<< /Type /XObject /Subtype /Image /Width 2550 /Height 3305 /BitsPerComponent 1
/ColorSpace /DeviceGray /Filter /JBIG2Decode/DecodeParms << /jbig2Globals 13 0 R >> /Length 10 0 R /Name /X >>
And the 5th byte into the stream (which is the segment header flag byte) were to have the 6th bit set indicating a large page association size:
00 00 00 01 40 00 00 33 33 33
Then the bytes shown as 00 33 33 33 above would be loaded by the following assembly in AcroRd32.dll (
ecx+0x1cpoints to our four bytes):
5d42d889 8b411c mov eax,dword ptr [ecx+1Ch]
5d42d88c 85c0 test eax,eax
5d42d88e 0f84ac020000 je AcroRd32_5cd80000!PDFLTerm+0x235ad0 (5d42db40)
5d42d894 8b4e10 mov ecx,dword ptr [esi+10h]
5d42d897 8d0480 lea eax,[eax+eax*4]
5d42d89a 834481ec01 add dword ptr [ecx+eax*4-14h],1 ds:0023:07d96648=????????
Oh, by the way, I forgot to mention. If you happen to open an explorer window, or a browser window, or anything at all that even has the ICON of the pdf file, you're owned.
Open Source Snort rules and SEU 203 will be up in a few with coverage. The clam sigs are called Exploit.PDF-26, Exploit.PDF-27, and Exploit.PDF-28