cbcvebase.
CVE-2005-0455
published 2005-05-02

CVE-2005-0455: Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10…

Priority: P3 · 48 · medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 53.99% (98.9th percentile)
Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1 allows remote attackers to execute arbitrary code via a .SMIL file with a large system-screen-size value.

Detection & IOCs (extracted from sources)

  • filename: .smil
  • other: system-screen-size (large value in .SMIL file)
  • other: RET 0x75022ac4 (Windows 2000 SP0-SP4 English)
  • other: RET 0x71aa2461 (Windows XP PRO SP0-SP1 English)
  • bytes: \xeb\x08\xeb\x08 at offset 1068; SEH handler \x4a\xe1\xc9\x61 (WinXP pop/pop/ret) at offset 1072
  • The vulnerable function is CSmil1Parser::testAttributeFailed in smlparse.cpp; monitor for RealPlayer processing .SMIL files whose system-screen-size attribute carries an oversized value.
  • Exploit delivery is browser-based: a web server responds with Content-Type text/html containing a link or redirect to a .smil URI; detect HTTP responses serving .smil content to RealPlayer user agents.
  • The payload's bad-character set for this exploit excludes null bytes and common HTML/URL metacharacters; network signatures should look for long non-printable blobs inside system-screen-size SMIL attribute values.
  • The local exploit writes a crafted .smil file with a roughly 1700-byte overflow buffer containing a NOP sled (0x90) and SEH overwrites; endpoint detection should flag RealPlayer spawning unexpected child processes or binding ports after opening a .smil file.
  • The Metasploit module targets Windows 2000 and XP with specific return addresses; correlate a crash or exception in the RealPlayer process with EIP values 0x75022ac4 or 0x71aa2461.
  • The Metasploit module requires the URIPATH to end with '.smil' for the exploit to function correctly.
  • The Metasploit module was tested only against RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584; return addresses differ per OS and service pack and are not universal.
  • The local SEH-overwrite exploit claims OS-universal coverage via multiple SEH handler addresses for XP, Win2k3, and Win2k, but the author notes 'if you have a diff 2k3 then deal with it and write your own in'.

CVSS provenance

  • nvd: v2.0, 5.1 MEDIUM, AV:N/AC:H/Au:N/C:P/I:P/A:P
  • vendor_redhat: 5.1 MEDIUM