【梅开二度】Trigger call valueOf2
// here we go, call the vulnerable setter_cnt = _arLen2-6;
_ar.opaqueBackground = _mc;
从第6节的set_opaqueBackground可以看到设置属性时会对参数调用
avmplus::AvmCore::integer进行转换时会调用valueOf函数,这里调用触发UAF,可以直接对set_opauebackgroud函数下断,跟踪avmplus::AvmCore::integer获取到valueOf的jit code
In valueOf2
http://cdn.u1.huluxia.com/g4/M00/00/DA/rBAAdl808i2AZcu9AAAy4JwL6Q0487.jpg
页:
[1]