to note is, nobody really cares about this. Or nobody has a clear idea about this vulnerability. People tend to avoid using Adobe reader which is secure and go for this alternatives because of the high memory usage by the same.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.