As todb pointed out in the last weekly Metasploit update wrap-up, we recently added two new exploits for Flash: CVE-2015-3090 and CVE-2015-3105, based on the samples found in the wild.

As you're probably aware, over the last few years, and especially since the end of 2014 and into 2015, Flash has become the trending target for browser exploits in the wild. Here is a summary of Flash vulnerabilities abused by different exploit kits. It is based on the contagiodump overview and the Malware Don't Need Coffee blog data. It also shows which of those vulnerabilities are actually supported in Metasploit, and the targets for every exploit. It's just a summary, so the vulnerability set may not be complete; I'm not a malware researcher after all!

| Vulnerability | Metasploit | Targets |
|---|---|---|
| **CVE-2013-0634** | Adobe Flash ActiveX | IE 32 bits on Windows XP SP3 and Windows 7 SP1 |
| **CVE-2013-5329** | (none) | |
| **CVE-2014-0497** | Adobe Flash ActiveX | IE 32 bits on Windows XP SP3, Windows 7 SP1 and Windows 8 |
| **CVE-2014-0502** | (none) | |
| **CVE-2014-0515** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2014-0515** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2014-0556** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2014-0556** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2014-0569** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2014-0569** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2014-8439** | (none) | |
| **CVE-2014-8440** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2014-8440** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2015-0310** | (none) | |
| **CVE-2015-0311** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2015-0311** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-0313** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2015-0313** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2015-0336** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2015-0336** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-0359** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2015-0359** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2015-3043** | (none) | |
| **CVE-2015-3090** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2015-3090** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-3104** | (none) | |
| **CVE-2015-3105** | Adobe Flash ActiveX | IE 32 bits on Windows 7 SP1 |
| **CVE-2015-3105** | Adobe Flash Plugin | Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-3113** | (none) | |

As you can see, we are doing our best to keep the Framework up to date with the Flash vulnerabilities exploited in the wild, so that people can simulate/test them from a trusted source. Because of the number of Flash exploits, we've added a small Flash exploitation library to make the task of adding them to the Framework easier. We'd like to share a few words about how to use this code.

Let me start by refreshing our memory... Since 2013, or actually since October 2012 (thanks Haifei Li), a common technique to exploit Flash vulnerabilities has been to abuse AS3 Vectors, both for spraying and to achieve full memory read/write. It is made possible by the Flash allocator and by the layout of the Vector object itself, whose length lives together with its data. The abuse of these objects has been well explained in the past. The first (and excellent) explanation I can recall is the one provided by Haifei Li in his article Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-day Attack. And it is precisely the technique used by the exploits in the Framework. Since I don't think I can explain it better than Haifei Li, I recommend you check the above link before going ahead, in case you're not familiar with the topic.

That said, back to the Metasploit Framework. Let me start by helping you locate the source code for the Flash exploitation library in the code base: it lives in the data directory, at the data/external/source/flash_exploiter path. Currently it supports exploitation of Adobe Flash (32 bits), both the ActiveX and plugin versions, on Windows and Linux platforms. (Remark: we're not testing the Flash bundled with Google Chrome or with IE since Windows 8, so the exploits available in MSF don't currently cover these targets.) Last but not least, it's worth saying that this code uses some ideas from @hdarwin89, whose Flash exploits can be found in his own repository.

So, summarizing, the goal is that new Flash exploits just need to provide an "Exploit" class. An Exploit object must be able to corrupt a Vector.<uint>'s length with the value 0x3fffffff or larger. Once this condition has been achieved, the Exploit just needs to create a new "Exploiter" instance and let the magic happen. Here is an "Exploit" template:

```actionscript
package
{
    import flash.display.Sprite
    import flash.display.LoaderInfo
    import mx.utils.Base64Decoder
    import flash.utils.ByteArray

    public class Exploit extends Sprite
    {
        private var uv:Vector.<uint>
        private var b64:Base64Decoder = new Base64Decoder()
        private var payload:ByteArray
        private var platform:String
        private var os:String
        private var exploiter:Exploiter

        public function Exploit()
        {
            // Target platform, operating system and shellcode arrive as FlashVars,
            // provided by BrowserExploitServer from a prior stage
            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
            os = LoaderInfo(this.root.loaderInfo).parameters.os
            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
            // URL decoding turns '+' into spaces; put them back before base64 decoding
            var pattern:RegExp = / /g
            b64_payload = b64_payload.replace(pattern, "+")
            b64.decode(b64_payload)
            payload = b64.toByteArray()

            /*
                The exploit code here. The goal is to corrupt the uv vector length with 0x3fffffff or bigger.
            */

            // Last call of the Exploit: hand over to the Exploiter together with uv's original length (0x13e here)
            exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
        }
    }
}
```

A couple of things to take into account. First of all, notice that the Exploit template gets the platform and the operating system (as well as the shellcode) from FlashVars. That's because BrowserExploitServer provides this information from a prior stage, and we're using it, but you could of course obtain it by writing your own AS code in the exploit.

The second important thing is the Exploiter constructor documentation, because it's the last call the Exploit should make:

```actionscript
/*
Creates an Exploiter instance and runs the exploitation magic

* exp: Exploit object instance, its toString() vtable entry will be overwritten to achieve EIP.
* pl: target platform, "linux" and "win" supported
* os: target operating system for "win" platforms, "Windows 8.1" and "Windows 7" supported
* p: ByteArray with the payload to execute
* uv: Vector.<uint> whose length is overwritten with 0x3fffffff or larger
* uv_length: original uv's length, so the Exploiter can (hopefully) restore everything after exploitation.
*/
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
```

Most of the Flash exploits in the Framework have been written or migrated to use the Exploiter code, but be careful: we keep updating the Exploiter code, and not all of them use the latest version! The Flash modules currently using the flash_exploiter code are: CVE-2014-0515, CVE-2014-0556, CVE-2014-0569, CVE-2014-8440, CVE-2015-0311, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-3090 and CVE-2015-3105.

And that's all for today! Stay tuned for more Flash exploits and the new Browser Autopwn being developed by sinn3r. We find the combination of these a powerful way to simulate targeted campaigns on your next pentest!