Adobe Flash Player 11.5.502.135 - Crash (PoC)

EDB-ID:

23469

CVE:


EDB Verified:

Author:

coolkaveh

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2012-12-18

Vulnerable App: 
Title    :  Adobe Flash Player 11,5,502,135 memory corruption
Version  :  11,5,502,135
Date     :  2012-12-17
Vendor   :  http://www.adobe.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Internet Explorer 8 Windows 7 
Author   :  coolkaveh
###########################################################################################################
Bug :
The vulnerability cause a Memory corruption via a specially
crafted Flv files.
Successful exploits can allow attackers to execute arbitrary code
###########################################################################################################
900.c80): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c
eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf:
01953095 0fbf1456        movsx   edx,word ptr [esi+edx*2] ds:0023:0322fffe=????

Exception Faulting Address: 0x322fffe
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2]

Basic Block:

    01953095 movsx edx,word ptr [esi+edx*2]
       Tainted Input Operands: edx, esi
    01953099 inc eax
    0195309a cmp dword ptr [ebp-0ch],1
    0195309e mov dword ptr [ebp+ecx*4-110h],edx
       Tainted Input Operands: edx
    019530a5 mov dword ptr [ebp+8],eax
    019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d)

Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c

Stack Trace:
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf
Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7
Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7
Flash32_11_5_502_135!DllUnregisterServer+0x22ceca
Flash32_11_5_502_135+0x19f324
Flash32_11_5_502_135+0x19f36a
Flash32_11_5_502_135+0x19fd15
Flash32_11_5_502_135!DllUnregisterServer+0x48ff3
Flash32_11_5_502_135!DllUnregisterServer+0x49072
Instruction Address: 0x0000000001953095

###########################################################################################################
Proof of concept included.

http://www48.zippyshare.com/v/64875465/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23469.rar
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services