Adobe Flash – Pointer Crash in Drawing and Bitmap Handling

• Exploit Database
• 98 阅读

• 作者： Google Security Research
  日期： 2015-08-19
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/37866/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

  Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id   A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.   A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf   The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf   The crash on 64-bit Linux looks like this:   => 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax)   rax0x83071500ff0300 36881008741516032   If we trace through the usages of %rax, we can get to some bad writes pretty easily:   => 0x00007f69314b8f7d: cmpl $0xc,0x174(%rax) 0x00007f69314b8f84: je 0x7f69314b8fa0 ... 0x00007f69314b8fa0: mov(%rax),%rdi<-- rdi compromised 0x00007f69314b8fa3: callq0x7f69314b8810 ... 0x00007f69314b8810: mov(%rsi),%edx 0x00007f69314b8812: cmp$0x7ffffff,%edx 0x00007f69314b8818: je 0x7f69314b8862 0x00007f69314b881a: mov0x10(%rdi),%eax 0x00007f69314b881d: cmp$0x7ffffff,%eax 0x00007f69314b8822: je 0x7f69314b8868 0x00007f69314b8824: sub$0x1,%edx 0x00007f69314b8827: cmp%eax,%edx 0x00007f69314b8829: cmovg%eax,%edx 0x00007f69314b882c: mov0x14(%rdi),%eax 0x00007f69314b882f: mov%edx,0x10(%rdi)<---- rdi written to   Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37866.zip