Adobe Flash Player 11,5,502,135 memory corruption



EKU-ID: 2892 CVE: OSVDB-ID:
Author: coolkaveh Published: 2012-12-18 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Title    :  Adobe Flash Player 11,5,502,135 memory corruption
Version  :  11,5,502,135
Date     :  2012-12-17
Vendor   :  http://www.adobe.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Internet Explorer 8 Windows 7 
Author   :  coolkaveh
###########################################################################################################
Bug :
The vulnerability cause a Memory corruption via a specially
crafted Flv files.
Successful exploits can allow attackers to execute arbitrary code
###########################################################################################################
900.c80): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c
eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf:
01953095 0fbf1456        movsx   edx,word ptr [esi+edx*2] ds:0023:0322fffe=????
 
Exception Faulting Address: 0x322fffe
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
 
Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2]
 
Basic Block:
 
01953095 movsx edx,word ptr [esi+edx*2]
Tainted Input Operands: edx, esi
01953099 inc eax
0195309a cmp dword ptr [ebp-0ch],1
0195309e mov dword ptr [ebp+ecx*4-110h],edx
Tainted Input Operands: edx
019530a5 mov dword ptr [ebp+8],eax
019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d)
 
Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c
 
Stack Trace:
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf
Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7
Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7
Flash32_11_5_502_135!DllUnregisterServer+0x22ceca
Flash32_11_5_502_135+0x19f324
Flash32_11_5_502_135+0x19f36a
Flash32_11_5_502_135+0x19fd15
Flash32_11_5_502_135!DllUnregisterServer+0x48ff3
Flash32_11_5_502_135!DllUnregisterServer+0x49072
Instruction Address: 0x0000000001953095
 
###########################################################################################################
Proof of concept included.
 
http://www48.zippyshare.com/v/64875465/file.html