module
Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
| Disclosed | Created |
|---|---|
| 2013-05-30 | 2018-05-30 |
Disclosed
2013-05-30
Created
2018-05-30
Description
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx. When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, resulting in arbitrary code execution under the
context of the user.
Also note that since the WinExec function is used to call the default browser,
you must be aware that: 1) The default must be Internet Explorer, and 2) when the
exploit runs, another browser will pop up.
Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,
which is how the vulnerability was found and publicly disclosed.
component, specifically PDF_IN_1.ocx. When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, resulting in arbitrary code execution under the
context of the user.
Also note that since the WinExec function is used to call the default browser,
you must be aware that: 1) The default must be Internet Explorer, and 2) when the
exploit runs, another browser will pop up.
Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,
which is how the vulnerability was found and publicly disclosed.
Authors
h1ch4m
sinn3r sinn3r@metasploit.com
sinn3r sinn3r@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.