
Immunity Canvas: ADOBE_FLASH_DOMAINMEMORY_UAF

2015-02-0219:59:00
Immunity Canvas
exploitlist.immunityinc.com

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.973 High (Percentile 99.8%)

Name: adobe_flash_domainMemory_uaf
CVE: CVE-2015-0313 (Exploit Pack)
Vendor: Adobe
Notes:

This module exploits a use-after-free vulnerability in Flash's handling of
ApplicationDomain.currentDomain.domainMemory when working with worker threads.
When a worker thread clears the domainMemory ByteArray, the ByteArray is freed,
but the main thread keeps a reference to it.

Exploitation is done by placing a Vector object in the hole created by
freeing the domainMemory ByteArray. Because memory intrinsic operations can
still modify the domainMemory backing store, the allocated Vector's length can
be changed to 0xffffffff, which allows arbitrary memory reads and writes.

It bypasses ASLR by leaking an object Vector's vtable pointer and builds the ROP
chain dynamically.

Tested on:
- Windows XP SP3 with IE 7 (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 8 32 bits (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 9 32 bits (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 10 32 bits (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 11 32 bits (Flash 16.0.0.296)
- Windows 7 x64 SP1 with IE 8 32 bits (Flash 16.0.0.296)
- Windows 8.1 x32 Release 3 with IE 11 32 bits (Flash 16.0.0.296) (Needs HTTP MOSDEF enabled)
- Firefox 37.0.2 (Flash 16.0.0.296) (needs sandbox bypass)

Usage:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_domainMemory_uaf -O auto_detect_exploits:0
python commandlineInterface.py -v 17 -p5555

Versions affected: 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows
Repeatability: One-shot
References: https://www.trustwave.com/Resources/SpiderLabs-Blog/A-New-Zero-Day-of-Adobe-Flash-CVE-2015-0313-Exploited-in-the-Wild/
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313
Date public: 02/02/2015
