History: Jul 08, 2015 - 2:59 p.m.

Immunity Canvas: ADOBE_FLASH_VALUEOF

2015-07-08 14:59:00
Immunity Canvas
exploitlist.immunityinc.com
58

CVSS2 score: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.974 High (Percentile 99.9%)

Name: adobe_flash_valueof
CVE: CVE-2015-5119 (Exploit Pack)
Vendor: Adobe
Notes:

Tested on:
- Windows 7 x86/x64 IE(32/64) 8, 9, 11

This module exploits a use-after-free vulnerability in Adobe Flash Player.
When you have a ByteArray object ba and perform an assignment such as ba[0] = object, Flash calls that object's valueOf function to obtain the value to store.
Because valueOf can be overridden, the code inside the object's valueOf function can modify ba itself.
If the ByteArray's backing memory is reallocated inside valueOf, the assignment ba[0] = object still writes through the memory pointer it saved before calling valueOf, so it uses freed memory after the valueOf call returns: a use-after-free.

IMPORTANT:

You need to set up a WIN64 MOSDEF INTEL listener in order for the callback
process to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF
yet.

Usage:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_valueof -O auto_detect_exploits:0
python commandlineInterface.py -v 17 -p5555

Versions Affected: Adobe Flash Player > 9 and before 18.0.0.194 on Windows
Repeatability: One-shot
References: http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119
