CVE-2007-4748
published 2007-09-06

CVE-2007-4748: Buffer overflow in the PowerPlayer.dll ActiveX control in PPStream 2.0.1.3829 allows remote attackers to execute arbitrary code via a long Logo parameter.

Priority: P262
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 7.21% (93.5th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
ppstream | ppstream | |

Detection & IOCs (extracted from sources)

filename: PowerPlayer.dll
version: PPStream 2.0.1.3829 / PowerPlayer.dll 2.0.1.3829
bytes: E8 00 00 00 00 6A 03 EB 21 7E D8 E2 73 98 FE 8A 0E 8E 4E 0E EC 55 52 4C 4D 4F 4E 00 00 36 1A 2F 70 63 3A 5C 63 2E 65 78 65 00
  • The exploit triggers a buffer overflow via a long 'Logo' parameter passed to the PowerPlayer.dll ActiveX control. Monitor for unusually long string values supplied to this ActiveX control's Logo property.
  • Shellcode embeds the string 'pc:\c.exe' (encoded as bytes 0x70 0x63 0x3A 0x5C 0x63 0x2E 0x65 0x78 0x65), indicating the payload drops or executes a file at that path. Monitor for creation or execution of c.exe.
  • Shellcode contains the encoded string 'URLMON' (0x55 0x52 0x4C 0x4D 0x4F 0x4E), suggesting it uses URLDownloadToFile or similar URLMON API to fetch a remote payload.
  • The shellcode hardcodes a target address region (0x004010DB / 0x0040104E area) for the heap spray return address, meaning the exploit is tuned to a specific memory layout of PPStream 2.0.1.3829 and may not work against other versions.

CVSS provenance

nvd: v2.0, 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck: 6.8 MEDIUM