Foxit Reader 5.4.3.0920 - Crash (PoC)

EDB-ID:

21645

CVE:


EDB Verified:

Author:

coolkaveh

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2012-10-01

Vulnerable App: 
Title            :  Foxit Reader suffers from Division By Zero
Version          :  5.4.3.0920 
Date             :  2012-09-28
Vendor           :  http://www.foxitsoftware.com/
Impact           :  Med/High
Contact          :  coolkaveh [at] rocketmail.com
Twitter          :  @coolkaveh
tested           :  XP SP3
#####################################################################
Bug :
----
division by zero vulnerability during the handling of the pdf files.
that will trigger a denial of service condition

#####################################################################
(b34.f24): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff 
ebx=00000000 
ecx=00000000 
edx=00000000 
esi=00000000 
edi=00000000
eip=00558c8c 
esp=0012f928 
ebp=00000000 
iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for FoxitReader_Lib_Full.exe
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
0:000> r;!exploitable -v;q
eax=ffffffff 
ebx=00000000 
ecx=00000000 
edx=00000000 
esi=00000000 
edi=00000000
eip=00558c8c 
esp=0012f928 
ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
FoxitReader_Lib_Full+0x158c8c:
00558c8c f7f7            div     eax,edi
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0x558c8c
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)

Faulting Instruction:00558c8c div eax,edi

Basic Block:
    00558c8c div eax,edi
       Tainted Input Operands: ax, dx, eax, edi
    00558c8e cmp dword ptr [esp+3ch],eax
       Tainted Input Operands: eax
    00558c92 jae foxitreader_lib_full+0x158f06 (00558f06)
       Tainted Input Operands: CarryFlag

Exception Hash (Major/Minor): 0x6461647c.0x64616453

Stack Trace:
FoxitReader_Lib_Full+0x158c8c
Instruction Address: 0x0000000000558c8c

Description: Integer Divide By Zero
Short Description: DivideByZero
Recommended Bug Title: Integer Divide By Zero starting at FoxitReader_Lib_Full+0x0000000000158c8c (Hash=0x6461647c.0x64616453)
#####################################################################

Proof of concept .pdf included: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21645.pdf
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services