CVE-2007-5217
Published 2007-10-05
Priority P3 · 37 · medium · 6.8 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS 29.99% (98.0th percentile)
Stack-based buffer overflow in the ADM4 ActiveX control in adm4.dll in Altnet Download Manager 4.0.0.6, as used in (1) Kazaa 3.2.7 and (2) Grokster, allows remote attackers to execute arbitrary code via a long argument to the Install method. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| altnet | altnet_download_manager | — | — |
| grokster | grokster | — | — |
| kazaa | kazaa_media_desktop | — | — |
Detection & IOCs (extracted from sources)
- Monitor for ActiveX instantiation of the ADM4/AMD4 control (adm4.dll / amd4.dll) followed by calls to its Install() method with anomalously long string arguments, which is the exploit trigger.
- The Metasploit module uses a heap-spray technique via JavaScript unescape() loops combined with a 0x0c0c0c0c return address; detect heap-spray patterns in browser memory or JavaScript containing repeated unescape NOP sleds targeting this ActiveX control.
- The exploit sets EXITFUNC to 'process', meaning the shellcode will terminate the hosting process on exit; correlate unexpected iexplore.exe crashes after ActiveX Install() invocation.
- The DLL filename is inconsistently reported across sources: NVD names it 'adm4.dll' while the Metasploit module references 'amd4.dll'; detection rules should cover both filenames.
- The Metasploit module randomizes all JavaScript variable names on each request, so static string-based signatures on variable names will not be reliable; focus on structural patterns (unescape NOP sled + ActiveX Install call).
- The public exploit targets only Windows XP SP0-SP2 with IE 6.0 SP1 English; the return address 0x0c0c0c0c is specific to this platform/locale combination and may not apply to other targets.
No detection rules found.
Exploit-DB
Kazaa Altnet Download Manager - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
```ruby
##
# $Id: kazaa_altnet_heap.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Kazaa Altnet Download Manager ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX
				Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.

				By sending an overly long string to the "Install()" method, an attacker may be
				able to execute arbitrary code.
			},
			'License'        =>
```
Metasploit
Kazaa Altnet Download Manager ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7. By sending an overly long string to the "Install()" method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://osvdb.org/37785
- http://osvdb.org/38435
- http://secunia.com/advisories/26970
- http://secunia.com/advisories/26972
- http://www.securityfocus.com/bid/25903
- http://www.vupen.com/english/advisories/2007/3335
- http://www.vupen.com/english/advisories/2007/3336
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36929