CVE-2015-3081
Adobe Flash Player <13.0.0.289-17.0.0.188 - Info Disclosure
Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-3081. PoCs published by KeenTeam.
AI-analyzed exploit summary
This exploit leverages a TOCTOU (Time-of-Check Time-of-Use) race condition in FlashBroker's BrokerMoveFileEx method to bypass Internet Explorer Protected Mode via an NTFS junction attack, allowing arbitrary file writes to the filesystem. The PoC demonstrates writing a calc.bat file to the startup folder, tested on Adobe Flash Player 16.0.0.305.
Description
Race condition in Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allows attackers to bypass the Internet Explorer Protected Mode protection mechanism via unspecified vectors.