Immunity, Inc.
Name: adobe_flash_valueof
CVE: CVE-2015-5119
Exploit Pack: CANVAS
Description: adobe_flash_valueof
Notes:
CVE Name: CVE-2015-5119
VENDOR: Adobe
Notes:

Tested on:
- Windows 7 x86/x64 IE(32/64) 8, 9, 11

This module exploits a use-after-free vulnerability in Adobe Flash Player.
When a ByteArray object ba is assigned to with ba[0] = object, Flash calls that object's valueOf function.
Because valueOf can be overridden, code inside the overridden valueOf can change ba.
If the valueOf function reallocates the memory backing ba, the result is a UAF: the ba[0] = object assignment saved a reference to the original memory before calling valueOf and uses it after valueOf has returned.

IMPORTANT:

You need to set up a WIN64 MOSDEF INTEL listener in order for the callback
process to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF
yet.

Usage:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_valueof -O auto_detect_exploits:0
python commandlineInterface.py -v 17 -p5555

Versions Affected: Adobe Flash Player > 9 and before 18.0.0.194 on Windows
Repeatability: One-shot
References: http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119