Adobe Flash Player 11.5.502.135 – Crash (PoC)

  • Author: coolkaveh
    Date: 2012-12-18
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/23469/
  • Title: Adobe Flash Player 11,5,502,135 memory corruption
    Version: 11,5,502,135
    Date: 2012-12-17
    Vendor: http://www.adobe.com/
    Impact: High
    Contact: coolkaveh [at] rocketmail.com
    Twitter: @coolkaveh
    Tested: Internet Explorer 8, Windows 7
    Author: coolkaveh
    ###########################################################################################################
    Bug:
    The vulnerability causes memory corruption via a specially
    crafted FLV file.
    Successful exploitation can allow attackers to execute arbitrary code.
    ###########################################################################################################
    900.c80): Access violation - code c0000005 (!!! second chance !!!)
    eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c
    eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
    Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf:
    01953095 0fbf1456        movsx edx,word ptr [esi+edx*2] ds:0023:0322fffe=????
    
    Exception Faulting Address: 0x322fffe
    Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
    
    Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2]
    
    Basic Block:
    
    01953095 movsx edx,word ptr [esi+edx*2]
     Tainted Input Operands: edx, esi
    01953099 inc eax
    0195309a cmp dword ptr [ebp-0ch],1
    0195309e mov dword ptr [ebp+ecx*4-110h],edx
     Tainted Input Operands: edx
    019530a5 mov dword ptr [ebp+8],eax
    019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d)
    
    Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c
    
    Stack Trace:
    Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf
    Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7
    Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7
    Flash32_11_5_502_135!DllUnregisterServer+0x22ceca
    Flash32_11_5_502_135+0x19f324
    Flash32_11_5_502_135+0x19f36a
    Flash32_11_5_502_135+0x19fd15
    Flash32_11_5_502_135!DllUnregisterServer+0x48ff3
    Flash32_11_5_502_135!DllUnregisterServer+0x49072
    Instruction Address: 0x0000000001953095
    
    ###########################################################################################################
    Proof of concept included.
    
    http://www48.zippyshare.com/v/64875465/file.html
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23469.rar
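Added example, not part of the advisory and not Flash Player's code: a C model of the chained, sign-extended lookup visible in the basic block above (the word read through `[esi+edx*2]` becomes the next `edx`), with the 32-bit address arithmetic that reproduces the faulting address from `edx=ffffffff`, beside a bounds-checked walk that rejects the negative index before the load. The table contents, walk length and output-slot count are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the pattern in the faulting basic block; this is not
 * Flash Player's code. Each step loads a 16-bit word at table[idx], sign-
 * extends it (movsx edx, word ptr [esi+edx*2]), stores it and reuses it as
 * the next idx. Table contents and walk length are assumptions. */
enum { TABLE_WORDS = 4, OUT_SLOTS = 8 };

/* movsx semantics: the bit pattern 0xFFFF becomes -1, not 65535. */
int32_t movsx16(uint16_t w) { return (int32_t)(int16_t)w; }

/* Address [esi + edx*2] would touch in 32-bit arithmetic, computed without
 * dereferencing. base 0x03230000 with idx -1 gives 0x0322FFFE, the faulting
 * address in the dump: two bytes below esi, in the preceding page, which the
 * debugger shows as unreadable (????). */
uint32_t unchecked_target(uint32_t base, int32_t idx) {
    return base + (uint32_t)idx * 2u;
}

/* Hardened walk: validate idx against the table bounds before every load.
 * Returns the number of words written, or -1 on an out-of-range index. */
int checked_walk(const uint16_t *table, size_t table_len, int32_t start,
                 int32_t *out, size_t out_len) {
    int32_t idx = start;
    for (size_t i = 0; i < out_len; i++) {
        if (idx < 0 || (size_t)idx >= table_len) return -1; /* rejects -1 */
        idx = movsx16(table[idx]);
        out[i] = idx;
    }
    return (int)out_len;
}

/* Constructed sample table; the last entry is the 0xFFFF pattern that
 * sign-extends to the edx=ffffffff seen in the register dump. */
static const uint16_t SAMPLE_TABLE[TABLE_WORDS] = { 1, 2, 3, 0xFFFF };

/* Walk the sample for out_len steps; *last receives the final value read. */
int walk_sample(size_t out_len, int32_t *last) {
    int32_t out[OUT_SLOTS];
    if (out_len > OUT_SLOTS) return -1;
    int r = checked_walk(SAMPLE_TABLE, TABLE_WORDS, 0, out, out_len);
    if (last != NULL && r > 0) *last = out[r - 1];
    return r;
}

int32_t walk_sample_last(size_t out_len) {
    int32_t v = 0;
    walk_sample(out_len, &v);
    return v;
}
```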