Friday, October 29, 2010

Firefox Exploit (CVE-2010-3765)

Bug patched at firefox 3.6.12 .
Update your browser !

Firefox exploit from the wild

working on windows xp firefox version 3.6.8 - 3.6.11

source code of exploit

virustotal scan results

Thursday, October 28, 2010

New Adobe 0day (bug in flash player),CVE-2010-3654

New bug, successful exploitation of latest adobe reader and flash player

Remotely exploitable.

Adobe confirms exploit

Bug exist in authplay.dll

Already vulnerability actively exploited in the wild against Adobe Reader.
Look at Mila's Blog:

Exploit from the wild successful works under Adobe Reader 9.4.0 on windows xp.
pdf size 241,679 bytes.

Swf file size -22,946 bytes.

swf decompiled looks like

this is curvedPolygon.
possibly related to

Exploit use js heap spray

source code of heap spray
nop slide 0x58585858
exploit feel memory as showed in image

Exploit use ROP technic to allocate memory end copy shellcode.

shellcode drops in %temp% directory
~.exe , ~temp.bat, pdf named same as pdf.

dropped files are located here
Password is "infected" .

to be continued ...