Name | adobe_flash_copypixelstobytearray |
CVE | CVE-2014-0556 |
Exploit Pack | CANVAS |
Description | adobe_flash_copypixelstobytearray |
Vendor | Adobe |
Notes | This module exploits a heap-based buffer overflow in Adobe Flash Player when copying data from a BitmapData object to a ByteArray object with the position attribute set near 0xffffffff. It corrupts a number vector's length to obtain arbitrary memory read and write. It bypasses ASLR by leaking an object vector vtable pointer and builds the ROP chain dynamically. The x64 version of the exploit doesn't build the ROP chain dynamically, as there doesn't seem to be a way to read the whole memory: arrays and bytearrays only support 32-bit indexes, so the maximum amount of memory that can be read is 4GB. Also, you need to set up a WIN64 MOSDEF INTEL listener in order for the callback process to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF yet. |
Tested on | Windows 7 x32 SP1 with IE 8 32-bit (Flash 14.0.0.145); Windows 7 x64 SP1 with IE 8 32-bit (Flash 14.0.0.145); Windows 7 x64 SP1 with IE 8 64-bit (Flash 14.0.0.145) |
Usage | python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_regexp -O auto_detect_exploits:0 ; python commandlineInterface.py -v 17 -p5555 |
Versions affected | Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows |
Repeatability | One-shot |
References | http://googleprojectzero.blogspot.com.ar/2014/09/exploiting-cve-2014-0556-in-flash.html |
CVE URL | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0556 |
Date public | 09/07/2014 |