ExploitFixes
SlimPDF Reader PoC 2011-05-12 12:15:04

Slimpdf Reader from investintech,
http://www.investintech.com/resources/freetools/slimpdfreader/ is prone to
several overflows that can lead to code execution. The crash below is
triggered by simply adding 50.000 random characters in the header of a pdf
file. Initial bug and directions to exploitation were given from Jason
Kratzer.

PoC at http://www.deventum.com/research/crash_slimpdf.pdf

CommandLine: "C:\Program Files\Investintech.com Inc\SlimPDF Reader\SlimPDF
Reader.exe"

Executable search path is:
ModLoad: 00400000 00776000 SlimPDF Reader.exe
ModLoad: 779c0000 77afd000 ntdll.dll
ModLoad: 76990000 76a64000 C:\Windows\system32\kernel32.dll
ModLoad: 75e10000 75e5a000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 77920000 779c0000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 77870000 7791c000 C:\Windows\system32\msvcrt.dll
ModLoad: 75e70000 75e89000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 77760000 77801000 C:\Windows\system32\RPCRT4.dll
ModLoad: 76470000 76539000 C:\Windows\system32\USER32.dll
ModLoad: 767e0000 7682e000 C:\Windows\system32\GDI32.dll
ModLoad: 762c0000 762ca000 C:\Windows\system32\LPK.dll
ModLoad: 75f70000 7600d000 C:\Windows\system32\USP10.dll
ModLoad: 75ef0000 75f6b000 C:\Windows\system32\COMDLG32.dll
ModLoad: 75e90000 75ee7000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 74a40000 74bde000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\COMCTL32.dll
ModLoad: 76a80000 776c9000 C:\Windows\system32\SHELL32.dll
ModLoad: 6cbf0000 6cc41000 C:\Windows\system32\WINSPOOL.DRV
ModLoad: 6ab80000 6ab9c000 C:\Windows\system32\oledlg.dll
ModLoad: 76830000 7698c000 C:\Windows\system32\ole32.dll
ModLoad: 776d0000 7775f000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 76540000 76575000 C:\Windows\system32\WS2_32.dll
ModLoad: 76a70000 76a76000 C:\Windows\system32\NSI.dll
ModLoad: 74730000 748c0000
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
ModLoad: 76580000 7669a000 C:\Windows\system32\WININET.dll
ModLoad: 75e60000 75e63000 C:\Windows\system32\Normaliz.dll
ModLoad: 76100000 762b6000 C:\Windows\system32\iertutil.dll
ModLoad: 766a0000 767b0000 C:\Windows\system32\urlmon.dll
(9d8.c1c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0012fb0c edx=77a06344 esi=fffffffe
edi=00000000
eip=77a5ebbe esp=0012fb28 ebp=0012fb54 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000246
ntdll!LdrVerifyImageMatchesChecksum+0x633:
77a5ebbe cc int 3
0:000> g
ModLoad: 76010000 7602f000 C:\Windows\system32\IMM32.DLL
ModLoad: 76030000 760fc000 C:\Windows\system32\MSCTF.dll
ModLoad: 748c0000 74900000 C:\Windows\system32\uxtheme.dll
ModLoad: 73650000 7365f000 C:\Windows\system32\inetmib1.dll
ModLoad: 73b90000 73bac000 C:\Windows\system32\IPHLPAPI.DLL
ModLoad: 730d0000 730d7000 C:\Windows\system32\WINNSI.DLL
ModLoad: 6c8d0000 6c8d9000 C:\Windows\system32\snmpapi.dll
ModLoad: 75ab0000 75abc000 C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74480000 74493000 C:\Windows\system32\dwmapi.dll
ModLoad: 77810000 77815000 C:\Windows\system32\psapi.dll
ModLoad: 77b00000 77b83000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 6afe0000 6b038000 C:\Program Files\Common Files\microsoft
shared\ink\tiptsf.dll
ModLoad: 74270000 7436b000 C:\Windows\system32\WindowsCodecs.dll
ModLoad: 75a60000 75aab000 C:\Windows\system32\apphelp.dll
ModLoad: 6bdc0000 6bdf1000 C:\Windows\system32\EhStorShell.dll
ModLoad: 762d0000 7646d000 C:\Windows\system32\SETUPAPI.dll
ModLoad: 75d20000 75d47000 C:\Windows\system32\CFGMGR32.dll
ModLoad: 75d00000 75d12000 C:\Windows\system32\DEVOBJ.dll
ModLoad: 74900000 749f5000 C:\Windows\system32\PROPSYS.dll
ModLoad: 6bd50000 6bdba000 C:\Windows\System32\cscui.dll
ModLoad: 6bd40000 6bd49000 C:\Windows\System32\CSCDLL.dll
ModLoad: 714e0000 714eb000 C:\Windows\system32\CSCAPI.dll
ModLoad: 6bcd0000 6bd3f000 C:\Windows\system32\ntshrui.dll
ModLoad: 757f0000 75809000 C:\Windows\system32\srvcli.dll
ModLoad: 73cf0000 73cfa000 C:\Windows\system32\slc.dll
ModLoad: 74ea0000 74ec1000 C:\Windows\system32\ntmarta.dll
ModLoad: 77820000 77865000 C:\Windows\system32\WLDAP32.dll
ModLoad: 75b60000 75b6b000 C:\Windows\system32\profapi.dll
ModLoad: 755e0000 755f6000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 75380000 753bb000 C:\Windows\system32\rsaenh.dll
ModLoad: 75b20000 75b2e000 C:\Windows\system32\RpcRtRemote.dll
ModLoad: 66030000 6608c000 C:\Windows\System32\StructuredQuery.dll
ModLoad: 75900000 75908000 C:\Windows\System32\Secur32.dll
ModLoad: 75a40000 75a5a000 C:\Windows\system32\SSPICLI.DLL
ModLoad: 6b450000 6b49e000 C:\Windows\system32\actxprxy.dll
ModLoad: 665e0000 66612000 C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 67620000 67636000 C:\Windows\system32\thumbcache.dll
ModLoad: 6b3f0000 6b41e000 C:\Windows\system32\SHDOCVW.dll
ModLoad: 69f80000 6a8c5000 C:\Windows\system32\ieframe.DLL
ModLoad: 72bb0000 72bec000 C:\Windows\system32\OLEACC.dll
ModLoad: 73440000 734df000 C:\Windows\system32\SearchFolder.dll
ModLoad: 6a9e0000 6ab78000 C:\Windows\system32\NetworkExplorer.dll
ModLoad: 6b4d0000 6b4d9000 C:\Windows\system32\LINKINFO.dll
ModLoad: 74120000 7412f000 C:\Windows\system32\samcli.dll
ModLoad: 74a00000 74a12000 C:\Windows\system32\SAMLIB.dll
ModLoad: 74140000 74149000 C:\Windows\system32\netutils.dll
(9d8.c1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01d32eb0 ebx=01d1fdc8 ecx=01d2fd68 edx=00000150 esi=01d32e08
edi=01d2fde8
eip=004419c4 esp=0012ebcc ebp=0012ebe8 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
*** WARNING: Unable to verify checksum for SlimPDF Reader.exe
*** ERROR: Module load completed but symbols could not be loaded for SlimPDF
Reader.exe
SlimPDF_Reader+0x419c4:
004419c4 880c02 mov byte ptr [edx+eax],cl
ds:0023:01d33000=??
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
SlimPDF_Reader+0x00000000000419c4 (Hash=0x566e1f14.0x18331e13)

User mode write access violations that are not near NULL are exploitable.

POC: http://www.exploit-db.com/sploits/17274.poc.tar.gz