Immunity, Inc.
Name: adobe_flash_domainMemory_uaf
CVE: CVE-2015-0313
Exploit Pack: CANVAS
Description: adobe_flash_domainMemory_uaf
Notes: CVE Name: CVE-2015-0313
VENDOR: Adobe
Notes:

This module exploits a use-after-free vulnerability in Flash's handling of
ApplicationDomain.currentDomain.domainMemory when working with worker threads.
When a worker thread clears the domainMemory ByteArray, the ByteArray is freed,
but the main thread keeps a reference to the freed ByteArray.

Exploitation is done by placing a Vector object in the hole created when the
domainMemory ByteArray is freed. Using the memory intrinsic operations, it is
still possible to write to the domainMemory memory. This allows the module to change the
allocated vector's length to 0xffffffff, which yields arbitrary memory read and
write.

It bypasses ASLR by leaking an object vector vtable pointer and builds the ROP
chain dynamically.

Tested on:
- Windows XP SP3 with IE 7 (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 8 32 bits (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 9 32 bits (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 10 32 bits (Flash 16.0.0.296)
- Windows 7 x32 SP1 with IE 11 32 bits (Flash 16.0.0.296)
- Windows 7 x64 SP1 with IE 8 32 bits (Flash 16.0.0.296)
- Windows 8.1 x32 Release 3 with IE 11 32 bits (Flash 16.0.0.296) (Needs HTTP MOSDEF enabled)
- Firefox 37.0.2 (Flash 16.0.0.296) (needs sandbox bypass)

Usage:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_domainMemory_uaf -O auto_detect_exploits:0
python commandlineInterface.py -v 17 -p5555

Versions Affected: 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows
Repeatability: One-shot
References: https://www.trustwave.com/Resources/SpiderLabs-Blog/A-New-Zero-Day-of-Adobe-Flash-CVE-2015-0313-Exploited-in-the-Wild/
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313
Date public: 02/02/2015
