This blog discusses our analysis of the recent Adobe Flash zero-day vulnerability. Trend Micro received a sample Shockwave Flash (.SWF) file that exploited this 0-day vulnerability. Since the original blog post was posted, we have been analyzing this sample to determine how the exploit works.
Let’s call the sample .SWF file exploit.swf. Quick analysis reveals that it contains ActionScript 3.0 tags. (ActionScript is a scripting language developed by Adobe, which is used in .SWF files.) This exploit will use ActionScript commands to spray shellcode into memory and load another .SWF file using the LoadBytes function of ActionScript 3.0.