Foxit Reader 5.4.3.0920 – Crash (PoC)

  • Author: coolkaveh
    Date: 2012-10-01
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/21645/
  • Title: Foxit Reader suffers from Division By Zero
    Version: 5.4.3.0920
    Date: 2012-09-28
    Vendor: http://www.foxitsoftware.com/
    Impact: Med/High
    Contact: coolkaveh [at] rocketmail.com
    Twitter: @coolkaveh
    Tested: XP SP3
    #####################################################################
    Bug:
    ----
    A division-by-zero vulnerability during the handling of PDF files: a crafted file reaches an integer
    divide with a zero divisor, which triggers a denial-of-service condition (the reader crashes).
    
    #####################################################################
    (b34.f24): Integer divide-by-zero - code c0000094 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
    eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    *** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
    FoxitReader_Lib_Full+0x158c8c:
    00558c8c f7f7            div     eax,edi
    0:000> r;!exploitable -v;q
    eax=ffffffff ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
    eip=00558c8c esp=0012f928 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    FoxitReader_Lib_Full+0x158c8c:
    00558c8c f7f7            div     eax,edi
    HostMachine\HostUser
    Executing Processor Architecture is x86
    Debuggee is in User Mode
    Debuggee is a live user mode debugging session on the local machine
    Event Type: Exception
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
    Exception Faulting Address: 0x558c8c
    First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
    
    Faulting Instruction: 00558c8c div eax,edi
    
    Basic Block:
    00558c8c div eax,edi
     Tainted Input Operands: ax, dx, eax, edi
    00558c8e cmp dword ptr [esp+3ch],eax
     Tainted Input Operands: eax
    00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
     Tainted Input Operands: CarryFlag
    
    Exception Hash (Major/Minor): 0x6461647c.0x64616453
    
    Stack Trace:
    FoxitReader_Lib_Full+0x158c8c
    Instruction Address: 0x0000000000558c8c
    
    Description: Integer Divide By Zero
    Short Description: DivideByZero
    Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
    #####################################################################
    
    Proof of concept .pdf included: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21645.pdf
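Added illustration of the bug class in this advisory (an integer divide whose divisor comes straight from file data), written for this page and not taken from the advisory or from Foxit Reader's source. The eight-byte "header" layout, the record-size calculation and the function names are hypothetical; they only mirror the shape of the faulting `div eax,edi` above, where the divisor register (edi) is zero. The unchecked variant faults with STATUS_INTEGER_DIVIDE_BY_ZERO on a zero divisor; the checked variant validates the divisor first and reports a malformed file to the caller instead of crashing the process.

```c
/* Hypothetical example of a file-controlled divisor (not Foxit Reader code). */
#include <stdint.h>
#include <stdio.h>

/* Constructed sample headers: a 32-bit total byte count followed by a
 * 32-bit record count (little-endian). The record count is the divisor. */
static const unsigned char GOOD_HEADER[8] = { 0x00, 0x10, 0x00, 0x00,   /* total = 4096 */
                                              0x04, 0x00, 0x00, 0x00 }; /* count = 4    */
static const unsigned char BAD_HEADER[8]  = { 0x00, 0x10, 0x00, 0x00,   /* total = 4096 */
                                              0x00, 0x00, 0x00, 0x00 }; /* count = 0    */

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked: same shape as the faulting `div eax,edi`. With count == 0 the
 * CPU raises #DE, which Windows reports as STATUS_INTEGER_DIVIDE_BY_ZERO. */
uint32_t record_size_unchecked(const unsigned char *hdr) {
    uint32_t total = read_le32(hdr);
    uint32_t count = read_le32(hdr + 4);
    return total / count;
}

/* Checked: validate the divisor before dividing. Returns the record size,
 * or -1 when the header is malformed (zero or implausibly large count). */
int64_t record_size_checked(const unsigned char *hdr) {
    uint32_t total = read_le32(hdr);
    uint32_t count = read_le32(hdr + 4);
    if (count == 0 || count > total) {
        return -1;  /* reject the file instead of letting the divide fault */
    }
    return (int64_t)(total / count);
}

int main(void) {
    int64_t size = record_size_checked(GOOD_HEADER);
    printf("good header: record size %lld\n", (long long)size);
    if (record_size_checked(BAD_HEADER) < 0) {
        printf("bad header: rejected (record count is zero)\n");
    }
    /* record_size_unchecked(BAD_HEADER) would crash the process, so it is not called. */
    return 0;
}
```

The defensive point is where the check lives: a bound check after the divide (as the `cmp`/`jae` following the faulting instruction suggests) cannot help, because the exception is raised by the divide itself; the divisor has to be validated before it is used.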