CVE-2010-3653
Published: 2010-10-26


Priority: P2 73 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
In the wild: Exploited (VulnCheck KEV) · Exploited in the wild
EPSS: 74.63% (99.4th percentile)
The Director module (dirapi.dll) in Adobe Shockwave Player before 11.5.9.615 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Director movie with a crafted rcsL chunk containing a field whose value is used as a pointer offset, as exploited in the wild in October 2010. NOTE: some of these details are obtained from third party information.

Affected

40 ranges · showing 25 (only one range on the page carries version data)

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| adobe | shockwave_player | <= 11.5.8.612 | |

Detection & IOCs (extracted from sources)

other: rcsL chunk in Director movie (.DIR/.DCR) file with crafted 4-byte field at offset 0x4C4B set to 0xFFF00267
other: Ret => 0x0a0a0a0a
filename: dirapi.dll
bytes: 0a0a0a0a (heap spray NOP-sled using OR opcode)
bytes: nops=unescape('%u0a0a%u0a0a') heap spray pattern
  • Detect Director movie files (.DIR/.DCR) delivered over HTTP with a crafted rcsL chunk; the RIFF-based format begins with a 4-byte RIFX identifier followed by chunk identifiers including rcsL.
  • Flag heap spray patterns using 0x0a0a0a0a as the spray address/NOP-sled value in browser memory when a .DIR file is being loaded via a plugin.
  • Monitor for JavaScript heap spray using repeated '%u0a0a%u0a0a' unescape patterns in pages that also embed a .DIR file (Content-Type: application/octet-stream).
  • Alert on HTTP responses serving files with Content-Type application/octet-stream containing a RIFX/rcsL Director movie structure, especially when the referring page contains unescape-based heap spray JavaScript.
  • The vulnerable code path is inside dirapi.dll at function sub_68122990; monitor for abnormal indirect calls via [ecx+eax*8+20h] with attacker-controlled EAX derived from the rcsL chunk field.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript post-exploitation; detect unexpected process migration activity following Shockwave Player execution.
  • The vulnerability affects Adobe Shockwave Player versions before 11.5.9.615; the advisory was written against version 11.5.8.612.
  • The rcsL chunk structure is undocumented; detection must rely on the presence of the chunk identifier and anomalous field values rather than a published specification.
  • The Metasploit payload has bad characters \x00\x09\x0a\x0d which must be avoided; shellcode encoders will therefore be used, which can alter byte-level signatures.
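The detection bullets above combine two weak signals into a stronger one: a RIFX-based Director movie containing an rcsL chunk, and a referring page that carries the 0x0a0a-based unescape heap spray. The following is an added example (not code from the page or from any vendor or Metasploit module) of how a content-inspection hook could score those two signals together. It assumes the generic RIFF container layout for RIFX files (4-byte chunk id, 4-byte big-endian size, payload padded to an even length) and uses a constructed, minimal RIFX blob and HTML snippet as sample input; the form type `MV93` and the helper `build_rifx` are assumptions used only to build that sample.

```python
import re
import struct

RIFX_MAGIC = b"RIFX"
RCSL_ID = b"rcsL"


def walk_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for a RIFX container.

    Assumption: generic RIFF layout (id, size, payload padded to even length);
    sizes are big-endian because the magic is RIFX rather than RIFF.
    """
    if len(data) < 12 or data[:4] != RIFX_MAGIC:
        return
    pos = 12  # skip magic, total size and form type
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        (size,) = struct.unpack(">I", data[pos + 4:pos + 8])
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)


def scan_director_movie(data: bytes) -> list:
    """Return textual findings for a blob claiming to be a Director movie."""
    findings = []
    if data[:4] != RIFX_MAGIC:
        return findings
    findings.append("RIFX container header")
    ids = [cid for cid, _ in walk_riff_chunks(data)]
    if RCSL_ID in ids:
        # The rcsL layout is undocumented, so presence alone is a weak signal;
        # it is only meaningful in combination with the page-side spray.
        findings.append("rcsL chunk present")
    elif RCSL_ID in data:
        findings.append("rcsL identifier outside chunk walk (malformed container)")
    return findings


# unescape('%u0a0a%u0a0a') repeated at least twice, either quote style
SPRAY_RE = re.compile(r"unescape\(\s*['\"](?:%u0a0a){2,}['\"]\s*\)", re.I)
DIR_EMBED_RE = re.compile(r"\.(?:dir|dcr)\b", re.I)


def scan_page(html: str) -> list:
    """Return findings for the referring HTML page."""
    findings = []
    if SPRAY_RE.search(html):
        findings.append("unescape heap-spray pattern with 0x0a0a")
    if DIR_EMBED_RE.search(html):
        findings.append("embeds .DIR/.DCR")
    return findings


def assess(html: str, movie: bytes) -> dict:
    """Combine page and movie findings into a single verdict."""
    page = scan_page(html)
    mov = scan_director_movie(movie)
    spray = any("heap-spray" in f for f in page)
    rcsl = "rcsL chunk present" in mov
    if spray and rcsl:
        verdict = "likely exploit attempt"
    elif spray or rcsl:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"page": page, "movie": mov, "verdict": verdict}


def build_rifx(form: bytes, chunks) -> bytes:
    """Constructed helper: assemble a RIFX container from (id, payload) pairs."""
    body = form
    for cid, payload in chunks:
        body += cid + struct.pack(">I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return RIFX_MAGIC + struct.pack(">I", len(body)) + body


# Constructed sample inputs (not real captures): a skeleton movie with an
# rcsL chunk, and a page fragment carrying the spray pattern from the IOCs.
SAMPLE_MOVIE = build_rifx(b"MV93", [(b"imap", b"\x00" * 24), (b"rcsL", b"\x00" * 16)])
SAMPLE_HTML = (
    "<script>var nops = unescape('%u0a0a%u0a0a');</script>"
    '<embed src="movie.dir" type="application/octet-stream">'
)

if __name__ == "__main__":
    print(assess(SAMPLE_HTML, SAMPLE_MOVIE))
```

A proxy or sandbox hook would feed `assess` the referring page body and the fetched `application/octet-stream` response; the split into `scan_page` and `scan_director_movie` lets either side be logged on its own when only one artifact is available.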

CVSS provenance

NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 9.3 CRITICAL