Adobe Flash (Linux x64) - Bad Dereference at 0x23c

EDB-ID:

37868

CVE:

2015-5546

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Linux_x86-64

Date:

2015-08-19

Vulnerable App: 
Source: https://code.google.com/p/google-security-research/issues/detail?id=398&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):

=> 0x00007f693155bf58:	mov    (%rdi),%rbx
rdi            0x23c	572

At first glance this might appear to be a NULL dereference but sometimes it crashes trying to access 0xc8 and different builds have shown crashes at much wilder addresses, so there is probably a use-after-free or other non-deterministic condition going on. For example, our fuzzing cluster saw a crash at 0x400000001.

The base sample from which the fuzz case is derived is also attached.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37868.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services