CVE-2006-6199
published 2006-12-01


Priority: P3 (57)
Severity: high, CVSS 2.0 base score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 65.06% (99.2th percentile)
Stack-based buffer overflow in BlazeVideo BlazeDVD Standard and Professional 5.0, and possibly earlier, allows remote attackers to execute arbitrary code via a long filename in a PLF playlist.

Affected (3 ranges)

Vendor       Product       Version range   Fixed in
blazevideo   blaze_dvd     -               -
blazevideo   hdtv_player   <= 2.1          -
blazevideo   hdtv_player   -               -

Detection & IOCs (extracted from sources)

filename: HACK4LOVE.PLF
filename: msf.plf
filename: cst-blazedvd.plf
bytes: \xEB\x06\x90\x90 (short jump / NOP sled SEH overwrite pattern)
bytes: \xb8\x15\xd1\x72 (SEH handler overwrite address)
bytes: \x41 x 608 (junk buffer padding before SEH overwrite)
bytes: 0x100101e7 (return address for BlazeDVD 5.1 Metasploit target)
bytes: 5e 59 c3 (pop esi / pop ecx / ret gadget at 0x100012cd in skinscrollbar)
bytes: \xae\x74\x60\x61 (SEH overwrite: ADD ESP,408 # RETN 4 at 0x616074AE)
bytes: \x78\x53\xbe\x01 (return address used in BlazeDVD 5.0 PLF exploit)
  • Malicious .PLF playlist files trigger a stack-based buffer overflow in BlazeDVD when opened; detect creation or download of .PLF files containing large repetitive byte sequences (e.g., 600+ bytes of 0x41) followed by SEH overwrite patterns.
  • SEH-based exploitation: look for .PLF files where bytes at offset ~608 contain a short-jump stub (\xEB\x06\x90\x90) immediately followed by a 4-byte return address overwrite.
  • Metasploit module targets BlazeDVD 5.1 with a 6024-byte alphanumeric-upper encoded payload; SEH control occurs at offset 868/872 within the PLF file buffer.
  • The ASLR/DEP bypass exploit for Windows 7 uses ROP gadgets exclusively from non-ASLR modules loaded by BlazeDVD (base addresses 0x61xxxxxx, 0x64xxxxxx, 0x60xxxxxx); presence of these address ranges in a PLF file is a strong indicator of exploitation.
  • The skinscrollbar DLL loaded by BlazeDVD 5.1 contains a pop/pop/ret gadget at 0x100012cd; flag memory searches or ROP chains referencing this address range (0x10000000–0x10018000).
  • The Metasploit module uses the AlphanumUpper encoder with a null-byte bad-character restriction; payloads containing \x00 will not function correctly.
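As an added example (not code from the page's sources or from BlazeVideo), the detection notes above turned into a file-scanning heuristic in Python: a 600+ byte single-byte run followed by the \xEB\x06\x90\x90 stub and a 4-byte handler address, plus any little-endian value inside the skinscrollbar image range. The two sample inputs and the handler address 0x10001000 are constructed for the demonstration.

```python
import re
import struct

# Heuristics drawn from the detection notes (CVE-2006-6199, PLF overflow):
#  - a run of 600+ identical bytes (junk padding before the SEH overwrite)
#  - immediately followed by the short-jump stub \xEB\x06\x90\x90
#  - then a 4-byte little-endian handler address
#  - any 4-byte value inside the skinscrollbar image range 0x10000000-0x10018000
MIN_RUN = 600
STUB = b"\xEB\x06\x90\x90"
SUSPICIOUS_RANGES = {"skinscrollbar": (0x10000000, 0x10018000)}
RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)


def scan_plf(data: bytes) -> dict:
    """Return which heuristics fired on the raw bytes of a .PLF playlist."""
    result = {"long_run": False, "seh_stub": False, "module_refs": []}
    for m in RUN_RE.finditer(data):
        result["long_run"] = True
        end = m.end()
        if data[end:end + 4] == STUB:
            result["seh_stub"] = True
    # Sliding (unaligned) 4-byte window; windows straddling the stub may add extra hits.
    for off in range(len(data) - 3):
        (val,) = struct.unpack_from("<I", data, off)
        for name, (lo, hi) in SUSPICIOUS_RANGES.items():
            if lo <= val < hi:
                result["module_refs"].append((off, name, hex(val)))
    return result


def is_suspicious(result: dict) -> bool:
    """Long run plus stub, or any non-ASLR module reference, is enough to alert."""
    return (result["long_run"] and result["seh_stub"]) or bool(result["module_refs"])


# Constructed samples (not real files): a plain text playlist, and a buffer laid
# out as the notes describe; 0x10001000 is a placeholder chosen only because it
# lies inside the skinscrollbar range.
BENIGN_PLF = b"C:\\Movies\\trailer.mpg\r\nC:\\Movies\\feature.vob\r\n"
CRAFTED_PLF = b"A" * 608 + STUB + struct.pack("<I", 0x10001000)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PLF), ("crafted", CRAFTED_PLF)):
        print(label, is_suspicious(scan_plf(blob)))
```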