CVE-2006-6063
published 2006-11-22


Priority: P3 (50, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 58.08% (99.0th percentile)
Stack-based buffer overflow in Un4seen XMPlay 3.3.0.5 and earlier allows remote attackers to execute arbitrary code via a M3U file containing a long (1) FileName, and cause a crash via a long (2) DisplayName.

Affected (1 range)

Vendor    Product   Version range   Fixed in
un4seen   xmplay    <= 3.3.0.5      (none listed)

Detection & IOCs (extracted from sources)

version: XMPlay 3.3.0.5 and earlier
filename: malicious.asx
filename: malicious.m3u
other (alphanumeric-encoded payload string): TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtpLEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNipsPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA
bytes: \xbc\x41\xdb\x77 (little-endian 0x77db41bc)
bytes: \xfc\x18\xd7\x77 (little-endian 0x77d718fc)
bytes: \xdc\x4a\xd7\x77 (little-endian 0x77d74adc)
bytes: \x56\xc2\xe3\x77 (little-endian 0x77e3c256)
  • Detect an oversized FileName field (more than 498 bytes) in M3U or ASX playlist files parsed by XMPlay; the exploit uses 498 bytes of padding before the return-address overwrite.
  • Flag M3U files whose FileName entry (in extended M3U, the path line that follows an #EXTINF record) exceeds ~500 bytes; this is what triggers the stack buffer overflow in XMPlay 3.3.0.5 and earlier.
  • Detect ASX playlist files with an overly long file reference (the href value of a <ref> element), since the ASX format is exploitable through the same boundary error.
  • Bad characters for this exploit are: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40. The module encodes the payload with AlphanumUpper, so the payload arrives as a long run of letters and digits with none of those bytes in it; detect long alphanumeric-only strings in playlist filename fields. Note that the sample payload string above contains lowercase letters as well, so match on [A-Za-z0-9] rather than uppercase only.
  • Overflowing the DisplayName field of an M3U file may trip Windows DEP, which is why the advisory lists it only as a crash; the FileName field is the code-execution vector to monitor.
  • Return addresses are platform-specific: the Metasploit module targets Windows 2000 Pro SP4 and Windows XP Pro SP2 (English) only, so the four-byte sequences listed above will appear only in files built for those targets.
  • Payload space is limited to 750 bytes and the payload requires AlphanumUpper encoding, so signatures for raw shellcode will not match; detection has to account for the encoding.
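The checks in the list above, turned into a small scanner, as an added example that is not part of the original page and not code from Un4seen or from the Metasploit module. It parses both playlist formats the advisory names, then applies three of the notes to each FileName/DisplayName value: the 498-byte padding threshold, the four return-address byte sequences from the IOC list, and a long alphanumeric-only run. The 498-byte limit and the byte sequences come from the page; the 200-byte minimum run length is a hypothetical threshold chosen here, and the sample playlists are constructed for the demonstration (the encoder stub is the start of the payload string listed above).

```python
import re
from typing import List, Tuple

# Indicators taken from the detection notes on this page.
PADDING_LEN = 498                # padding bytes before the return-address overwrite
RETURN_ADDR_SEQS = (             # the four 4-byte sequences listed in the IOCs
    b"\xbc\x41\xdb\x77",
    b"\xfc\x18\xd7\x77",
    b"\xdc\x4a\xd7\x77",
    b"\x56\xc2\xe3\x77",
)
# Hypothetical threshold (not from the page): no real path or title is a
# 200-byte run of nothing but letters and digits, but an alphanumeric-encoded
# payload is exactly that. Mixed case is allowed because the sample above is.
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{200,}")

# Constructed sample files (not taken from any real exploit). The encoder stub
# is the beginning of the payload string listed in the IOCs above.
ENCODER_STUB = b"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
BENIGN_M3U = b"#EXTM3U\n#EXTINF:214,Artist - Track\nC:\\Music\\track01.mp3\n"
MALICIOUS_M3U = (
    b"#EXTM3U\r\n#EXTINF:123,Song\r\n"
    + b"A" * PADDING_LEN + RETURN_ADDR_SEQS[0] + ENCODER_STUB + b"K" * 300 + b"\r\n"
)
MALICIOUS_ASX = (
    b'<asx version="3.0"><entry><ref href="'
    + b"A" * PADDING_LEN + RETURN_ADDR_SEQS[1] + ENCODER_STUB
    + b'"/></entry></asx>'
)


def parse_m3u(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (field, value) pairs: DisplayName from '#EXTINF:<secs>,<name>' lines,
    FileName from the non-comment path lines that follow them."""
    fields = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        if line.startswith(b"#EXTINF:"):
            fields.append(("DisplayName", line.partition(b",")[2]))
        elif not line.startswith(b"#"):
            fields.append(("FileName", line))
    return fields


# ASX is XML-like: <ref href="..."/> carries the file reference, <title> the name.
# Because '"', '<' and '>' are among the exploit's bad characters, an encoded
# payload inside href="..." never terminates the attribute early.
_ASX_REF = re.compile(rb'<\s*ref\b[^>]*?\bhref\s*=\s*"([^"]*)"', re.IGNORECASE | re.DOTALL)
_ASX_TITLE = re.compile(rb"<\s*title\s*>(.*?)<\s*/\s*title\s*>", re.IGNORECASE | re.DOTALL)


def parse_asx(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (field, value) pairs from an ASX playlist."""
    fields = [("FileName", v) for v in _ASX_REF.findall(data)]
    fields += [("DisplayName", v) for v in _ASX_TITLE.findall(data)]
    return fields


def scan_playlist(data: bytes, kind: str) -> List[str]:
    """Apply the page's detection notes to one playlist ('m3u' or 'asx');
    returns one finding string per triggered check per field."""
    if kind not in ("m3u", "asx"):
        raise ValueError("kind must be 'm3u' or 'asx'")
    fields = parse_m3u(data) if kind == "m3u" else parse_asx(data)
    findings = []
    for field, value in fields:
        if len(value) > PADDING_LEN:
            findings.append(f"{field}: length {len(value)} exceeds {PADDING_LEN}")
        for seq in RETURN_ADDR_SEQS:
            if seq in value:
                findings.append(f"{field}: contains return-address bytes {seq.hex()}")
        if ALNUM_RUN.search(value):
            findings.append(f"{field}: long alphanumeric-only run (encoded payload?)")
    return findings


if __name__ == "__main__":
    for name, data, kind in (("benign.m3u", BENIGN_M3U, "m3u"),
                             ("malicious.m3u", MALICIOUS_M3U, "m3u"),
                             ("malicious.asx", MALICIOUS_ASX, "asx")):
        print(name, scan_playlist(data, kind) or ["clean"])
```

The length check alone would already catch the Metasploit-generated files, but it is the weakest signal on its own (long UNC paths exist); the return-address bytes are the strongest and the narrowest, since they hold only for the two English Windows targets the module supports. Running all three per field and reporting them separately lets an analyst see which one fired.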