Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following crash was observed in Flash Player 17.0.0.188 on Windows:
(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????

- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
- The test case minimizes to an 11-bit difference from the original sample file.
- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).

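The register dump above is the kind of output a triager reads to decide how seriously to treat a fuzzer crash: here eax holds a stale pointer (0x37397006) and the indirect `jmp dword ptr [eax+0x4]` faults on an unmapped address, which is the most dangerous shape a use-after-free can take. The following script is an added example, not part of the original report, that parses a WinDbg first-chance exception block in exactly this format, works out which register produced the faulting address, and applies a !exploitable-style heuristic. The log text is the dump quoted above, embedded as a constructed sample; the classification labels are my own.

```python
import re

# Constructed sample: the WinDbg output quoted in the report above.
CRASH_LOG = """\
(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
"""

# General-purpose 32-bit registers as WinDbg prints them (name=8 hex digits).
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# Faulting instruction line: address, opcode bytes, mnemonic, operands,
# then the effective address WinDbg resolved and the value read there
# ("????????" means the page is not mapped).
FAULT_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8}) (?P<bytes>[0-9a-f]+)\s+(?P<mnem>\w+)\s+(?P<ops>.*?)"
    r"\s+ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=(?P<value>\S+)$", re.M)

def parse_crash(log):
    """Extract the facts a triager needs from one first-chance AV block."""
    m = FAULT_RE.search(log)
    if not m:
        raise ValueError("no faulting instruction line found")
    regs = {k: int(v, 16) for k, v in REG_RE.findall(log)}
    target = int(m["target"], 16)
    # The base register is the one whose value plus a small displacement
    # equals the faulting effective address (here eax + 0x4).
    base = next((r for r, v in regs.items() if 0 <= target - v < 0x100), None)
    return {
        "code": re.search(r"code (c[0-9a-f]{7})", log).group(1),
        "mnemonic": m["mnem"],
        "operands": m["ops"],
        "target": target,
        "unmapped": m["value"].strip("?") == "",
        "base_reg": base,
        "module": re.search(r"^(\S+\+0x[0-9a-f]+):$", log, re.M).group(1),
    }

def classify(info):
    """!exploitable-style verdict: an indirect branch through a dangling pointer
    is the worst case; a read through one needs dataflow analysis to rate."""
    if info["mnemonic"] in ("jmp", "call") and info["base_reg"] and info["unmapped"]:
        return "EXPLOITABLE: indirect control transfer through dangling pointer"
    if info["mnemonic"].startswith("mov") and info["unmapped"]:
        return "PROBABLY_EXPLOITABLE: read through invalid pointer"
    return "UNKNOWN"
```

The report notes the same test case sometimes faults on one of the two preceding mov instructions instead; feeding such a variant through `classify` yields the weaker verdict, which is why a triager reruns the case to see whether the dangling value reaches the jmp.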
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip