Thursday, October 28, 2010

New Adobe 0day (bug in Flash Player), CVE-2010-3654

New bug: successful exploitation of the latest Adobe Reader and Flash Player.

Remotely exploitable.

Adobe confirms the exploit.

The bug exists in authplay.dll.

The vulnerability is already being actively exploited in the wild against Adobe Reader.
Look at Mila's blog:

The exploit from the wild works successfully under Adobe Reader 9.4.0 on Windows XP.
PDF size: 241,679 bytes.

SWF file size: 22,946 bytes.

The decompiled SWF looks like this:

This is curvedPolygon.
possibly related to

The exploit uses a JavaScript heap spray.

Source code of the heap spray:
NOP slide: 0x58585858
The exploit fills memory as shown in the image.

The exploit uses a ROP technique to allocate memory and copy the shellcode.
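The post shows the heap-spray source only as an image, so here is an added example (not the exploit's code, and not from the original post) of the static checks a defender can run over a PDF for the indicators described above: an embedded SWF object and JavaScript that builds a 0x58585858 NOP slide. The marker strings and regular expressions are heuristics chosen for this example; the constructed sample PDF is a placeholder, not the real sample.

```python
"""Static triage of a PDF for an embedded SWF plus a JavaScript heap spray
built around a 0x58585858 NOP slide. Added example; the patterns are
heuristics, not signatures taken from the real exploit."""
import re
import zlib

# SWF header magic: uncompressed, zlib-compressed and LZMA-compressed variants.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Dictionary keys that point at Flash content or JavaScript inside a PDF.
FLASH_MARKERS = (b"/Subtype /Flash", b"/Subtype/Flash", b"/RichMedia", b"shockwave-flash")
JS_MARKERS = (b"/JavaScript", b"/JS")
# 0x58585858 as unescape() input ("%u5858" repeated) or as raw bytes ("X" repeated).
NOP_SLIDE_UNESCAPED = re.compile(rb"(?:%u5858){4,}", re.IGNORECASE)
NOP_SLIDE_RAW = re.compile(rb"X{16,}")
# A growth loop of the "while (s.length < 0x....) s += s" kind typical of spray code.
SPRAY_LOOP = re.compile(rb"(?:while|for)\s*\(.*?\.length\s*<\s*0x[0-9a-f]+",
                        re.IGNORECASE | re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_streams(data):
    """Return the body of every PDF stream, inflated when it is FlateDecode data.
    Exploit JavaScript is usually hidden inside a compressed stream."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            bodies.append(zlib.decompress(body))
        except zlib.error:
            bodies.append(body)  # not zlib data (or another filter): scan as-is
    return bodies


def scan_pdf_bytes(data):
    """Scan the raw PDF bytes plus every inflated stream; return a findings dict."""
    streams = extract_streams(data)
    findings = {
        "javascript": any(m in data for m in JS_MARKERS),
        "flash_marker": any(m in data for m in FLASH_MARKERS),
        "swf_stream": any(s[:3] in SWF_MAGIC for s in streams),
        "nop_slide_0x58585858": False,
        "spray_loop": False,
    }
    for view in [data] + streams:
        if NOP_SLIDE_UNESCAPED.search(view) or NOP_SLIDE_RAW.search(view):
            findings["nop_slide_0x58585858"] = True
        if SPRAY_LOOP.search(view):
            findings["spray_loop"] = True
    has_flash = findings["flash_marker"] or findings["swf_stream"]
    has_spray = findings["nop_slide_0x58585858"] or findings["spray_loop"]
    findings["verdict"] = "suspicious" if has_flash and has_spray else "no indicators"
    return findings


def scan_pdf_file(path):
    with open(path, "rb") as f:
        return scan_pdf_bytes(f.read())


def build_sample_pdf():
    """Constructed sample (not the real exploit): a minimal PDF with a
    FlateDecode-compressed JavaScript action and a stub SWF stream."""
    js = (b"var nop = unescape('%u5858%u5858%u5858%u5858');"
          b"while (nop.length < 0x10000) nop += nop;")
    js_stream = zlib.compress(js)
    swf_stub = b"CWS\x0a" + b"\x00" * 16  # header magic only, not a playable SWF
    parts = [
        b"%PDF-1.6\n",
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n",
        b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n",
        b"3 0 obj << /Filter /FlateDecode /Length " + str(len(js_stream)).encode(),
        b" >>\nstream\n", js_stream, b"\nendstream\nendobj\n",
        b"4 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n",
        b"5 0 obj << /Length " + str(len(swf_stub)).encode(),
        b" >>\nstream\n", swf_stub, b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for key, value in scan_pdf_bytes(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `scan_pdf_file(path)`. Inflating every stream matters: the spray loop and the `%u5858` run in the sample are invisible in the raw bytes and only appear once the FlateDecode stream is decompressed, which is also why naive string greps over a PDF miss this kind of payload.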

The shellcode drops files into the %temp% directory:
~.exe, ~temp.bat, and a PDF with the same name as the original PDF.

The dropped files are located here.
The password is "infected".
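As an added example (not from the original post), the dropped-file names above can be turned into a quick host triage: look for ~.exe and ~temp.bat in the user's temp directory, hash what is found, and flag any PDF written within a few minutes of them as a possible decoy copy of the original document. The five-minute window, the sample directory contents and the file contents are assumptions made for this example; only the two file names come from the post.

```python
"""Host-side triage for the dropped-file indicators the post lists: ~.exe and
~temp.bat in %TEMP%, plus a decoy PDF written alongside them. Added example;
the time window and the sample files are assumptions made here."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

DROPPED_NAMES = {"~.exe", "~temp.bat"}   # file names from the post
DECOY_WINDOW_SECONDS = 300               # assumed: decoy PDF written close to the dropper


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "path": path,
        "size": st.st_size,
        "sha256": sha256_of(path),
        "mtime": st.st_mtime,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def triage_temp_dir(temp_dir=None):
    """Look for the dropped names in temp_dir (default: %TEMP%) and flag PDFs
    modified within DECOY_WINDOW_SECONDS of any hit as possible decoys."""
    temp_dir = temp_dir or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    dropped, pdfs = [], []
    try:
        names = os.listdir(temp_dir)
    except OSError:
        return {"dropped": [], "possible_decoy_pdfs": []}
    for name in names:
        path = os.path.join(temp_dir, name)
        if not os.path.isfile(path):
            continue
        if name.lower() in DROPPED_NAMES:
            dropped.append(describe(path))
        elif name.lower().endswith(".pdf"):
            pdfs.append(describe(path))
    decoys = [p for p in pdfs
              if any(abs(p["mtime"] - d["mtime"]) <= DECOY_WINDOW_SECONDS for d in dropped)]
    return {"dropped": sorted(dropped, key=lambda d: d["name"]),
            "possible_decoy_pdfs": sorted(decoys, key=lambda d: d["name"])}


def build_sample_dir():
    """Constructed sample: a scratch directory with the post's file names, a
    decoy PDF and an unrelated file. Contents are placeholders, not the real
    dropped files."""
    d = tempfile.mkdtemp(prefix="cve-2010-3654-triage-")
    samples = {
        "~.exe": b"MZ" + b"\x00" * 64,
        "~temp.bat": b"@echo off\r\n",
        "invoice.pdf": b"%PDF-1.4\n%%EOF\n",
        "notes.txt": b"unrelated",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    report = triage_temp_dir(build_sample_dir())
    for hit in report["dropped"]:
        print("dropped:", hit["path"], hit["sha256"])
    for pdf in report["possible_decoy_pdfs"]:
        print("possible decoy:", pdf["path"])
```

Call `triage_temp_dir()` with no argument to check the current user's %TEMP%; the hashes in the report are what you would compare against a known-bad list or submit for analysis, and the mtime correlation is what ties a harmless-looking PDF in temp back to the dropper.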

to be continued ...


  1. Does disabling JavaScript mitigate this?

  2. What did you use to decompile the swf? The output looks much cleaner than swfdump. I'm just guessing but did you convert the swf to a fla then use a tool to decompile the fla file rather than a swf?

  3. To AmazonOps: no, disabling JavaScript doesn't help to prevent the vulnerability; you should delete Flash Player and authplay.dll.
    Look at the Adobe advisory.

  4. To Alexander Hanel:
    I use Flash Decompiler Trillix.

  5. Thanks for this informative post! I really appreciated it :)
