Flash crash caused by bad P-Code modification (CVE-2010-1297)
After analyzing the PDF sample (which is still being exploited in the wild), we extracted the embedded Flash file, "pad.swf". This file appears to be a modified copy of http://lostinactionscript.googlecode.com/svn/trunk/bin/AES-PHP.swf.
A byte-by-byte comparison of the two files (shown below) reveals the difference:
Original AES-PHP.swf: 0x66
Exploit pad.swf: 0x40
Surprisingly, only one byte has been changed. That single change makes the Flash ActionScript VM execute a newfunction opcode where the original file did not, which corrupts the internal ActionScript engine stack.
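The comparison described above can be reproduced with a small script. The following Python is an added example, not the author's tool and not part of the original post: it inflates a compressed (CWS) SWF to its plain FWS form so that both files are compared in the same layout, then reports every differing byte offset. The SWF bodies, the container builder and the single changed byte are constructed sample data; the real offset of the modified byte in pad.swf is not given on the page.

```python
import zlib


def inflate_swf(data: bytes) -> bytes:
    """Return the SWF with its body decompressed (CWS -> FWS); FWS passes through.

    SWF header: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length. For CWS the rest of the file is a zlib stream.
    """
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        body = zlib.decompress(data[8:])
        return b"FWS" + data[3:8] + body
    raise ValueError("unsupported SWF signature: %r" % sig)


def byte_diff(a: bytes, b: bytes):
    """Return a list of (offset, byte_in_a, byte_in_b) for every differing position.

    None marks positions past the end of the shorter input, so length
    differences are reported instead of silently truncated.
    """
    diffs = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            diffs.append((i, x, y))
    return diffs


def swf_diff(original: bytes, suspect: bytes):
    """Normalize both SWFs to FWS and diff them byte by byte."""
    return byte_diff(inflate_swf(original), inflate_swf(suspect))


def make_swf(body: bytes, compress: bool = False) -> bytes:
    """Wrap `body` in a minimal SWF container (constructed test data, not a real movie)."""
    header = bytes([10]) + (8 + len(body)).to_bytes(4, "little")  # version 10, total length
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


# Constructed sample bodies: the only difference is one byte, 0x66 in the
# original versus 0x40 in the modified copy, mirroring the page's finding.
ORIGINAL_BODY = b"\x00\x01\x02\x66\x03\x04"
MODIFIED_BODY = b"\x00\x01\x02\x40\x03\x04"


def demo():
    """Diff an uncompressed original against a compressed modified copy."""
    original = make_swf(ORIGINAL_BODY)
    suspect = make_swf(MODIFIED_BODY, compress=True)
    return swf_diff(original, suspect)


if __name__ == "__main__":
    for offset, x, y in demo():
        print("offset 0x%x: original=%s suspect=%s" % (offset, x, y))
```

Inflating before diffing matters in practice: a CWS copy of an otherwise identical file differs in almost every byte of the compressed stream, so a naive diff would hide the one meaningful change. Reported offsets refer to the inflated FWS layout, which is also the layout tools such as a SWF disassembler work with.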
Here is the problem in the JIT-compiled ActionScript code:
0736E2B1 8B 52 28 mov edx,dword ptr [edx+28h]
0736E2B4 83 E2 F8 and edx,0FFFFFFF8h
0736E2B7 89 55 B8 mov dword ptr [ebp-48h],edx
0736E2BA 8B 52 40 mov edx,dword ptr [edx+40h]
0736E2BD 89 55 B4 mov dword ptr [ebp-4Ch],edx
0736E2C0 8B 50 10 mov edx,dword ptr [eax+10h] <-- if the memory range 0x2xxxxxxx has been sprayed, eax points into it; however, in some cases eax differs between Flash versions.
0736E2C3 89 4D B0 mov dword ptr [ebp-50h],ecx
0736E2C6 8B 8A B8 02 00 00 mov ecx,dword ptr [edx+2B8h] <-- an invalid pointer here causes an access violation
0736E2CC 89 45 A4 mov dword ptr [ebp-5Ch],eax
0736E2CF 8B 55 B0 mov edx,dword ptr [ebp-50h]
0736E2D2 89 55 A8 mov dword ptr [ebp-58h],edx
0736E2D5 89 4D A0 mov dword ptr [ebp-60h],ecx
0736E2D8 8B 4D B4 mov ecx,dword ptr [ebp-4Ch]
0736E2DB 89 4D AC mov dword ptr [ebp-54h],ecx
0736E2DE 8D 4D A4 lea ecx,[ebp-5Ch]
0736E2E1 89 75 9C mov dword ptr [ebp-64h],esi
0736E2E4 8B F0 mov esi,eax
0736E2E6 89 75 98 mov dword ptr [ebp-68h],esi
0736E2E9 89 75 F8 mov dword ptr [ebp-8],esi
0736E2EC 89 4D B4 mov dword ptr [ebp-4Ch],ecx
0736E2EF 8B 4D A0 mov ecx,dword ptr [ebp-60h]
0736E2F2 FF 75 B4 push dword ptr [ebp-4Ch]
0736E2F5 6A 02 push 2
0736E2F7 51 push ecx
0736E2F8 FF 51 0C call dword ptr [ecx+0Ch]
There is a high possibility that Adobe will release a patch for the JIT engine soon.