Rapid7 Vulnerability & Exploit Database

Adobe Flash Player AVM Bytecode Verification Vulnerability

Disclosed: 03/15/2011
Created: 05/30/2018

Description

This module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. The issue is caused by a failure in the ActionScript 3 AVM2 bytecode verification logic, which results in unsafe JIT (Just-In-Time) code being executed. This is the same vulnerability that was used for the RSA attack in March 2011. Specifically, the issue results in uninitialized memory being referenced and later executed. Taking advantage of it relies on heap spraying and controlling the uninitialized memory. Currently this exploit works for IE6, IE7, and Firefox 3.6, and likely several other browsers. DEP does catch the exploit and causes it to fail. Due to the nature of the uninitialized memory, it is fairly difficult to get around this restriction.

Author(s)

  • bannedit <bannedit@metasploit.com>
  • Unknown

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/adobe_flashplayer_avm
msf exploit(adobe_flashplayer_avm) > show targets
    ...targets...
msf exploit(adobe_flashplayer_avm) > set TARGET <target-id>
msf exploit(adobe_flashplayer_avm) > show options
    ...show and set options...
msf exploit(adobe_flashplayer_avm) > exploit
