Adobe Reader X runs in a sandbox at a very restricted privilege level. That means a special broker process has to handle sensitive system calls on behalf of the sandboxed process and subject them to extensive checks.
However, a small design flaw allows attackers to invoke system calls directly, circumvent ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) and execute arbitrary code inside the sandboxed process.
The broker process is at the heart of the exploit: it uses a memory page allocated via VirtualAllocEx in the sandboxed process to store the original code of the system call stubs it has redirected to itself, said Guillaume Delugré, a researcher at Sogeti ESEC Lab. Although ASLR is enabled, the address returned by VirtualAllocEx is not randomized. The copied Windows system call code therefore ends up at a predictable, “nearly constant” location, which an exploit can reference directly without knowing where ntdll was loaded.
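The property the exploit relied on can be checked with a small probe. The following is an added example, not code from Delugré's post or from Adobe: as its first action the process allocates one anonymous page with a NULL base address (VirtualAlloc on Windows, the same allocator the broker used through VirtualAllocEx; an mmap fallback elsewhere so the probe also compiles on POSIX for contrast) and prints where it landed. Addresses from earlier runs can be passed on the command line, and the probe then reports whether every run hit the same page. What you see depends on the platform: Windows 7-era systems allocate bottom-up deterministically, which is what made the thunk page predictable, while later Windows releases added bottom-up randomization, and Linux with ASLR randomizes the mmap base. The constructed addresses in the comments are illustrative only.

```c
/* Added example (not from the original article or Delugré's post): probe whether a
 * NULL-base page allocation lands at the same address in every fresh process.
 * Build: cl probe.c / gcc probe.c -o probe. Assumption for the POSIX branch: a system
 * with ASLR, where the mmap base is randomized. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
/* One page, reserved and committed, no base address hint: the same call shape the
 * sandbox broker used (via VirtualAllocEx) to place its system call thunks. */
uintptr_t probe_allocation(void)
{
    void *p = VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    return (uintptr_t)p;                 /* 0 on failure */
}
#else
#include <sys/mman.h>
/* POSIX stand-in for the same experiment. */
uintptr_t probe_allocation(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? 0 : (uintptr_t)p;
}
#endif

/* Page-align an address; page granularity is enough for a "did it move" comparison. */
uintptr_t page_base(uintptr_t addr)
{
    return addr & ~(uintptr_t)0xFFF;
}

/* Return 1 if every address collected from n separate runs is on the same page.
 * That is exactly the condition under which an exploit can hard-code the address. */
int addresses_predictable(const uintptr_t *addrs, size_t n)
{
    if (n == 0)
        return 0;
    for (size_t i = 1; i < n; i++)
        if (page_base(addrs[i]) != page_base(addrs[0]))
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    uintptr_t addrs[64];
    size_t n = 0;

    /* Hex addresses printed by previous runs may be passed on the command line. */
    for (int i = 1; i < argc && n < 63; i++)
        addrs[n++] = (uintptr_t)strtoull(argv[i], NULL, 16);

    uintptr_t here = probe_allocation();
    if (here == 0) {
        fputs("allocation failed\n", stderr);
        return 1;
    }
    addrs[n++] = here;
    printf("this run: 0x%llx\n", (unsigned long long)here);

    if (n > 1)
        puts(addresses_predictable(addrs, n)
                 ? "PREDICTABLE: every run landed on the same page"
                 : "RANDOMIZED: the page moved between runs");
    return 0;
}
```

Run the probe once, then again with the printed address as an argument (`probe 0x10000`, for example), repeating a few times; a PREDICTABLE verdict across runs is the condition Delugré exploited, since code copied into such a page can be called by absolute address regardless of where ntdll or the executable were loaded. Keep in mind that the broker's allocation happened very early in an almost empty target process, so the real case was even more deterministic than any probe run inside a busier process.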
In a blog post, Delugré describes the rest of the exploit's path up to the execution of the code, which is injected via a specially crafted PDF file. He also provides proof-of-concept code and various scripts that helped him assemble the exploit.