cbcvebase.
CVE-2007-5217
published 2007-10-05

Priority: P337 · Severity: medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 29.99% (98.0th percentile)
Stack-based buffer overflow in the ADM4 ActiveX control in adm4.dll in Altnet Download Manager 4.0.0.6, as used in (1) Kazaa 3.2.7 and (2) Grokster, allows remote attackers to execute arbitrary code via a long argument to the Install method. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
altnet | altnet_download_manager | |
grokster | grokster | |
kazaa | kazaa_media_desktop | |

Detection & IOCs (extracted from sources)

filename: adm4.dll
filename: amd4.dll
command: Install()
  • Monitor for ActiveX instantiation of the ADM4/AMD4 control (adm4.dll / amd4.dll) followed by calls to its Install() method with anomalously long string arguments, which is the exploit trigger.
  • The Metasploit module uses a heap-spray technique via JavaScript unescape() loops combined with a 0x0c0c0c0c return address; detect heap-spray patterns in browser memory or JavaScript containing repeated unescape NOP sleds targeting this ActiveX control.
  • The exploit sets EXITFUNC to 'process', meaning the shellcode will terminate the hosting process on exit; correlate unexpected iexplore.exe crashes after ActiveX Install() invocation.
  • The DLL filename is inconsistently reported across sources: NVD names it 'adm4.dll' while the Metasploit module references 'amd4.dll'; detection rules should cover both filenames.
  • The Metasploit module randomizes all JavaScript variable names on each request, so static string-based signatures on variable names will not be reliable; focus on structural patterns (unescape NOP sled + ActiveX Install call).
  • The public exploit targets only Windows XP SP0-SP2 with IE 6.0 SP1 English; the return address 0x0c0c0c0c is specific to this platform/locale combination and may not apply to other targets.