Tuesday, March 15, 2011

CVE-2011-0609 - Adobe Flash Player ZeroDay

The first information about the new zero-day in Adobe Flash Player was published on 03/11/2011 at

Three days later Adobe confirmed the bug and released an advisory (APSA11-01).

Filename: crsenvironscan.xls
Size: 126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2

My analysis of crsenvironscan.xls
There is no vulnerability in MS Office itself; the vulnerability is in the embedded SWF, as described below.

1) There is an embedded SWF
(target file name f:\sm.swf)

This SWF performs the heap spray and then loads a second SWF.

It allocates memory and fills it with the NOP slide 0x14141414,

then loads the second SWF.

2) The second SWF contains the bug.

The file was possibly created using a fuzzer from

It looks like bugs exist when Flash Player attempts to parse the SWF file:
Unknown opcode 152.
Unknown opcode 84.
(A detailed analysis will be provided soon.)
3) Shellcode
This is embedded-exec shellcode, not encrypted.
Decompiled shellcode:
The shellcode searches memory for the exe lying between the marker
       cmp     dword ptr [eax], 47422E43h
       cmp     dword ptr [eax+4], 19890604h
(hex bytes "432e424704068919") and the marker
       cmp     dword ptr [eax], 4B635546h
       cmp     dword ptr [eax+4], 19820424h
(hex bytes "4655634b24048219").

Viewed as bytes, these look to me like a string followed by a date:

C.BG  1989/06/04    -  may refer to 1989-06-04, Tiananmen, Beijing, China

FucK 1982/04/24    - ?

If you have any ideas, post them in the comments.

The encryption of the exe is interesting.
The first 4 bytes of the exe header are written by the shellcode,
then the encrypted data is decrypted using this routine,
where eax is the size of the exe:
decrypt:
       xor     [ebx], al
       inc     ebx
       dec     eax
       inc     ebx
       dec     eax
       cmp     eax, 0
       jmp     decrypt
So every second byte is XORed with the low byte of the remaining count, and the key changes as the loop walks the buffer.
This is the first time I have seen such encryption in exploits found in the wild.
It is used to bypass scanners that search for the exe header.
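To make the marker search and the decryption loop concrete, here is an added C example (my own code, not the shellcode and not anything from the sample) that carves the blob between the two markers out of a buffer and reverses the XOR loop. Several things are assumptions rather than facts from the listing: the loop's `cmp eax, 0` is followed by a `jnz` (an unconditional `jmp` would never terminate), the 4 header bytes the shellcode writes back are `MZ 90 00`, the stored blob has those 4 bytes blanked and the XOR counter covers the bytes after them, and the 32-byte "executable" is a constructed stand-in.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Dwords exactly as the shellcode compares them (x86 little-endian). */
#define START0 0x47422E43u   /* bytes 43 2E 42 47 = "C.BG" */
#define START1 0x19890604u   /* bytes 04 06 89 19 */
#define END0   0x4B635546u   /* bytes 46 55 63 4B = "FucK" */
#define END1   0x19820424u   /* bytes 24 04 82 19 */

/* Assumed header bytes the shellcode writes back; the page does not list them. */
static const uint8_t DOS_HDR[4] = { 'M', 'Z', 0x90, 0x00 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Byte-aligned scan for two consecutive dwords, as cmp [eax] / cmp [eax+4] does. */
long find_marker(const uint8_t *buf, size_t len, size_t from, uint32_t m0, uint32_t m1)
{
    for (size_t i = from; i + 8 <= len; i++)
        if (rd32(buf + i) == m0 && rd32(buf + i + 4) == m1)
            return (long)i;
    return -1;
}

/* The loop from the listing: every second byte is XORed with al, the low byte of
 * the shrinking counter. The listing's jmp after cmp eax, 0 only terminates as a
 * jnz (assumed). eax drops by 2, so an odd count would never reach zero and the
 * real code would walk off the buffer; refused here. XOR is its own inverse. */
int xor_counter(uint8_t *p, uint32_t count)
{
    if (count == 0 || (count & 1))
        return -1;
    uint32_t eax = count;
    do {
        *p ^= (uint8_t)eax;   /* xor [ebx], al */
        p += 2;               /* inc ebx ; inc ebx */
        eax -= 2;             /* dec eax ; dec eax */
    } while (eax != 0);       /* cmp eax, 0 ; jnz decrypt */
    return 0;
}

/* Carve the blob between the markers, restore the header, decrypt the rest.
 * Assumed layout: 4 header bytes blank in the stored blob, counter over the rest. */
long extract_payload(const uint8_t *file, size_t len, uint8_t *out, size_t outcap)
{
    long s = find_marker(file, len, 0, START0, START1);
    long e = s < 0 ? -1 : find_marker(file, len, (size_t)s + 8, END0, END1);
    if (e < 0) return -1;
    size_t n = (size_t)(e - s - 8);
    if (n <= 4 || n > outcap) return -1;
    memcpy(out, file + s + 8, n);
    memcpy(out, DOS_HDR, 4);
    return xor_counter(out + 4, (uint32_t)(n - 4)) == 0 ? (long)n : -1;
}

/* Constructed sample: a fake 32-byte "executable" stored the way the dropper
 * keeps it (header blanked, body XORed, markers around it, junk outside). */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t start[8] = { 0x43,0x2E,0x42,0x47, 0x04,0x06,0x89,0x19 };
    static const uint8_t end[8]   = { 0x46,0x55,0x63,0x4B, 0x24,0x04,0x82,0x19 };
    uint8_t exe[32]; size_t n = 0;
    if (cap < 8 + 8 + sizeof exe + 8 + 8) return 0;
    memset(exe, 0x41, sizeof exe);                        /* filler body */
    memcpy(exe, DOS_HDR, 4);
    memcpy(exe + 8, "PE\0\0", 4);
    memset(buf + n, 0x90, 8); n += 8;                     /* leading junk */
    memcpy(buf + n, start, 8); n += 8;
    memset(buf + n, 0, 4);                                /* header blanked */
    memcpy(buf + n + 4, exe + 4, sizeof exe - 4);
    xor_counter(buf + n + 4, (uint32_t)(sizeof exe - 4)); /* encrypt body */
    n += sizeof exe;
    memcpy(buf + n, end, 8); n += 8;
    memset(buf + n, 0x90, 8); n += 8;                     /* trailing junk */
    return n;
}

/* Round trip: 1 when the stored form shows no bare "MZ" and the original bytes come back. */
int demo(void)
{
    uint8_t file[128], out[64];
    size_t len = build_sample(file, sizeof file);
    for (size_t i = 0; len && i + 1 < len; i++)
        if (file[i] == 'M' && file[i + 1] == 'Z') return 0;
    long n = len ? extract_payload(file, len, out, sizeof out) : -1;
    if (n != 32 || memcmp(out, DOS_HDR, 4) || memcmp(out + 8, "PE\0\0", 4)) return 0;
    for (int i = 12; i < 32; i++)
        if (out[i] != 0x41) return 0;
    return 1;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "payload recovered" : "extraction failed");
    return !ok;
}
```

Because XOR with the same counter is its own inverse, `build_sample` uses `xor_counter` to encrypt, and `demo` first confirms that the stored blob contains no `MZ` anywhere, which is exactly what a header-matching scanner would miss, before recovering the original bytes. Against the real xls, read the file into the buffer and call `extract_payload`; the marker search is byte-aligned like the shellcode's, so it does not depend on the OLE container structure.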
4) Exe
Size: 46,048 bytes
MD5: 1e09970c9bf2ca08ee48f8b2e24f6c44
Download payload file a.exe
Password: infected. VirusTotal: 0/43

PEiD identifies it as InstallShield AFW [CAB SFX]

Sample download link
Password: infected

Other samples are available from Mila Parkour's site:


  1. http://www.savetibet.org/policy-center/chronology-tibetan-chinese-relations-1979-2008

    April 24, 1982 - A high level Tibetan delegation arrives in Beijing to hold exploratory talks with Chinese officials. The delegation, composed of P.T. Taklha, Juchen Thubten Namgyal and Lodi Gyari, made no substantive headway.

  2. April 24, 1982 - Initial release and review date of "Chan is Missing", the first movie to be released in the United States about Chinese Americans living in Chinatown, San Francisco (Director Wayne Wang). Haven't seen it but reviews suggest it is offensive to some.

  3. from twitter:
    yuange1975 Yuange
    @villys777 19820424 is the birthday of my friend. btw, shellcode contains an error where jnz should be jmp after free-ing a heap.

  4. crsenvironscan.xls download link?

  5. samples download link, will be provided after adobe patch.

  6. Dear Villay, I tried to execute the above sample (CVE 2010-0609) but it is not working