Adobe Flash Player and AIR AVM2 intf_count Integer Overflow Remote Code Execution
Since the out of bounds object contains arbitrary values, the attacker may spray the heap so he/she would have control over ArbitraryObjectA and ArbitraryObjectB (they would be located at addresses which contain data controlled by the attacker). This may allow him/her to pass all aforementioned conditions and also control the value which is written in the arbitrary memory MOV and the target of it. Achieving this may allow him to execute arbitrary code.
During the research of this vulnerability I’ve managed to create a functional exploit (demo: https://www.youtube.com/watch?v=wJb6a-J3i4c).
It should also be noted that the vulnerable code is wrapped by an SEH handler which doesn't crash the application on Access Violation. This means that the exploitation process may try different base addresses and offsets in case of a failure.
andry- Moderator
- Posts : 467
Join date : 2010-05-07