Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.

The crash looks like this on Linux x64:

=> 0x00007f6931226f22:  mov    0x8(%rcx),%eax
rcx            0x303030303030300   217020518514230016

The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:

=> 0x00007f6931226f22:  mov    0x8(%rcx),%eax          <--- read
   0x00007f6931226f25:  test   %eax,%eax
   0x00007f6931226f27:  je     0x7f6931226f80
   0x00007f6931226f29:  test   $0x40000000,%eax
   0x00007f6931226f2e:  jne    0x7f6931226f80
   0x00007f6931226f30:  add    $0x1,%eax               <--- increment
   0x00007f6931226f33:  cmp    $0xff,%al
   0x00007f6931226f35:  mov    %eax,0x8(%rcx)          <--- write back

The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37870.zip
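The following C model is an added illustration, not code from the original report or from Flash. It re-expresses the read / test / increment / write-back sequence above as a function on a byte pointer standing in for rcx, so the conditions under which the increment primitive actually fires can be exercised. Only the +8 offset, the 0x40000000 test and the 32-bit add are taken from the disassembly; the 16-byte "object" buffers, the function names and the sample field values are constructed for the demonstration, and the real rcx (0x303030303030300) is unmapped, so nothing here touches that address.

```c
/* Added illustration (not from the original report or from Flash): a C model
 * of the instruction sequence at 0x00007f6931226f22. The object layout is an
 * assumption (a 16-byte buffer); only the +8 offset, the 0x40000000 test and
 * the 32-bit add come from the disassembly. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The excerpt as a function of a pointer playing the role of rcx.
 * Returns 1 if the dword at +8 was stored back incremented, 0 if one of
 * the two tests branched past the write. */
static int bump_dword_at_plus8(uint8_t *rcx)
{
    uint32_t eax;
    memcpy(&eax, rcx + 8, sizeof eax);          /* mov 0x8(%rcx),%eax  (read) */
    if (eax == 0)                               /* test %eax,%eax ; je ...f80 */
        return 0;
    if (eax & 0x40000000u)                      /* test $0x40000000,%eax ; jne ...f80 */
        return 0;
    eax += 1;                                   /* add $0x1,%eax       (increment) */
    /* cmp $0xff,%al only sets flags for a branch outside the excerpt;
     * the store below is the full 32-bit register, not a single byte. */
    memcpy(rcx + 8, &eax, sizeof eax);          /* mov %eax,0x8(%rcx)  (write back) */
    return 1;
}

/* Run the sequence once against a constructed 16-byte object whose +8 dword
 * holds `field`, and return the value left in that dword afterwards. */
static uint32_t field_after_bump(uint32_t field)
{
    uint8_t obj[16] = {0};                      /* constructed stand-in for *rcx */
    memcpy(obj + 8, &field, sizeof field);
    bump_dword_at_plus8(obj);
    memcpy(&field, obj + 8, sizeof field);
    return field;
}

/* Same setup, but report only whether the write-back happened. */
static int bump_fires(uint32_t field)
{
    uint8_t obj[16] = {0};                      /* constructed stand-in for *rcx */
    memcpy(obj + 8, &field, sizeof field);
    return bump_dword_at_plus8(obj);
}

int main(void)
{
    /* Constructed sample values for the dword at rcx+8. */
    static const uint32_t samples[] = { 0x41u, 0u, 0x40000001u, 0xbfffffffu, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("+8 = 0x%08x -> fires=%d, after=0x%08x\n",
               (unsigned)samples[i], bump_fires(samples[i]),
               (unsigned)field_after_bump(samples[i]));
    return 0;
}
```

What the model makes explicit: the primitive is a conditional +1 on the 32-bit dword at rcx+8, it does nothing when that dword is zero or already has bit 30 set, and a field that is incremented across 0x40000000 (for example 0xbfffffff to 0xc0000000) becomes immune to further increments, so the primitive cannot be used to wrap a counter through that bit.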