Adobe Flash Player 11,5,502,135 memory corruption

vendor:

Flash Player

by:

coolkaveh

CVSS

HIGH

Memory Corruption

119

CWE

Product Name: Flash Player

Affected Version From: 11,5,502,135

Affected Version To: 11,5,502,135

Patch Exists: YES

Related CWE: N/A

CPE: a:adobe:flash_player:11.5.502.135

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Internet Explorer 8 Windows 7

2012

Adobe Flash Player 11,5,502,135 memory corruption

The vulnerability cause a Memory corruption via a specially crafted Flv files. Successful exploits can allow attackers to execute arbitrary code.

Mitigation:

Update to the latest version of Adobe Flash Player

Source

Exploit-DB raw data:

Title    :  Adobe Flash Player 11,5,502,135 memory corruption
Version  :  11,5,502,135
Date     :  2012-12-17
Vendor   :  http://www.adobe.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Internet Explorer 8 Windows 7 
Author   :  coolkaveh
###########################################################################################################
Bug :
The vulnerability cause a Memory corruption via a specially
crafted Flv files.
Successful exploits can allow attackers to execute arbitrary code
###########################################################################################################
900.c80): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c
eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf:
01953095 0fbf1456        movsx   edx,word ptr [esi+edx*2] ds:0023:0322fffe=????

Exception Faulting Address: 0x322fffe
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2]

Basic Block:

    01953095 movsx edx,word ptr [esi+edx*2]
       Tainted Input Operands: edx, esi
    01953099 inc eax
    0195309a cmp dword ptr [ebp-0ch],1
    0195309e mov dword ptr [ebp+ecx*4-110h],edx
       Tainted Input Operands: edx
    019530a5 mov dword ptr [ebp+8],eax
    019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d)

Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c

Stack Trace:
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf
Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7
Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7
Flash32_11_5_502_135!DllUnregisterServer+0x22ceca
Flash32_11_5_502_135+0x19f324
Flash32_11_5_502_135+0x19f36a
Flash32_11_5_502_135+0x19fd15
Flash32_11_5_502_135!DllUnregisterServer+0x48ff3
Flash32_11_5_502_135!DllUnregisterServer+0x49072
Instruction Address: 0x0000000001953095

###########################################################################################################
Proof of concept included.

http://www48.zippyshare.com/v/64875465/file.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23469.rar