73 lines
No EOL
1.5 KiB
Text
73 lines
No EOL
1.5 KiB
Text
#######################################################################
|
|
|
|
Luigi Auriemma
|
|
|
|
Application: Unity 3D web player
|
|
http://unity3d.com/webplayer/
|
|
Versions: <= 3.2.0.61061
|
|
Platforms: Windows
|
|
Bug: heap corruption
|
|
Exploitation: remote
|
|
Date: 21 Feb 2012
|
|
Author: Luigi Auriemma
|
|
e-mail: aluigi@autistici.org
|
|
web: aluigi.org
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
1) Introduction
|
|
2) Bug
|
|
3) The Code
|
|
4) Fix
|
|
|
|
|
|
#######################################################################
|
|
|
|
===============
|
|
1) Introduction
|
|
===============
|
|
|
|
|
|
Unity 3d is a game engine used in various games and it's web player
|
|
allows to play these games (unity3d extension) also directly from the
|
|
web browser.
|
|
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
2) Bug
|
|
======
|
|
|
|
|
|
Heap corruption caused by a negative 32bit size value which allows to
|
|
execute malicious code.
|
|
|
|
The provided proof-of-concept is not optimized but should show a write4
|
|
and, (tested on Firefox) EIP pointing to an invalid memory zone.
|
|
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
3) The Code
|
|
===========
|
|
|
|
|
|
http://aluigi.org/poc/unity3d_1.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18512.zip
|
|
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
4) Fix
|
|
======
|
|
|
|
|
|
No fix.
|
|
|
|
|
|
####################################################################### |