As described by Guillaume Delugré, the broker process is at the heart of the exploit as it uses a memory page allocated via
VirtualAllocEx to store the overwritten code of system calls which have been redirected to the broker. Despite having ASLR, however, the memory address returned by
VirtualAllocEx is not randomised. This means that the Windows system function call will end up in a predictable, “nearly constant” location which the exploit can then access directly.
In a blog post, Delugré goes on to further detail, providing an interesting and informative account of the rest of the exploit’s path up to the execution of the code, which is injected via a specially crafted PDF file. The author also provides some proof-of-concept code and various scripts that helped him assemble the exploit.
- Bypassing ASLR and DEP on Adobe Reader X, blog post by Guillaume Delugré from Sogeti ESEC Lab.