Source: https://code.google.com/p/google-security-research/issues/detail?id=363&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(1ba8.1c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe -
eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c
eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0:
017723c0 8b0408          mov     eax,dword ptr [eax+ecx] ds:002b:089ce800=????????

0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0
0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df
0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242
0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2
0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa
0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845
0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5
0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061
00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602

0:000> db ecx
08982000  35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff  5...............
08982010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
08982020  80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00  ................
08982030  00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00  ........ P......
08982040  03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00  .0..I...........
08982050  00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00  ................
08982060  00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00  ................
08982070  00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08  ............ P..

0:000> !address ecx
[...]
Usage:                  <unknown>
Base Address:           08906000
End Address:            08990000
Region Size:            0008a000
State:                  00001000          MEM_COMMIT
Protect:                00000004          PAGE_READWRITE
Type:                   00020000          MEM_PRIVATE
Allocation Base:        087f0000
Allocation Protect:     00000001          PAGE_NOACCESS

Notes:

- Reliably reproduces with the latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ECX".
- The 32-bit value read from the unmapped memory address is in fact a pointer, and is immediately used to read 12 bytes from it in one function up the call chain.
- Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37858.zip
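The notes above describe the bug class only in terms of the crashing instruction: a byte offset in EAX is added to a heap buffer base in ECX and dereferenced without being compared against the allocation size. The following C example is added here to illustrate that pattern and the corresponding fix; it is not Flash Player code, and the table type, the `lookup_unchecked`/`lookup_checked` functions and the constructed sample table are assumptions for illustration. The offset 0x4c800 used in the self-test is taken from the EAX value in the register dump purely to show that the hardened lookup rejects it against a small buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap table of 32-bit entries plus its element count.
   Added illustration of the bug class; not Flash Player's data structure. */
typedef struct {
    uint32_t *entries;
    size_t    count;    /* number of valid uint32_t entries in `entries` */
} table_t;

/* Allocate a table and copy `count` constructed sample values into it. */
table_t make_table(const uint32_t *values, size_t count) {
    table_t t;
    t.entries = (uint32_t *)malloc(count * sizeof(uint32_t));
    t.count = t.entries ? count : 0;
    if (t.entries)
        memcpy(t.entries, values, count * sizeof(uint32_t));
    return t;
}

/* Unchecked lookup: the same shape as `mov eax,[eax+ecx]` in the dump.
   `byte_offset` is never validated, so an oversized value reads past the
   allocation (and, past the end of the mapping, faults). Only ever call this
   with an in-bounds offset; it exists to show what the check below prevents. */
uint32_t lookup_unchecked(const table_t *t, size_t byte_offset) {
    return *(const uint32_t *)((const uint8_t *)t->entries + byte_offset);
}

/* Hardened lookup: reject unaligned offsets and any offset for which the
   4-byte read would not fit entirely inside the buffer. The size check is
   written so it cannot underflow when the table is empty. Returns 1 and
   stores the entry in *out on success, 0 on an out-of-bounds request. */
int lookup_checked(const table_t *t, size_t byte_offset, uint32_t *out) {
    size_t size_bytes = t->count * sizeof(uint32_t);
    if (byte_offset % sizeof(uint32_t) != 0)
        return 0;
    if (size_bytes < sizeof(uint32_t) || byte_offset > size_bytes - sizeof(uint32_t))
        return 0;
    *out = t->entries[byte_offset / sizeof(uint32_t)];
    return 1;
}

/* Self-test over a constructed 4-entry table (16 bytes). Returns 1 if every
   in-bounds lookup succeeds with the right value and every out-of-bounds or
   misaligned offset, including the crash dump's 0x4c800, is rejected. */
int selftest(void) {
    static const uint32_t sample[4] = { 0x35, 0x1, 0x0, 0xff000000u };
    table_t t = make_table(sample, 4);
    uint32_t v = 0;
    int ok = t.entries != NULL
          && lookup_checked(&t, 0, &v) == 1 && v == 0x35
          && lookup_checked(&t, 12, &v) == 1 && v == 0xff000000u
          && lookup_unchecked(&t, 4) == 0x1        /* in bounds: safe to call */
          && lookup_checked(&t, 16, &v) == 0       /* one past the end */
          && lookup_checked(&t, 2, &v) == 0        /* misaligned */
          && lookup_checked(&t, 0x4c800, &v) == 0; /* the dump's EAX vs. a 16-byte buffer */
    free(t.entries);
    return ok;
}

int main(void) {
    return selftest() ? 0 : 1;
}
```

The point of the check is that the bound is derived from the allocation that ECX-style base pointers refer to, not from the untrusted index; a size-based comparison done before the dereference is what turns the crash (or the pointer disclosure one frame up, where the read value is dereferenced again) into a clean failure.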