
Immunity Canvas: ADOBE_FLASH_COPYPIXELSTOBYTEARRAY

2014-09-10 01:55:00
Immunity Canvas
exploitlist.immunityinc.com

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.974 High (percentile 99.9%)

Name adobe_flash_copypixelstobytearray
CVE CVE-2014-0556 Exploit Pack
VENDOR: Adobe
Notes:

This module exploits a heap-based buffer overflow in Adobe Flash Player when
copying data from a BitmapData object to a ByteArray object with the position
attribute set near 0xffffffff.

It corrupts a Number vector's length to obtain arbitrary memory read and write.
It bypasses ASLR by leaking an object vector vtable pointer and builds the ROP
chain dynamically.

The x64 version of the exploit doesn't build the ROP chain dynamically, as there
doesn't seem to be a way to read the whole memory: arrays and bytearrays
only support 32-bit indexes, so the maximum amount of memory we can read is 4GB.
Also, you need to set up a WIN64 MOSDEF INTEL listener in order for the callback
process to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF
yet.

Tested on:
Windows 7 x32 SP1 with IE 8 32-bit (Flash 14.0.0.145)
Windows 7 x64 SP1 with IE 8 32-bit (Flash 14.0.0.145)
Windows 7 x64 SP1 with IE 8 64-bit (Flash 14.0.0.145)

Usage:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_regexp -O auto_detect_exploits:0
python commandlineInterface.py -v 17 -p5555

Versions Affected: Adobe Flash Player before 13.0.0.244, and 14.x and 15.x before 15.0.0.152, on Windows
Repeatability: One-shot
References: ['http://googleprojectzero.blogspot.com.ar/2014/09/exploiting-cve-2014-0556-in-flash.html']
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0556
Date public: 09/07/2014
