PoC

CVE-2010-1797 PDF exploit for Foxit Reader <= 4.0

After the Jailbreakme PDF vulnerability explanation I'm gonna publish the proof of concept of the same vulnerability for Foxit Reader. This is a patched vuln for this product so I suppose there will be no problem with that. Like I said, we can use a 116-bytes shellcode without the necessity of another exploiting stage, so I've modified this calc.exe shellcode for this PoC.

This exploit generates a PDF file which can be used against Foxit Reader in Windows XP and Windows Vista.  This is functional only for the latest versions of Foxit Reader but it's very easy to modify it for other ones (there is an example in the exploit for the 3.0). You can find the python script in the Exploits section or directly here. Enjoy it!! ;)

Exploits

foxit40_type2.py
Vulnerability: FreeType Compact Font Format (CFF) Stack Based Buffer Overflow [CVE-2010-1797] [BID-42241]
Affected product: Foxit Reader <= 4.0
Platform: Windows XP, Windows Vista
Type: Code execution
Publication date: 2010-08-23

opal228_dos.py
Vulnerability: OPAL SIP Protocol Remote Denial of Service [CVE-2007-04924] [BID-25955] [S21sec-037]
Affected product: OPAL <= 2.2.8 (also the applications which use this library, for example Ekiga <= 2.0.9)
Platform: Any
Type: Remote Denial of Service

My HelloWorld PDF

Before I continue with the different actions we can perform within a PDF file I'm gonna create a simple PDF file which we can modify easily. If you open a PDF with any text editor you'll see a lot of objects and elements that can confuse you a bit. In order to avoid this let's make a PDF document from scratch with a text editor, without all the unnecessary elements.

We must begin knowing which of the PDF elements are obligatory and must be present in our file. I've written some weeks ago about the physic and logic structure of these types of documents so I'll only enumerate what we'll need:

Distribuir contenido