Add Ghostscript failed restore exploit from taviso (CVE-2018-16509) #10564
Conversation
I know more about PostScript than I ever wanted to 😜 Regarding very long commands, you can try this to write out the command to a temp file, then call it:

```postscript
% write string into a temp file, then the filename is on the stack
null (w) .tempfile dup (very long command here) writestring closefile
% prepend %pipe%sh, so it will be (%pipe%sh /tmp/whatever)
(%pipe%sh ) exch concatstrings
% roll (adjust the stack) to put parameters in the right order, then execute
mark /OutputFile 3 -1 roll currentdevice putdeviceprops
```

AFAIK there is no limit to what you can write into tempfiles.
If we could avoid writing files to storage, it would reduce detection and the chance of hitting a noexec mount...

@sempervictus: Agreed, and this isn't a problem for the Unix payloads. We usually supply This is a problem with the PSH command, which gets a little too big too fast if fully encoded. So far Defender is catching it even without writing to disk. I'm hesitant to immediately play the cat-and-mouse game of AV evasion, though. Not for this. That said, I was able to get a Meterpreter shell using PSH delivery. I'll need to upload my testing notes.
We can do the staging trick normally done via env vars using the web-client or named pipes as the staging ground, assuming we can't figure out a way to deliver internally.
Stupid question: Would rapid7/rex-powershell#14 fix the length issue?

Buttons are too close!
modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
Adequate:
We will want to implement module suggestions in the future, perhaps leveraging #10563. Module deprecations might be refactored as a result.
Missed in 3567071.
The hype is over, and the target was provided as a bonus. Now update the module language to reflect that.
Seems to work for me:

Linux payload works for me too.

Release Notes
This module exploits a
@taviso: Successfully tested against CentOS as referenced in https://bugs.chromium.org/p/project-zero/issues/detail?id=1640#c9. On the older Ghostscript, I was limited to 253 bytes as per http://git.ghostscript.com/?p=ghostpdl.git;a=blobdiff;f=gs/base/gp.h;h=829a782fd342b0d6b3d47420af1bdee58ef67a45;hp=d1b8fa663e5fe9a5a6a76b659114ad05bfe65dee;hb=fe0b8fcfb69246cbea99b85f453ed6c3c83f4592;hpb=83b6646951fee8fe153d14d3e2d7da75894b922a. Curiously, the same test scenario against stock Ubuntu is equally interesting:

The designated thumbnailer for PostScript is also

Thanks for your efforts! ETA:
Depends on #10591
Resolves #10539.