CVE-2010-1797 PDF exploit for Foxit Reader <= 4.0

After the Jailbreakme PDF vulnerability explanation I'm gonna publish the proof of concept of the same vulnerability for Foxit Reader. This is a patched vuln for this product so I suppose there will be no problem with that. Like I said, we can use a 116-bytes shellcode without the necessity of another exploiting stage, so I've modified this calc.exe shellcode for this PoC.

This exploit generates a PDF file which can be used against Foxit Reader in Windows XP and Windows Vista. This is functional only for the latest versions of Foxit Reader but it's very easy to modify it for other ones (there is an example in the exploit for the 3.0). You can find the python script in the Exploits section or directly here. Enjoy it!! ;)

Enviado por jesparza el Lun, 2010/08/23 - 23:18.

#1Enviado por miki (no verificado) el Jue, 2010/09/02 - 05:34.

How does shellcode run

hi Jose,

Could you help to explain that: in your test code for foxit reader, how does the shellcode get to run?

In your code, you have pushed the shell code plus some return address and jump instruction into the stack. How does the argument stack overflow run the schell code?

Actually, I would like to know the entire procedure of your PoC.

thank you.

Miki

#2Enviado por jesparza el Vie, 2010/09/03 - 00:29.

How does shellcode run

Hi Miki,

this is a SEH overflow, so I overwrite the next SEH record with the jump instruction and the SE Handler with the address 0x401185 (this address can change depending on the version of Foxit Reader), containing the instructions pop-pop-ret. When the parsing function returns with an error the program crashes, because some elements it needs are overwritten by us, and the control is passed to the SEH Handler. Then, the pop-pop-ret instructions are executed and the address of the next SEH record is placed in the EIP register and the jump to our shellcode will be executed.

I hope this can help you!

Cheers!

#3Enviado por miki (no verificado) el Jue, 2010/09/02 - 10:56.

Where does instruction 0x90908AEB jump to?

Hi Jose,

I suppose the instruction x090908AEB at the address 0x12FA5C does a short jump with offset 0x8A. But where does this jump go to? 0x12FA5C + 0x8A or 0x12FA5C - 0x8A? It should be 0x12FA5c - 0x8A, right? Because only in this way, the shell code can run subsequently.

In Comex's jailbreakme, what is the jump opcode and offset to jump?

Thank you.

Best Regards,
Miki

#4Enviado por jesparza el Vie, 2010/09/03 - 00:46.

Where does instruction 0x90908AEB jump to?

Hi Miki,

as you say this is a jump to the shellcode, located before than the address of the jump. About how the exploit for Apple products exactly works, really I don't know because I've not tested it, sorry, but I think it's not the same way as mine.

Cheers!

#5Enviado por miki (no verificado) el Vie, 2010/09/03 - 04:29.

I got it, Jose. Thank you.

After reading "understanding SEH exploitation" by Donny, I am clear about the exploit already.

Cheers

#6Enviado por Viola Davis (no verificado) el Jue, 2013/10/10 - 13:31.

Yeah, most of the free and

Yeah, most of the free and simple PDF readers have a lot of vulnerabilities. But, an important thing to note is, nobody really cares about this. Or nobody has a clear idea about this vulnerability. People tend to avoid using Adobe reader which is secure and go for this alternatives because of the high memory usage by the same.