A journey to CVE-2013-5330 exploit

Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (CVE-2013-5330). This vulnerability was addressed with a patch released by Adobe on November 12, 2013. On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable.

We had a chance to analyze how the attacks work and noted some interesting details from our investigation.

The malicious file has been distributed as a .swf file obfuscated with secureSWF, and has been designed as a "one-stop" attack. It contains the vulnerability's trigger, the heap spray and shellcode, and an encrypted PE file (see figure 1).

malicious .swf file

Figure 1: The malicious .swf file

This .swf exploit can be hosted on a web server and runs when the webpage is visited. When the .swf is loaded, the vulnerability is triggered. The .swf bypasses the memory-range validation and is able to read and write arbitrary locations. It builds a deliberately crafted VTABLE (figure 2) and uses it to pass control to a controlled location, which contains the "Shim" code (a small piece of code that runs before the shellcode is executed), as shown in figure 3.

Crafted VTABLE

Figure 2: Crafted VTABLE for control transfer

Shim code

Figure 3: The “Shim” code

The “Shim” code calls VirtualProtect() to make the shellcode memory area writable and executable. After the VirtualProtect() call, the control is passed to the shellcode. The shellcode is short and pithy – only 140 bytes (see figure 4).

Interestingly, the shellcode doesn't contain any code to resolve the API addresses. Instead, the API addresses are resolved by the ActionScript (see figure 5 – the placeholders for the API addresses are marked in red).

The shellcode simply drops a PE file (already decrypted by the .swf) to the %temp% directory and loads it with a LoadLibrary() call. The dropped PE file (SHA1: 05446C67FF8C0BAFFA969FC5CC4DD62EDCAD46F5) is detected as TrojanSpy:Win32/Lurk. The telemetry for this file is shown in figure 6.
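The control-transfer chain described above (corrupted vtable pointer, shim, placeholder-patched shellcode stage) as an added illustration in portable C; this is not code from the original post and not the exploit itself, and every name in it is hypothetical. It models the native payload as ordinary function pointers: the "arbitrary write" is a single assignment to the object's vtable pointer, the shim only logs the protection change it would make with VirtualProtect(), and the final stage keeps its two API addresses in slots that an external resolver must fill before it runs, which is why the stage itself needs no address-resolution code and fails closed if the slots are still placeholders.

```c
/* Added illustration, not from the original post and not the real exploit:
 * a C model of the chain  vtable hijack -> shim -> placeholder-patched stage.
 * All identifiers are hypothetical; the real sample runs native shellcode.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* A minimal "object" with a vtable pointer, as a C++ object carries. */
struct object;
struct vtable { void (*method)(struct object *self); };
struct object { const struct vtable *vt; int id; };

/* Stage log: one character per stage reached, so the order can be checked. */
static char stage_log[16];
static size_t stage_len;
static void log_stage(char c) {
    if (stage_len + 1 < sizeof stage_log) { stage_log[stage_len++] = c; stage_log[stage_len] = 0; }
}

static void legit_method(struct object *self) { (void)self; log_stage('L'); }
static const struct vtable legit_vtable = { legit_method };

/* Final stage: two API "slots" plus the data the stage needs. The slots hold
 * a placeholder until a resolver outside the stage patches them, mirroring
 * the ActionScript-filled placeholders in the sample. */
typedef int (*api_fn)(const char *arg);
static int api_placeholder(const char *arg) { (void)arg; return -1; } /* marker, never meant to run */
struct stage2 { api_fn api_slot[2]; const char *drop_path; };

/* Stand-ins for the two APIs the stage calls (drop file, then load it). */
static int fake_write_file(const char *p)   { (void)p; log_stage('W'); return 0; }
static int fake_load_library(const char *p) { (void)p; log_stage('X'); return 0; }

static struct stage2 payload;

/* The resolver's job (done by ActionScript in the sample): fill the slots. */
static void resolve_api_slots(struct stage2 *s) {
    s->api_slot[0] = fake_write_file;
    s->api_slot[1] = fake_load_library;
}

/* Returns -1 if any slot is still a placeholder: a stage with no resolver
 * of its own cannot run until somebody has patched the addresses in. */
static int run_stage2(struct stage2 *s) {
    for (int i = 0; i < 2; i++)
        if (s->api_slot[i] == api_placeholder) return -1;
    s->api_slot[0](s->drop_path);
    s->api_slot[1](s->drop_path);
    return 0;
}

/* The shim: first attacker-controlled code reached through the fake vtable.
 * The real one calls VirtualProtect() on the shellcode area; here 'P' only
 * records that the protection change would happen before stage 2 runs. */
static void shim(struct object *self) {
    (void)self;
    log_stage('S');
    log_stage('P');
    run_stage2(&payload);
}

/* Attacker-controlled vtable whose slot points at the shim. */
static const struct vtable fake_vtable = { shim };

/* Drives one virtual call; with hijack != 0 the vtable pointer is overwritten
 * first (the effect of the memory-range bypass). Returns the stage sequence. */
const char *simulate(int hijack) {
    struct object o = { &legit_vtable, 1 };
    stage_len = 0; stage_log[0] = 0;
    payload.api_slot[0] = payload.api_slot[1] = api_placeholder;
    payload.drop_path = "%temp%\\dropped.dll";   /* hypothetical path */
    if (hijack) {
        resolve_api_slots(&payload);   /* resolver runs before control transfer */
        o.vt = &fake_vtable;           /* the single overwritten pointer */
    }
    o.vt->method(&o);                  /* ordinary virtual call */
    return stage_log;
}

/* Shows the fail-closed case: the stage refuses to run on unpatched slots. */
int unresolved_stage_result(void) {
    struct stage2 s = { { api_placeholder, api_placeholder }, "unused" };
    return run_stage2(&s);
}

int main(void) {
    printf("benign call : %s\n", simulate(0));
    printf("hijacked    : %s\n", simulate(1));
    printf("unresolved  : %d\n", unresolved_stage_result());
    return 0;
}
```

The benign path logs only "L"; the hijacked path logs "SPWX", the order the post describes (shim, protection change, drop, load). Keeping the resolved addresses outside the stage is what lets the real shellcode stay at 140 bytes, and it also means the stage is useless on its own, which is worth remembering when carving it out of a sample for analysis.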


Figure 4: Short and sweet “shellcode”


Figure 5: The ActionScript used to generate the shellcode

TrojanSpy:Win32/Lurk infections

Figure 6: TrojanSpy:Win32/Lurk infected machines

We have received reports that an iframe loading this malicious .swf file has been injected into some clean or benign websites. Visiting these websites with an outdated version of Flash Player can lead to a compromise of the machine.

If you’re using Flash Player version 11.9.900.117 or earlier, you need to update your Flash Player now to be protected against these attacks.

Chun Feng

Comments (2)

  1. Bartosz Wójcik says:

    Pretty clean shellcode 🙂

  2. Matthew M says:

    Is it possible that this is how I received an initial massive take over of the OS? Something exploited Java and Flash to put itself in 0x00000010 as a "CORE_DXE" package and uses its place to start from BIOS and continually download files and replace the
    entire windows O/S, any version from WinPE (vista+). It puts its various isos in the DVD Ramdisk (including linux and android isos). It kind of just installs itself WITH windows and becomes its version of it to run the client in the virtual shell, replaced
    as the client on a provider (DISM, Panther, provhost possibly?)…. Something took over without any delays at all, if this is part of it, I wish there was more info. Thanks for forensics =)