[Snort-sigs] Snort Rule
rmkml at ...174...
Mon Oct 27 06:09:48 EDT 2014
Maybe this URL?
This exploit involves Adobe Flash player regex handling buffer overflow.
The attacker overwrites the length of a Vector.<Number> object, and then
reads more memory content to get base address of flash.ocx.
Here’s how the exploit works:
Set up a continuous memory layout by allocating the following objects:
Free the <Number> object at index 1 of the above objects as follows:
    obj = null;
Allocate the new RegExp object. This allocation reuses memory in the obj position as follows:
    boom = "(?i)()()(?-i)||||||||||||||||||||||||";
    var trigger = new RegExp(boom, "");
Later, the malformed expression overwrites the length of a Vector.<Number>
object in obj to enlarge it. With a corrupted size, the attacker can
use obj to read from or write to memory in a huge region to locate the
flash.ocx base address and overwrite a vftable to execute the payload.
On Mon, 27 Oct 2014, Nicholas Horton wrote:
> Anyone have the info for Snort ID 1:16400:8 ?
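
A defender-side check for the malformed pattern quoted in the message above, added here as an example; it is not part of the original thread and is not the logic of any Snort rule. It inflates zlib-compressed (CWS) Flash files before searching, since the literal string is not visible in the compressed bytes. The names `swf_body`, `verdict` and `make_swf` are hypothetical, the sample files are constructed, and the check assumes the pattern is stored as a plain string in the file.

```python
import struct
import zlib

# Literal prefix of the pattern quoted in the message (assumption: the sample
# stores it as a plain string; one built at runtime would not match).
TRIGGER = b"(?i)()()(?-i)|"
MAX_BODY = 64 * 1024 * 1024  # hard cap on inflated size


def swf_body(data: bytes) -> bytes:
    """Return the bytes after the 8-byte SWF header, inflating CWS files."""
    if len(data) < 8:
        raise ValueError("too short for a SWF header")
    declared_len = struct.unpack("<I", data[4:8])[0]
    if data[:3] == b"FWS":  # uncompressed movie
        return data[8:]
    if data[:3] == b"CWS":  # zlib stream follows the header
        # Bound the output by the declared length so a hostile file cannot
        # expand without limit; max_length=0 would mean "unlimited".
        cap = min(max(declared_len - 8, 1), MAX_BODY)
        return zlib.decompressobj().decompress(data[8:], cap)
    raise ValueError("not an FWS/CWS file")


def verdict(data: bytes) -> str:
    """Classify a file as 'hit', 'clean' or 'unparsed'."""
    try:
        body = swf_body(data)
    except (ValueError, zlib.error):
        return "unparsed"  # worth logging: could not be inspected
    return "hit" if TRIGGER in body else "clean"


def make_swf(body: bytes, compress: bool) -> bytes:
    """Build a constructed test file: SWF header plus body, not a real movie."""
    tail = bytes([11]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + tail + zlib.compress(body)
    return b"FWS" + tail + body


if __name__ == "__main__":
    pad = b"\x00" * 64
    bad = pad + b"(?i)()()(?-i)||||||||||||||||||||||||" + pad  # constructed
    for name, blob in [("cws", make_swf(bad, True)), ("fws", make_swf(bad, False)),
                       ("benign", make_swf(pad + b"(?i)foo|bar" + pad, True))]:
        print(name, verdict(blob))
```

Files reported as `unparsed` were not inspected at all and should be logged separately from `clean` ones.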