Title : Adobe Flash Player 11,5,502,135 memory corruption
Version : 11,5,502,135
Date : 2012-12-17
Vendor : http://www.adobe.com/
Impact : High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : Internet Explorer 8 Windows 7
Author : coolkaveh
###############################################
Bug :
The vulnerability cause a Memory corruption via a specially
crafted Flv files.
Successful exploits can allow attackers to execute arbitrary code
###############################################
900.c80): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c
eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf:
01953095 0fbf1456 movsx edx,word ptr [esi+edx*2] ds:0023:0322fffe=????
Exception Faulting Address: 0x322fffe
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2]
Basic Block:
01953095 movsx edx,word ptr [esi+edx*2]
Tainted Input Operands: edx, esi
01953099 inc eax
0195309a cmp dword ptr [ebp-0ch],1
0195309e mov dword ptr [ebp+ecx*4-110h],edx
Tainted Input Operands: edx
019530a5 mov dword ptr [ebp+8],eax
019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d)
Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c
Stack Trace:
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf
Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7
Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7
Flash32_11_5_502_135!DllUnregisterServer+0x22ceca
Flash32_11_5_502_135+0x19f324
Flash32_11_5_502_135+0x19f36a
Flash32_11_5_502_135+0x19fd15
Flash32_11_5_502_135!DllUnregisterServer+0x48ff3
Flash32_11_5_502_135!DllUnregisterServer+0x49072
Instruction Address: 0x0000000001953095
###############################################
Proof of concept included.
http://www48.zippyshare.com/v/64875465/file.html