CVE-2008-0065
published 2008-01-22


Priority: P2 · 62 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 61.27% (99.0th percentile)
Multiple stack-based buffer overflows in in_mp3.dll in Winamp 5.21, 5.5, and 5.51 allow remote attackers to execute arbitrary code via a long (1) artist or (2) name tag in Ultravox streaming metadata, related to construction of stream titles.

Affected (3 ranges)

Vendor  | Product         | Version range | Fixed in
winamp  | nullsoft_winamp |               |
winamp  | nullsoft_winamp |               |
winamp  | nullsoft_winamp |               |

Detection & IOCs (extracted from sources)

  filename: in_mp3.dll
  other:    0x15010d3e
  bytes:    \x00\x01\x00\x01\x00\x01
  bytes:    \x5a\x00\x39\x01
  bytes:    \x81\xc4\xff\xef\xff\xff\x44
  • Detect overly long Ultravox streaming metadata artist or name tags delivered over HTTP; the exploit sends a malformed Ultravox frame beginning with bytes 5A 00 39 01 followed by a length field and oversized content.
  • Monitor for stack-pivot/stack-adjustment shellcode preamble 0x81 0xC4 0xFF 0xEF 0xFF 0xFF 0x44 prepended to payloads in HTTP streams targeting Winamp clients.
  • The exploit is served from an attacker-controlled HTTP server (default port 8080); alert on Winamp processes (winamp.exe) initiating HTTP connections to non-standard ports and loading in_mp3.dll while receiving unusually large metadata fields.
  • Bad characters filtered by the exploit encoder are: 0x00 0x09 0x0a 0x0d 0x20 0x22 0x25 0x26 0x27 0x2b 0x2f 0x3a 0x3c 0x3e 0x3f 0x40 — encoded payloads in Ultravox streams will avoid these bytes.
  • Return address 0x15010d3e is used to hijack execution in Winamp 5.24 via the in_mp3.dll overflow; presence of this value on the stack or in memory dumps is a strong indicator of exploitation.
  • The Metasploit module targets Winamp 5.24 specifically with a hardcoded return address; the CVE also covers versions 5.21, 5.5, and 5.51, so the same return address may not apply to those versions.
  • The exploit payload space is limited to 700 bytes; larger or complex shellcode will not fit without additional staging.
  • The exploit sets EXITFUNC to 'process', meaning successful exploitation terminates the Winamp process after payload execution, so forensic artifacts may be limited post-compromise.