Adobe Flash – Pointer Crash in XML Handling

  • Author: Google Security Research
    Date: 2015-08-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37870/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
    
    The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
    
    The crash looks like this on Linux x64:
    
    => 0x00007f6931226f22:	mov    0x8(%rcx),%eax
    rcx            0x303030303030300	217020518514230016
    
    The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:
    
    => 0x00007f6931226f22:	mov    0x8(%rcx),%eax      <--- read
       0x00007f6931226f25:	test   %eax,%eax
       0x00007f6931226f27:	je     0x7f6931226f80
       0x00007f6931226f29:	test   $0x40000000,%eax
       0x00007f6931226f2e:	jne    0x7f6931226f80
       0x00007f6931226f30:	add    $0x1,%eax           <--- increment
       0x00007f6931226f33:	cmp    $0xff,%al
       0x00007f6931226f35:	mov    %eax,0x8(%rcx)      <--- write back
    
    The base sample from which this fuzz case was generated is also attached: e3f87b25c25db8f9ec3c975f8c1211cc.swf
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37870.zip