CVE-2007-1559
published 2007-04-11

Priority: P3 · 51 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 31.81% (98.1th percentile)
Multiple stack-based buffer overflows in SonicDVDDashVRNav.dll in Roxio CinePlayer 3.2 allow remote attackers to execute arbitrary code via (1) unspecified long property values to SonicMediaPlayer.dll or (2) long arguments to unspecified methods in SonicMediaPlayer.dll.

Affected

1 range
Vendor: roxio
Product: cineplayer
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: SonicMediaPlayer.dll
command: DiskType
other: 0x0C0C0C0C
bytes: %u0c0c%u0c0c
  • Detect heap spray pattern: repeated 0x0C0C0C0C DWORD used as NOP sled and return address in browser memory, indicative of heap-spray exploitation of SonicMediaPlayer.dll ActiveX control.
  • Monitor for instantiation of the SonicMediaPlayer ActiveX control (SonicMediaPlayer.dll) inside Internet Explorer, especially when the DiskType method is called with an argument exceeding 200 characters.
  • Exploit is delivered via a malicious HTML document; look for HTML pages embedding the SonicMediaPlayer ActiveX CLSID with a long DiskType parameter value.
  • Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash — filter or alert on unescape() calls in HTML/JS containing shellcode blobs avoiding these bytes.
  • The Metasploit module targets SonicMediaPlayer.dll version 3.0.0.1 specifically; the heap-spray return address 0x0C0C0C0C is hardcoded for Windows XP SP0-SP3 and Vista SP0-SP1 with IE 6.0 SP0-2 and IE 7.0 only.
  • CVE-2007-1559 may overlap with CVE-2009-4841 (heap-based overflow in the same DLL via the same DiskType method); detections should cover both stack and heap overflow variants.
  • The exploit payload space is limited to 1024 bytes and requires a stack adjustment of -3500 bytes; payloads larger than 1024 bytes will not function with this module.