Adobe Flash – URL Resource Use-After-Free

  • Author: Google Security Research
    Date: 2015-08-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37875/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
    
    The following crash was observed in Flash Player 17.0.0.188 on Windows:
    
    (81c.854): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
    eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
    Flash32_17_0_0_188+0x18cb:
    07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
    
    - The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
    
    - The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
    
    - The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
    
    - The test case minimizes to an 11-bit difference from the original sample file.
    
    - The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).
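    As an added example (not part of the Google Security Research report or the exploit-db page), a small Python triage helper that parses the WinDbg block above, recomputes the dereferenced address from the register state to cross-check the `ds:0023:3739700a=????????` target, and applies a heuristic in the spirit of the `!exploitable` extension: an indirect `jmp` through a pointer read from unreadable memory is what a stale vtable pointer in a freed object looks like from the debugger. The regexes and the severity labels are this example's own assumptions, not a published classification scheme.

```python
import re

# WinDbg exception block quoted (abridged) from the report above.
CRASH_DUMP = """\
(81c.854): Access violation - code c0000005 (first chance)
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
"""

REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{4,8})\b")
INSN_RE = re.compile(r"^(?P<addr>[0-9a-f]{8}) [0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
                     r"(?:\s+ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=(?P<val>\S+))?$")

def parse_windbg_dump(text):
    """Extract exception code, registers, module+offset and the faulting instruction."""
    info = {"code": None, "regs": {}, "module": None, "insn": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\(.*\): .* - code ([0-9a-f]{8})", line)
        if m:
            info["code"] = m.group(1)
        elif re.fullmatch(r"\S+\+0x[0-9a-f]+:", line):
            info["module"] = line[:-1]
        elif (m := INSN_RE.match(line)) and m.group("addr") == info["regs"].get("eip"):
            info["insn"] = m.groupdict()  # only the line disassembled at eip
        else:
            info["regs"].update(REG_RE.findall(line))  # eax=..., cs=..., efl=...
    return info

def dereferenced_address(info):
    """Recompute [base+disp] from the registers to cross-check the ds:...=???????? target."""
    m = re.search(r"\[(e[a-z]{2})(?:\+0x([0-9a-f]+))?\]", info["insn"]["ops"])
    return int(info["regs"][m.group(1)], 16) + int(m.group(2) or "0", 16)

def triage(info):
    """Heuristic severity (this example's own labels): an indirect jmp/call whose
    pointer comes from unreadable memory means a stale object now steers control flow."""
    insn = info["insn"]
    if insn is None:
        return "UNKNOWN"
    indirect = insn["mnem"] in ("jmp", "call") and "[" in insn["ops"]
    unreadable = insn["val"] is not None and set(insn["val"]) == {"?"}
    if indirect and unreadable:
        return "LIKELY_EXPLOITABLE"
    return "PROBABLY_EXPLOITABLE" if indirect else "UNKNOWN"
```

Running `triage(parse_windbg_dump(CRASH_DUMP))` on the quoted block classifies it as LIKELY_EXPLOITABLE, and `dereferenced_address` confirms eax+0x4 is exactly the unreadable 3739700a that WinDbg reports.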
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip