CVE-2004-1119
published 2005-01-10

Priority: P346
Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 17.26% (96.7th percentile)
Stack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibly other versions including 5.06, allows remote attackers to execute arbitrary code via a certain .m3u playlist file.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
nullsoft | winamp | |
nullsoft | winamp | |
nullsoft | winamp | |
nullsoft | winamp | |
nullsoft | winamp | |
nullsoft | winamp | |

Detection & IOCs (extracted from sources)

filename: IN_CDDA.dll
path: H:\Archivos de programa\Winamp\Plugins\in_cdda.dll
bytes: \xB8\x75\xC1\xe4\x88\x2D\x11\x11\x11\x11\x50\x59\x33\xc0\x50\x68\x42\x6f\x6f\x6d\x54\x5a\x50\x50\x52\x50\x53\x51\xc3
  • Exploit .m3u files must NOT contain #EXTINF metadata lines; presence of #EXTINF prevents the vulnerable code path from being reached. Absence of #EXTINF in a .cda-referencing .m3u is a suspicious indicator.
  • The exploit payload uses the string 'C:\1234567890ab' as stack padding followed by a 4-byte return address overwrite. Scan .m3u files for entries beginning with this padding pattern.
  • The shellcode return address targets offset 0x1002355b within in_cdda.dll's .data section. Detection of EIP/return address values near 0x10023000–0x10024000 during Winamp crashes may indicate exploitation.
  • The exploit file header begins with the literal string '#EXTM3U' followed by a malicious .cda entry. Combine this with NOP sled detection (long runs of 0x90 bytes) inside .m3u files for a high-confidence signature.
  • The hardcoded return address (0x1002355b) and shellcode MessageBoxA address (0x77D3b064) are specific to a single OS build (xpsp2.030429-213). Real-world exploits targeting other Windows versions would use different addresses.
  • The PoC was tested on Winamp 5.02 despite the advisory title referencing 5.06; the vulnerability also affects 5.05 per NVD. Detection rules should cover all Winamp 5.x versions up to and including 5.06.
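The file-level indicators listed above can be combined into a simple playlist triage check. The following is an added example, not code from this page or its sources; the function names, the 16-byte NOP-run threshold and the verdict levels are assumptions, and the sample playlists are constructed and contain no return address or shellcode.

```python
import re

PADDING = b"C:\\1234567890ab"         # stack padding string quoted on this page
NOP_RUN = re.compile(rb"\x90{16,}")   # assumption: 16+ bytes of 0x90 is a "long run"

def triage_m3u(data: bytes) -> dict:
    """Report which of the page's file-level indicators appear in raw .m3u bytes."""
    lines = [ln.strip() for ln in data.splitlines()]
    entries = [ln for ln in lines if ln and not ln.startswith(b"#")]
    return {
        "extm3u_header": data.lstrip().startswith(b"#EXTM3U"),
        "cda_entry": any(b".cda" in e.lower() for e in entries),
        "no_extinf": not any(ln.upper().startswith(b"#EXTINF") for ln in lines),
        "padding_prefix": any(e.startswith(PADDING) for e in entries),
        "nop_run": bool(NOP_RUN.search(data)),
    }

def verdict(findings: dict) -> str:
    """Hypothetical scoring: 'high', 'review' or 'none'."""
    # A .cda reference with no #EXTINF line is the precondition noted on the page.
    if not (findings["cda_entry"] and findings["no_extinf"]):
        return "none"
    # Padding pattern or NOP run on top of that raises confidence.
    if findings["padding_prefix"] or findings["nop_run"]:
        return "high"
    return "review"

# Constructed samples for demonstration only.
BENIGN = b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\nD:\\Track01.cda\r\n"
PLAIN_CD = b"#EXTM3U\r\nD:\\Track01.cda\r\n"
SUSPECT = b"#EXTM3U\r\n" + PADDING + b"XXXX" + b"\x90" * 64 + b".cda\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("plain_cd", PLAIN_CD), ("suspect", SUSPECT)):
        result = triage_m3u(blob)
        hits = [k for k, v in result.items() if v]
        print(f"{name}: {verdict(result)} {hits}")
```

The check reads files as bytes because the indicators include non-text byte runs; decoding a playlist as text first could hide or mangle them.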