PoC written by Soroush Dalili (@irsdl)
Based on https://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-part-2-navigatetourl-and-jar-protocol/ (an old true story! - all those issues have been patched) - Demo was here
Flash "navigateToURL" local-with-filesystem protection bypass - tested in IE11
SecProject.com