Byte-ul Posted July 11, 2015 Report Share Posted July 11, 2015 (edited) The UaF memory coruption exists inside the AS3 "opaqueBackground" propertysetter of the flash.display.DisplayObject class.DisplayObject - Adobe ActionScript® 3 (AS3 ) API ReferenceThe DisplayObject source code is not published like the core AS3 classes, soyou have to view opaqueBackground setter in your disassembler.Affected: Adobe Flash Player 9+ 32/64-bit (since Jun 2006)Testing:Open the test "calc.htm" file in your browser and press the button.on Windows:Calc.exe should be popped on desktop IE.Calc.exe should be run as a non-GUI child process in metro IE.Payload returns 0 from CreateProcessA("calc.exe") inside Chrome/FF sandbox.You can run Chrome with the --no-sandbox switch to pop the calc.on OS X:Calculator is launched in FF or standalone Flash Player projector.Payload returns 1 from vfork() in Safari/Chrome sandbox (see console logs).Download: Adobe exp 1.rarPass: 123456789 Edited July 11, 2015 by Byte-ul 1 Quote Link to comment Share on other sites More sharing options...
