Thursday, October 28, 2010

New Adobe 0day (bug in flash player),CVE-2010-3654

New bug, successful exploitation of latest adobe reader and flash player

Remotely exploitable.

Adobe confirms exploit

Bug exist in authplay.dll

Already vulnerability actively exploited in the wild against Adobe Reader.
Look at Mila's Blog:

Exploit from the wild successful works under Adobe Reader 9.4.0 on windows xp.
pdf size 241,679 bytes.

Swf file size -22,946 bytes.

swf decompiled looks like

this is curvedPolygon.
possibly related to

Exploit use js heap spray

source code of heap spray
nop slide 0x58585858
exploit feel memory as showed in image

Exploit use ROP technic to allocate memory end copy shellcode.

shellcode drops in %temp% directory
~.exe , ~temp.bat, pdf named same as pdf.

dropped files are located here
Password is "infected" .

to be continued ...


  1. Does disabling JavaScript mitigate this?

  2. What did you use to decompile the swf? The output looks much cleaner than swfdump. I'm just guessing but did you convert the swf to a fla then use a tool to decompile the fla file rather than a swf?

  3. to AmazonOps: no disabling JavaScript didn't help to prevent vulnerability, you should delete flash player and authplay.dll.
    Look at adobe advisory.

  4. to Alexander Hanel:
    I use Flash Decompiler Trilix.