Adobe Flash – Pointer Crash in Drawing and Bitmap Handling

• Exploit Database
• 32 阅读

• 作者： Google Security Research
  日期： 2015-08-19
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/37866/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
  
  A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
  
  A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
  
  The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf
  
  The crash on 64-bit Linux looks like this:
  
  => 0x00007f69314b8f7d:	cmpl $0xc,0x174(%rax)
  
  rax0x83071500ff0300	36881008741516032
  
  If we trace through the usages of %rax, we can get to some bad writes pretty easily:
  
  => 0x00007f69314b8f7d:	cmpl $0xc,0x174(%rax)
   0x00007f69314b8f84:	je 0x7f69314b8fa0
  ...
   0x00007f69314b8fa0:	mov(%rax),%rdi<-- rdi compromised
   0x00007f69314b8fa3:	callq0x7f69314b8810
  ...
   0x00007f69314b8810:	mov(%rsi),%edx
   0x00007f69314b8812:	cmp$0x7ffffff,%edx
   0x00007f69314b8818:	je 0x7f69314b8862
   0x00007f69314b881a:	mov0x10(%rdi),%eax
   0x00007f69314b881d:	cmp$0x7ffffff,%eax
   0x00007f69314b8822:	je 0x7f69314b8868
   0x00007f69314b8824:	sub$0x1,%edx
   0x00007f69314b8827:	cmp%eax,%edx
   0x00007f69314b8829:	cmovg%eax,%edx
   0x00007f69314b882c:	mov0x14(%rdi),%eax
   0x00007f69314b882f:	mov%edx,0x10(%rdi)<---- rdi written to
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37866.zip