http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
http://www.adobe.com/support/security/advisories/apsa11-02.html
Filename: Disentangling Industrial Policy and Competition Policy.doc
Size:176,144 bytes
My analysis of Disentangling Industrial Policy and Competition Policy.doc
File created 04-Apr-2011 9:50 , by user 7 , and company hust
There are no vulnerabilities in MS Office, there is a vulnerability in embeded swf as was described below.
embeded swf file(local name d:\513.swf)
size 10,421 bytes
decoded action script
this is heap spray, allocate memory with nop slide=0x11111111.
and load second swf file.
second swf
size 1,484 bytes
SWFTools>swfdump.exe -D 1.swf
[HEADER] File version: 10
[HEADER] File size: 1484
[HEADER] Frame rate: 24.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 550.00
[HEADER] Movie height: 400.00
[045] 4 FILEATTRIBUTES
[00c] 1447 DOACTION
GetU8() out of bounds: TagID = 12
flasm16win>flasm.exe -d 1.swf
movie '1.swf' // flash 10, total frames: 1, frame rate: 24 fps, 550x400 px
frame 0
00000000 push FALSE, 326943637, 326943739
0000000F oldEquals
00000010 not
00000011 branchIfTrue label2 // offset 1100
00000016 branchIfTrue label1 // offset 24
0000001B constants 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I' Declared constant pool length 21 differs from calculated length 20
Disassembly may be incomplete: wrong action length encountered
end // of frame 0
end
crash exist in Adobe Flash Player plugin .
in my test NPSWF32.dll (10.2.153.1)
crash at location 100cfc03
this possibly related to tweet :
call [0x11111110+0x08]
to be continue ...
I am trying this code, but sorry it's didn't work. Can you give me solution for this. Thanks for it.
ReplyDeleteHI,
ReplyDeleteCan you give me solution for this.I loved all of these posts. A lot of these things we have, but I got some really great ideas.