Title : Adobe Flash Player 11,5,502,135 memory corruption Version : 11,5,502,135 Date : 2012-12-17 Vendor : http://www.adobe.com/ Impact : High Contact : coolkaveh [at] rocketmail.com Twitter : @coolkaveh tested : Internet Explorer 8 Windows 7 Author : coolkaveh ############################################### Bug : The vulnerability cause a Memory corruption via a specially crafted Flv files. Successful exploits can allow attackers to execute arbitrary code ############################################### 900.c80): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246 Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf: 01953095 0fbf1456 movsx edx,word ptr [esi+edx*2] ds:0023:0322fffe=???? Exception Faulting Address: 0x322fffe Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2] Basic Block: 01953095 movsx edx,word ptr [esi+edx*2] Tainted Input Operands: edx, esi 01953099 inc eax 0195309a cmp dword ptr [ebp-0ch],1 0195309e mov dword ptr [ebp+ecx*4-110h],edx Tainted Input Operands: edx 019530a5 mov dword ptr [ebp+8],eax 019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d) Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c Stack Trace: Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7 Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7 Flash32_11_5_502_135!DllUnregisterServer+0x22ceca Flash32_11_5_502_135+0x19f324 Flash32_11_5_502_135+0x19f36a Flash32_11_5_502_135+0x19fd15 Flash32_11_5_502_135!DllUnregisterServer+0x48ff3 Flash32_11_5_502_135!DllUnregisterServer+0x49072 Instruction Address: 0x0000000001953095 ############################################### Proof of concept included. http://www48.zippyshare.com/v/64875465/file.html