CVE-2004-0964
published 2005-02-09


Priority: P3
CVSS 2.0 score: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: publicly available
EPSS: 62.68% (99.1st percentile)
Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.

Affected (2 ranges)

Vendor    Product         Version range    Fixed in
debian    debian_linux    (not stated)     (not stated)
zinf      zinf            (not stated)     (not stated)

Detection & IOCs (extracted from sources)

  • registry: .pls file extension registered to Zinf
  • other: 0x1204f514 (pop esi; pop ebx; ret - zinf.ui)
  • other: 0x10002CC8 (push esp; ret - vorbisfile.dll)
  • other: 0x0C040512 (SEH handler - zinf.ui)
  • url: http://sourceforge.net/projects/zinf/files/zinf/2.2.1/zinf-setup-2.2.1.exe/download
  • bytes: \x41 x 1424 + \xEB\x06\x90\x90 + \x0C\x04\x05\x12
  • bytes: \x41 x 1300 + \xC8\x2C\x00\x10 + \x90 x 128
  • Detect malicious .pls files with oversized content: legitimate PLS playlists are small; a .pls file containing 1300+ bytes of repeated 'A' (0x41) characters followed by a return address is a strong indicator of exploitation.
  • Look for .pls files containing SEH overwrite pattern: 1424 bytes of padding followed by a short JMP (\xEB\x06\x90\x90) and a return address pointing into zinf.ui (e.g. 0x1204f514 or 0x0C040512).
  • Monitor process creation of Zinf Audio Player (zinf.exe) spawning unexpected child processes (e.g. calc.exe or cmd.exe), which is the payload target in all known public exploits.
  • Flag .pls files opened by Zinf that trigger stack pivot gadgets in vorbisfile.dll (0x10002CC8: push esp; ret) or zinf.ui plugin DLL — these are the universal return addresses used across exploits.
  • Detect ROP chain loading of msvcr71.dll via LoadLibraryA followed by VirtualProtect calls — a DEP bypass technique used in the 2011 exploit variant targeting Windows XP SP3 with DEP AlwaysOn.
  • Alert on .pls files delivered via browser when the .pls extension is registered to Zinf, as this enables remote code execution without user interaction beyond visiting a page.
  • The Metasploit module uses AlphanumMixed encoding with bad chars \x00\x0a\x0d\x3c\x22\x3e\x3d and a stack adjustment of -3500; detect alphanumeric shellcode blobs embedded in .pls files.
  • The return address 0x1204f514 (pop esi; pop ebx; ret in zinf.ui) is version-specific to Zinf 2.2.1 on Windows XP SP3; it will not be reliable on other OS versions or patch levels.
  • The DEP bypass ROP chain (exploit-db 17600) was tested only on Windows XP SP3 Brazilian Portuguese with DEP in AlwaysOn mode; gadget addresses from zinf.ui, vorbisfile.dll, and msvcr71.dll will differ on other builds.
  • The universal vorbisfile.dll gadget (0x10002CC8) was tested on Windows XP SP2 French; ASLR-enabled systems will randomize this address, making the exploit unreliable.
  • CVE-2004-0964 affects Zinf 2.2.1 on Windows and older Linux versions; the Linux attack surface is noted but no Linux-specific exploit offsets are provided in public PoCs.