1. BACKGROUND

http://en.wikipedia.org/wiki/Adobe_Flash_Player

2. DESCRIPTION

The UaF memory corruption exists inside the AS3 "opaqueBackground" property setter of the flash.display.DisplayObject class.

http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/display/DisplayObject.html#opaqueBackground

The DisplayObject source code is not published like the core AS3 classes, so you have to view the opaqueBackground setter in your disassembler.

TODO: low-level details.

3. AFFECTED SOFTWARE

Adobe Flash Player 9+ 32/64-bit (since Jun 2006)

4. TESTING

Open the test "calc.htm" file in your browser and press the button.

on Windows:
Calc.exe should be popped on desktop IE.
Calc.exe should be run as a non-GUI child process in metro IE.
Payload returns 0 from CreateProcessA("calc.exe") inside the Chrome/FF sandbox. You can run Chrome with the --no-sandbox switch to pop the calc.

on OS X:
Calculator is launched in FF or the standalone Flash Player projector.
Payload returns 1 from vfork() in the Safari/Chrome sandbox (see console logs).