Byte-ul

Adobe Flash Player Exploit - AS3 opaqueBackground UAF


The UaF memory corruption exists inside the AS3 "opaqueBackground" property setter of the flash.display.DisplayObject class.

DisplayObject - Adobe ActionScript® 3 (AS3) API Reference

The DisplayObject source code is not published like the core AS3 classes, so you have to view the opaqueBackground setter in your disassembler.

Affected: Adobe Flash Player 9+ 32/64-bit (since Jun 2006)

Testing:

Open the test "calc.htm" file in your browser and press the button.

on Windows:

Calc.exe should be popped on desktop IE.

Calc.exe should be run as a non-GUI child process in metro IE.

Payload returns 0 from CreateProcessA("calc.exe") inside Chrome/FF sandbox.

You can run Chrome with the --no-sandbox switch to pop the calc.

on OS X:

Calculator is launched in FF or standalone Flash Player projector.

Payload returns 1 from vfork() in Safari/Chrome sandbox (see console logs).

Download: Adobe exp 1.rar

Pass: 123456789

Edited by Byte-ul