Tuesday, April 12, 2011

CVE-2011-0611 Adobe Flash Zero Day embedded in DOC

Information about the new zero day in Adobe Flash Player:
http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
http://www.adobe.com/support/security/advisories/apsa11-02.html

Filename: Disentangling Industrial Policy and Competition Policy.doc
Size: 176,144 bytes


My analysis of Disentangling Industrial Policy and Competition Policy.doc
 
File created 04-Apr-2011 9:50 by user "7", company "hust" (from the document metadata).

There is no vulnerability in MS Office itself here; the vulnerability is in the embedded SWF, as described below.


Embedded SWF file (local name d:\513.swf)
Size: 10,421 bytes
Decoded ActionScript:


This is a heap spray: it allocates memory filled with the NOP-slide value 0x11111111 and then loads a second SWF file. The value does double duty, as is usual for this kind of spray: as data it is a pointer back into the sprayed region, and as code the byte pair 11 11 decodes on x86 to adc [ecx], edx, which only works as a slide if ecx points at writable memory.

Second SWF
Size: 1,484 bytes


SWFTools>swfdump.exe -D 1.swf
[HEADER]        File version: 10
[HEADER]        File size: 1484
[HEADER]        Frame rate: 24.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[00c]      1447 DOACTION
GetU8() out of bounds: TagID = 12

flasm16win>flasm.exe -d 1.swf
movie '1.swf' // flash 10, total frames: 1, frame rate: 24 fps, 550x400 px
frame 0
00000000    push FALSE, 326943637, 326943739
0000000F    oldEquals
00000010    not
00000011    branchIfTrue label2 // offset 1100
00000016    branchIfTrue label1 // offset 24
0000001B    constants 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I'  Declared constant pool length 21 differs from calculated length 20

Disassembly may be incomplete: wrong action length encountered
          end // of frame 0
end
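As an added example, not code from the original post or from SWFTools/flasm: a small Python walker for the SWF format that reproduces the two checks the tools above stumbled on, an action whose declared length runs past the end of the DoAction tag (swfdump's "GetU8() out of bounds") and an ActionConstantPool whose declared length does not match its u16 count plus NUL-terminated strings (flasm's "Declared constant pool length 21 differs from calculated length 20"). The two SWFs it analyses are constructed inline (CLEAN_SWF and BAD_SWF); they are not 1.swf, and the push values are copied from the flasm listing only so that the action offsets line up with it.

```python
# Added example, not from the original post: SWF tag walker with the DoAction checks swfdump/flasm hit above.
import struct

TAG_END, TAG_SHOWFRAME, TAG_DOACTION, TAG_FILEATTRIBUTES = 0, 1, 12, 69
ACT_END, ACT_EQUALS, ACT_NOT, ACT_CONSTANTPOOL, ACT_PUSH, ACT_IF = 0x00, 0x0E, 0x12, 0x88, 0x96, 0x9D

def _tag(code, body):
    """RECORDHEADER: tag code in the top 10 bits, length in the low 6 (0x3F means a u32 length follows)."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body

def _action(code, data=b""):
    """Action codes >= 0x80 carry a u16 length and payload; lower codes are a single byte."""
    return bytes([code]) + (struct.pack("<H", len(data)) + data if code >= 0x80 else b"")

def _push(*values):
    """ActionPush payload: type 5 = boolean (u8), type 7 = 32-bit integer (u32 LE)."""
    return _action(ACT_PUSH, b"".join(b"\x05" + bytes([v]) if isinstance(v, bool)
                                      else b"\x07" + struct.pack("<I", v) for v in values))

def _constant_pool(strings, slack=0):
    """ActionConstantPool: u16 count + NUL-terminated strings; slack appends bytes no string uses."""
    data = struct.pack("<H", len(strings)) + b"".join(s.encode() + b"\x00" for s in strings)
    return _action(ACT_CONSTANTPOOL, data + b"\x00" * slack)

def build_swf(tags, version=10, fps=24.0, frames=1, width_px=550, height_px=400):
    """Uncompressed FWS: signature, version, u32 file size, RECT with 15-bit fields, 8.8 fps, frame count."""
    rect = (15 << 60) | (width_px * 20 << 30) | (height_px * 20)        # Nbits | xmin | xmax | ymin | ymax
    body = (rect << 7).to_bytes(9, "big") + struct.pack("<HH", int(fps * 256), frames) + b"".join(tags)
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body

def check_constant_pool(offset, declared, data):
    """flasm's check: the u16 count plus its NUL-terminated strings must add up to the declared length."""
    count = struct.unpack_from("<H", data, 0)[0] if len(data) >= 2 else 0
    pos = 2
    for i in range(count):
        end = data.find(b"\x00", pos)
        if end < 0:
            return [f"constant pool at {offset}: string {i} runs past the end of the action"]
        pos = end + 1
    return [] if pos == declared else [f"constant pool at {offset}: declared length {declared} differs from calculated length {pos}"]

def walk_actions(body):
    """Disassemble a DoAction body into (offset, code, data); flag actions whose length overruns it."""
    actions, warnings, pos = [], [], 0
    while pos < len(body):
        start, code, pos, length = pos, body[pos], pos + 1, 0
        if code >= 0x80:
            if pos + 2 > len(body):
                warnings.append(f"action 0x{code:02x} at {start}: truncated length field")
                break
            length, pos = struct.unpack_from("<H", body, pos)[0], pos + 2
        declared = length
        if pos + length > len(body):                       # swfdump's "GetU8() out of bounds"
            warnings.append(f"action 0x{code:02x} at {start}: declared length {length} runs "
                            f"{pos + length - len(body)} byte(s) past the end of DoAction")
            length = len(body) - pos
        data, pos = body[pos:pos + length], pos + length
        actions.append((start, code, data))
        if code == ACT_CONSTANTPOOL:
            warnings += check_constant_pool(start, declared, data)
        if code == ACT_END:
            break
    return actions, warnings

def parse_swf(data):
    """Header fields and (code, body) tags of an FWS file; warns when a tag's declared length overruns it."""
    warnings, nbits = [], data[8] >> 3
    pos = 8 + (5 + 4 * nbits + 7) // 8                      # skip the byte-padded RECT
    fps, frames = struct.unpack_from("<HH", data, pos)
    pos, tags = pos + 4, []
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        if pos + length > len(data):
            warnings.append(f"tag {code} at {pos}: declared length {length} exceeds the {len(data) - pos} bytes left")
            length = len(data) - pos
        tags.append((code, data[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return {"version": data[3], "fps": fps / 256, "frames": frames, "tags": tags, "warnings": warnings}

def analyze(data):
    """parse_swf plus walk_actions over every DoAction tag, all warnings in one list."""
    info = parse_swf(data)
    info["actions"] = []
    for code, body in info["tags"]:
        if code == TAG_DOACTION:
            actions, warnings = walk_actions(body)
            info["actions"].append(actions)
            info["warnings"] += warnings
    return info

# Constructed samples, not the real 1.swf. CLEAN_SWF is well formed; BAD_SWF hides one slack byte in
# its constant pool (declared 9, calculated 8) and ends with a branch claiming 2 bytes where 1 is left.
_PROLOGUE = _push(False, 326943637, 326943739) + _action(ACT_EQUALS) + _action(ACT_NOT)
_TRAILER = [_tag(TAG_SHOWFRAME, b""), _tag(TAG_END, b"")]
CLEAN_SWF = build_swf([_tag(TAG_FILEATTRIBUTES, b"\x00" * 4),
                       _tag(TAG_DOACTION, _PROLOGUE + _constant_pool(["A", "B", "C"]) + _action(ACT_END))] + _TRAILER)
BAD_SWF = build_swf([_tag(TAG_FILEATTRIBUTES, b"\x00" * 4),
                     _tag(TAG_DOACTION, _PROLOGUE + _constant_pool(["A", "B", "C"], slack=1)
                          + bytes([ACT_IF]) + struct.pack("<H", 2) + b"\x4c")] + _TRAILER)
```

On a real uncompressed file this is analyze(open(path, "rb").read()); a CWS file must have everything after byte 8 zlib-decompressed first, which the walker deliberately leaves out. Both tools above stop at the first inconsistency; the walker clips the overrunning action and keeps going, so the remaining contents of the tag are still listed.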

The crash is in the Adobe Flash Player plugin.
In my test, NPSWF32.dll (10.2.153.1)
crashed at location 0x100cfc03.


This is possibly related to a tweet by Yuange:

call [0x11111110+0x08]

To be continued...
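The heap spray described above and the call [0x11111110+0x08] from the tweet, modelled together as an added example that is not the sample's ActionScript or any code from the original post. The heap base (0x11000000), the block size (64 KiB), the block count and the 16-byte payload marker are assumptions chosen so that the model's spray covers 0x11111111; the sample's real allocation sizes are not known from this page.

```python
# Added example, not from the original post: a model of a heap spray of 0x11111111 and of the
# "call [0x11111110+0x08]" from the tweet. Heap base, block size/count and payload are assumptions.
import struct

SPRAY_VALUE = 0x11111111
SLIDE_BYTE = SPRAY_VALUE & 0xFF          # every byte of the sprayed dword is 0x11
PAYLOAD = b"\xcc" * 16                   # stand-in for the shellcode at the end of each sprayed block


class SprayedHeap:
    """Flat model of a heap whose blocks are each a slide of 0x11111111 followed by PAYLOAD."""

    def __init__(self, heap_base, block_size, block_count):
        slide = struct.pack("<I", SPRAY_VALUE) * ((block_size - len(PAYLOAD)) // 4)
        self.base, self.block_size = heap_base, len(slide) + len(PAYLOAD)
        self.mem = bytearray((slide + PAYLOAD) * block_count)

    def covers(self, addr, size=4):
        """True when [addr, addr + size) lies inside the sprayed region."""
        return self.base <= addr and addr + size <= self.base + len(self.mem)

    def read_u32(self, addr):
        """A dword read; outside the spray the real process faults, modelled here as MemoryError."""
        if not self.covers(addr):
            raise MemoryError(f"read at 0x{addr:08x}: not sprayed, would fault")
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]

    def slide_to_payload(self, addr):
        """Number of slide bytes between addr and the payload. On x86 the byte pair 11 11 decodes to
        adc [ecx], edx, so any entry point, dword-aligned or not, walks the slide in 2-byte steps;
        the model only assumes ecx points at writable memory."""
        if not self.covers(addr, 1):
            raise MemoryError(f"execute at 0x{addr:08x}: not sprayed, would fault")
        off = start = addr - self.base
        while self.mem[off] == SLIDE_BYTE:
            off += 1
        if self.mem[off:off + len(PAYLOAD)] != PAYLOAD:
            raise MemoryError(f"slide from 0x{addr:08x} did not end at the payload")
        return off - start


def resolve_call(heap, vtable_ptr, slot):
    """Model call [vtable_ptr + slot]: the fetched pointer is itself sprayed data, so it points
    back into the spray; return (target address, slide bytes walked before the payload)."""
    target = heap.read_u32(vtable_ptr + slot)
    return target, heap.slide_to_payload(target)


# Assumed layout: 32 blocks of 64 KiB from 0x11000000 cover 0x11000000-0x111fffff, so both the
# vtable slot at 0x11111118 and the fetched target 0x11111111 land in sprayed memory.
FULL_SPRAY = SprayedHeap(0x11000000, 0x10000, 32)
SHORT_SPRAY = SprayedHeap(0x11000000, 0x10000, 8)     # stops at 0x1107ffff: the same call faults


def demo():
    """The tweet's call against both heaps; returns (target, slide length) or the fault message."""
    results = {}
    for name, heap in (("full", FULL_SPRAY), ("short", SHORT_SPRAY)):
        try:
            results[name] = resolve_call(heap, 0x11111110, 0x08)
        except MemoryError as exc:
            results[name] = str(exc)
    return results
```

What the model shows is the self-referential property of the spray: every dword of a region filled with 0x11111111 is a pointer back into that region, so the call reads its function pointer from 0x11111118, gets 0x11111111, and execution lands on 0x11 bytes regardless of alignment. If the spray falls short of that address, as in SHORT_SPRAY, the same read is a fault rather than a redirect, which is the first thing to check when a sample crashes instead of running.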

2 comments:

  1. I am trying this code, but sorry, it didn't work. Can you give me a solution for this? Thanks for it.

  2. Hi,
    Can you give me a solution for this? I loved all of these posts. A lot of these things we have, but I got some really great ideas.