Title   : Adobe Shockwave player rcsL chunk memory corruption
Class   : Memory corruption allowing command execution
Contact : shahin, info
Version : Adobe Shockwave player 11.5.8.612 (latest at time of writing)
Impact  : Successfully exploiting this issue allows remote attackers to execute arbitrary code or cause denial-of-service conditions.

Shockwave player is a browser plug-in for loading Adobe Director movie files. Director movies come either as DIR files or in the compressed DCR format. The DIR file format is RIFF-based: the file starts with a 4-byte RIFX identifier and the length of the file, and chunks then follow one after another, each formatted as a 4-byte chunk identifier + size of chunk + data. Some of the chunk identifiers are tSAC, pami and rcsL.

With the help of our simple fuzzer we manipulated a Director movie file and found a vulnerability in part of an existing rcsL chunk. There is a 4-byte value in the undocumented rcsL chunk of our sample Director movie, and it may be possible to find similar rcsL chunks in other Director samples. That 4-byte value can be manipulated to reach the vulnerable part of function 68122990. In that function we have direct control over the second argument, and by manipulating the argument in the rcsL chunk we reach an indirect call that depends on our arguments:

.text:68122A5C call dword ptr -> controllable

EAX is set from the second argument, which we control, and ESI is the first argument, a pointer to a dynamically allocated structure on the heap. The value at offset 28h of that (unknown) structure is loaded into ECX, and finally an indirect call through 'ECX+EAX*24h+20h' is made. Because EAX*24h is a large value and we have complete control over EAX, we can almost control the first byte of the indirect call pointer without needing ECX.

For exploitation, since the call has no fixed address, we cannot redirect execution to an exact value, but we can jump into a specific range because we control the first bytes of the pointer used by the indirect call. So by abusing JavaScript we can use the old-school heap spray technique to fill memory with NOPs + shellcode and call into that range. An important hint here: because the call goes through the pointer we land on, EIP is set to the NOP bytes themselves, and as you know an EIP of 90909090 is not a valid address. To control the 4-byte EAX register, our exploit manipulates the 4 bytes at file offset 4C4Bh to the value FFF00267. In our test sample we used 0a0a0a0a both as the base range of the heap spray and as the NOP sled, because 0A 0A decodes as an OR instruction (or cl, byte ptr [edx]) on registers that do not matter here; other opcodes that have no harmful effect can be used as the sled as well.

The sample + exploit were tested on a patched Windows XP Service Pack 3.

PS 1 : this vulnerability is not the already-patched bug released by ZDI.
PS 2 : it is possible to exploit this vulnerability on modern Windows like Vista/7 too, and that is left to the reader ...