I am using a Flash exploit from metasploit, exploit/multi/browser/adobe_flash_hacking_team_uaf. The Cisco FirePOWER services notice these signatures and drop the packets.

I was wondering about the function msfencode, which encodes your payload. Is it possible to use this function to encode your exploit?

Ulf

1 Answer

It is not possible to encode the exploit as you would encode a payload. The reason is that the data that is part of an exploit is directly processed by the vulnerable application (in this case Flash). The function inside the Flash binary which processes the exploit data won't decode it first. In the case of payloads, we can encode them because when the payload gets executed, we already have code execution privileges on the box, so we can first decode the payload and then execute it.

There are a lot of ways through which you can bypass signature-based IDS rules. I am not sure if you have access to the actual signature code (most probably the regex), but if you have, you can study it and see what it is looking for. In my past experience with Cisco ASA IDS, the signatures were so dumb that you could practically replace ' OR '1'='1' -- with ' OR '1000'='1000' -- and it would work.

void_in
  • Cisco rule is: alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; flow:to_client,established; file_data; content:"|9B 89 31 7C 10 9E 9D D4 1B 8D 94 88 82 38 64 89 47 7B 29 0E C2 37 74 BC EE 13 63 F4 61 30 3D 9A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-0497; classtype:attempted-user; sid:37808; rev:1; ) – Ulf Jun 15 '16 at 12:03
  • How can I change the shellcode of the metasploit exploit? I really have no idea. Here is the code: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb – Ulf Jun 15 '16 at 12:04
  • Is this possible by this way? http://noxxi.de/research/sophos-utm-webprotection-bypass.html – Ulf Jun 15 '16 at 12:17
  • You will have to change the swf file served by the module https://github.com/rapid7/metasploit-framework/blob/17f0a0770fcd1acc01c6110463b9a4fd3aaee825/data/exploits/CVE-2015-5119/msf.swf. Source of the swf is at https://github.com/rapid7/metasploit-framework/tree/17f0a0770fcd1acc01c6110463b9a4fd3aaee825/external/source/exploits/CVE-2015-5119 – void_in Jun 15 '16 at 15:03
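The FirePOWER rule quoted in the comments is a plain Snort content match: the `content:"|...|"` option is a fixed 32-byte sequence that must appear in the reassembled file data. As an added example (not from the question, the answer, or Metasploit), the Python below parses that option into bytes and checks a constructed buffer the way a simplified `file_data` inspection would, which shows concretely what the answer means by a signature that "looks for" exact bytes. It ignores `flow`, `fast_pattern` and protocol normalization, and the sample buffers are constructed, not real SWF files.

```python
import re
from typing import List

# The Snort/FirePOWER rule quoted in the comments above (sid:37808), used as sample input.
FIREPOWER_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ('
    'msg:"FILE-FLASH Adobe Flash Player integer underflow attempt"; '
    'flow:to_client,established; file_data; '
    'content:"|9B 89 31 7C 10 9E 9D D4 1B 8D 94 88 82 38 64 89 47 7B 29 0E '
    'C2 37 74 BC EE 13 63 F4 61 30 3D 9A|"; fast_pattern:only; '
    'reference:cve,2014-0497; classtype:attempted-user; sid:37808; rev:1; )'
)


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content value into raw bytes.

    Text outside |...| is literal (with \\x escapes for ;, " and \\),
    text inside |...| is space-separated hex. A stray '|' is a syntax error."""
    if content.count("|") % 2:
        raise ValueError("unbalanced '|' in content option")
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:  # literal segment
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
        else:           # hex segment
            out += bytes.fromhex(chunk.replace(" ", ""))
    return bytes(out)


def extract_contents(rule: str) -> List[bytes]:
    """Return every content:"..." pattern in a rule as bytes (negated content is not handled)."""
    return [snort_content_to_bytes(m)
            for m in re.findall(r'content:"((?:[^"\\]|\\.)*)"', rule)]


def rule_matches(rule: str, data: bytes) -> bool:
    """Simplified verdict: every content option must occur somewhere in the buffer.

    Real Snort also evaluates flow, offsets, depth and protocol decoders; here the
    point is only that the verdict hinges on an exact byte sequence being present."""
    patterns = extract_contents(rule)
    return bool(patterns) and all(p in data for p in patterns)


if __name__ == "__main__":
    sig = extract_contents(FIREPOWER_RULE)[0]
    # Constructed buffers: a fake uncompressed SWF header with and without the signature bytes.
    flagged = b"FWS\x0a" + bytes(16) + sig + bytes(8)
    clean = b"FWS\x0a" + bytes(64)
    print(len(sig), rule_matches(FIREPOWER_RULE, flagged), rule_matches(FIREPOWER_RULE, clean))
```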