Exploit Adobe Flash - Pointer Crash in XML Handling

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
37870
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
LINUX
CVE
cve-2015-5548
Дата публикации
2015-08-19
Adobe Flash - Pointer Crash in XML Handling
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.

The crash looks like this on Linux x64:

=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax
rcx            0x303030303030300	217020518514230016

The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:

=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax    <--- read
   0x00007f6931226f25:	test   %eax,%eax
   0x00007f6931226f27:	je     0x7f6931226f80
   0x00007f6931226f29:	test   $0x40000000,%eax
   0x00007f6931226f2e:	jne    0x7f6931226f80
   0x00007f6931226f30:	add    $0x1,%eax         <--- increment
   0x00007f6931226f33:	cmp    $0xff,%al
   0x00007f6931226f35:	mov    %eax,0x8(%rcx)    <--- write back

The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37870.zip
 
Источник
www.exploit-db.com

Похожие темы