cbcvebase.
CVE-2007-3901
published 2007-12-12


Priority: P3 · 55 · high
CVSS 2.0 base score: 8.5
CVSS 2.0 vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 45.87% (98.7th percentile)
Stack-based buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll for Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted SAMI file.

Affected

15 ranges (the version range and fixed-in values did not survive extraction and are left blank)

Vendor | Product | Version range | Fixed in
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |
microsoft | directx | |

Detection & IOCs (extracted from sources)

Filename: quartz.dll
Other: Content-Type: application/smil
  • Malicious SAMI/SMI files served over HTTP with Content-Type application/smil trigger the overflow; monitor for .smi file requests to untrusted hosts from media player processes.
  • The exploit delivers a crafted SAMI body with an oversized buffer (offset 22412 bytes) to overflow the stack in quartz.dll; anomalously large SAMI/SMI files or SAMI files with very long tag content should be flagged.
  • Reverse shell connection back to attacker on port 4444 from wmplayer.exe or related DirectShow host process is a post-exploitation indicator.
  • The exploit module uses EXITFUNC=process and a StackAdjustment of -3500; look for unusual stack pivot activity within quartz.dll loaded by media player processes.
  • The Metasploit module's return address (0x75022ac4) and offset (22412) are specific to Windows 2000 Pro SP4 English with DirectX 8.0; exploitation against other OS/DirectX version combinations requires different offsets and return addresses.
  • The Python PoC exploit was tested only on Windows 2000 SP4 English with DirectX 7.0 (4.07.00.0700); reliability on other platforms is unconfirmed.
  • The Metasploit module was only tested with Windows Media Player version 6.4.09.1129 and DirectX 8.0; other DirectX versions (7.0–10.0) are vulnerable per the CVE but may require retargeting.