Adobe Flash Player 11.5.502.135 - Crash (PoC)

EDB-ID:

23469

CVE:


Author:

coolkaveh

Type:

dos

Platform:

Windows

Published:

2012-12-18

Title    :  Adobe Flash Player 11,5,502,135 memory corruption
Version  :  11,5,502,135
Date     :  2012-12-17
Vendor   :  http://www.adobe.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Internet Explorer 8 Windows 7 
Author   :  coolkaveh
###########################################################################################################
Bug :
The vulnerability cause a Memory corruption via a specially
crafted Flv files.
Successful exploits can allow attackers to execute arbitrary code
###########################################################################################################
900.c80): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=02fefd38 ecx=00000000 edx=ffffffff esi=03230000 edi=02fefd3c
eip=01953095 esp=02fefc2c ebp=02fefd48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf:
01953095 0fbf1456        movsx   edx,word ptr [esi+edx*2] ds:0023:0322fffe=????

Exception Faulting Address: 0x322fffe
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Faulting Instruction:01953095 movsx edx,word ptr [esi+edx*2]

Basic Block:

    01953095 movsx edx,word ptr [esi+edx*2]
       Tainted Input Operands: edx, esi
    01953099 inc eax
    0195309a cmp dword ptr [ebp-0ch],1
    0195309e mov dword ptr [ebp+ecx*4-110h],edx
       Tainted Input Operands: edx
    019530a5 mov dword ptr [ebp+8],eax
    019530a8 jne flash32_11_5_502_135!dllunregisterserver+0x22d887 (0195305d)

Exception Hash (Major/Minor): 0x1e0f6a3f.0x1e0f6a1c

Stack Trace:
Flash32_11_5_502_135!DllUnregisterServer+0x22d8bf
Flash32_11_5_502_135!DllUnregisterServer+0x22c4e7
Flash32_11_5_502_135!DllUnregisterServer+0x22c8e7
Flash32_11_5_502_135!DllUnregisterServer+0x22ceca
Flash32_11_5_502_135+0x19f324
Flash32_11_5_502_135+0x19f36a
Flash32_11_5_502_135+0x19fd15
Flash32_11_5_502_135!DllUnregisterServer+0x48ff3
Flash32_11_5_502_135!DllUnregisterServer+0x49072
Instruction Address: 0x0000000001953095

###########################################################################################################
Proof of concept included.

http://www48.zippyshare.com/v/64875465/file.html
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/23469.rar