CVE-2007-3068
published 2007-06-06

CVE-2007-3068: Stack-based buffer overflow in DVD X Player 4.1 Professional allows remote attackers to execute arbitrary code via a PLF playlist containing a long filename.

Priority: P3 (44), medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: EXPLOIT
EPSS: 32.95% (98.1st percentile)

Affected (2 ranges)

Vendor          Product         Version range   Fixed in
dvd-x-player    dvd_x_player    (not listed)    (not listed)
dvd_x_studios   dvd_x_player    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: Exploit.plf
filename: owned.plf
filename: msf.plf
path: C:\Program Files\Aviosoft\DVD X Player 5.5 Standard\MediaPlayerCtrl.dll
registry: MediaPlayerCtrl.dll
other: EPG.dll - POP EAX; RET @ 0x61626702
other: EPG.dll - POP EAX; RET @ 0x61626702 (ROP chain)
other: SkinScrollBar.dll - VirtualProtect IAT @ 0x10011108
other: EPG.dll - pop edi; pop esi; ret @ 0x61602adb
other: shlwapi.dll - JMP ESP @ 0x77FAB127
bytes: SEH overwrite pattern: \xeb\x06\x90\x90 (next_seh jump) + \xdb\x2a\x60\x61 (pop/pop/ret EPG.dll)
bytes: Egghunter egg tag: \x54\x30\x30\x57\x54\x30\x30\x57 (W00TW00T doubled)
  • Monitor for MediaPlayerCtrl.dll (loaded by DVD X Player) performing a stack copy (rep movs) that triggers an access violation — indicative of the unbounded strcpy triggering the overflow.
  • Detect the egghunter tag bytes W00T (\x54\x30\x30\x57) appearing twice consecutively in a .plf file, used to locate shellcode in memory.
  • Alert on DVD X Player spawning unexpected child processes (e.g., cmd.exe, calc.exe) — the exploit payload executes arbitrary code under the user context.
  • Look for ROP gadget addresses from EPG.dll (base around 0x6160xxxx–0x6164xxxx) and SkinScrollBar.dll (0x10011108) on the stack, indicating a DEP/ASLR bypass attempt against DVD X Player 5.5.
  • The original CVE-2007-3068 targets DVD X Player 4.1 Professional; the Metasploit module and additional exploits extend coverage to DVD X Player 5.5 Pro and Standard — ROP gadget addresses and offsets differ between versions.
  • The SEH overwrite exploit (17788) bypasses ASLR by relying on EPG.dll being a non-ASLR-enabled module; gadget addresses are fixed only when EPG.dll lacks ASLR.
  • Bad characters for payload encoding are \x00\x0a\x0d\x1a — shellcode must avoid these bytes to survive the filename parsing in MediaPlayerCtrl.dll.