Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following crash was observed in Flash Player 17.0.0.188 on Windows:
(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
- The test case minimizes to an 11-bit difference from the original sample file.
- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip