CVSS2 | 10 High
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE
Vector string | AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS | 0.974 High
---|---
Percentile | 99.9%
Name | adobe_flash_copypixelstobytearray
---|---
CVE | CVE-2014-0556 Exploit Pack
Vendor | Adobe

Notes:
This module exploits a heap-based buffer overflow in Adobe Flash Player that is triggered when copying data from a BitmapData object to a ByteArray object whose position attribute is set near 0xffffffff.
It corrupts the length of a Number vector to obtain arbitrary memory read and write, bypasses ASLR by leaking the vtable pointer of an object vector, and builds the ROP chain dynamically.
The x64 version of the exploit does not build the ROP chain dynamically, since there doesn't seem to be a way to read the whole address space: arrays and ByteArrays only support 32-bit indexes, so the maximum amount of memory we can read is 4 GB.
You also need to set up a WIN64 MOSDEF INTEL listener for the callback process to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF yet.
Tested on:
Windows 7 x32 SP1 with IE 8 32-bit (Flash 14.0.0.145)
Windows 7 x64 SP1 with IE 8 32-bit (Flash 14.0.0.145)
Windows 7 x64 SP1 with IE 8 64-bit (Flash 14.0.0.145)
Usage:

```
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_regexp -O auto_detect_exploits:0
python commandlineInterface.py -v 17 -p5555
```
VersionsAffected: Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows
Repeatability: One-shot
References: http://googleprojectzero.blogspot.com.ar/2014/09/exploiting-cve-2014-0556-in-flash.html
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0556
Date public: 09/07/2014