Back to search

Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow

This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx component. When processing a MP4 file (specifically the Sequence Parameter Set), Flash will see if pic_order_cnt_type is equal to 1, which sets the num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in offset_for_ref_frame on the stack, which allows arbitrary remote code execution under the context of the user. Numerous reports also indicate that this vulnerability has been exploited in the wild.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/windows/browser/adobe_flash_sps

Authors

  • Alexander Gavrun
  • Abysssec
  • sinn3r <sinn3r [at] metasploit.com>

References

Targets

  • Automatic
  • IE 6 on Windows XP SP3
  • IE 7 on Windows XP SP3 / Vista

Platforms

  • windows

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/adobe_flash_sps msf exploit(adobe_flash_sps) > show targets ...targets... msf exploit(adobe_flash_sps) > set TARGET <target-id> msf exploit(adobe_flash_sps) > show options ...show and set options... msf exploit(adobe_flash_sps) > exploit

Related Vulnerabilities