CVE-2008-0065
Published 2008-01-22
Priority: P2 · 62
CVSS 2.0: score 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 61.27% (99.0th percentile)
Multiple stack-based buffer overflows in in_mp3.dll in Winamp 5.21, 5.5, and 5.51 allow remote attackers to execute arbitrary code via a long (1) artist or (2) name tag in Ultravox streaming metadata, related to construction of stream titles.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| winamp | nullsoft_winamp | — | — |
| winamp | nullsoft_winamp | — | — |
| winamp | nullsoft_winamp | — | — |
Detection & IOCs (extracted from sources)
Byte sequences:
- \x00\x01\x00\x01\x00\x01
- \x5a\x00\x39\x01
- \x81\xc4\xff\xef\xff\xff\x44
- Detect overly long Ultravox streaming metadata artist or name tags delivered over HTTP; the exploit sends a malformed Ultravox frame beginning with bytes 5A 00 39 01 followed by a length field and oversized content.
- Monitor for the stack-pivot/stack-adjustment shellcode preamble 0x81 0xC4 0xFF 0xEF 0xFF 0xFF 0x44 prepended to payloads in HTTP streams targeting Winamp clients.
- The exploit is served from an attacker-controlled HTTP server (default port 8080); alert on Winamp processes (winamp.exe) initiating HTTP connections to non-standard ports and loading in_mp3.dll while receiving unusually large metadata fields.
- Bad characters filtered by the exploit encoder are: 0x00 0x09 0x0a 0x0d 0x20 0x22 0x25 0x26 0x27 0x2b 0x2f 0x3a 0x3c 0x3e 0x3f 0x40; encoded payloads in Ultravox streams will avoid these bytes.
- Return address 0x15010d3e is used to hijack execution in Winamp 5.24 via the in_mp3.dll overflow; presence of this value on the stack or in memory dumps is a strong indicator of exploitation.
- The Metasploit module targets Winamp 5.24 specifically with a hardcoded return address; the CVE also covers versions 5.21, 5.5, and 5.51, so the same return address may not apply to those versions.
- The exploit payload space is limited to 700 bytes; larger or complex shellcode will not fit without additional staging.
- The exploit sets EXITFUNC to 'process', meaning successful exploitation terminates the Winamp process after payload execution, so forensic artifacts may be limited post-compromise.
No detection rules found.
Exploit-DB
Winamp Ultravox Streaming Metadata 'in_mp3.dll' - Remote Buffer Overflow (Metasploit) (exploitdb, 2010-05-09)
```ruby
##
# $Id: winamp_ultravox.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
  # (the lines between the class declaration and the module info hash are
  #  missing from the indexed excerpt; it resumes at the 'Name' entry)
      'Name'        => 'Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Winamp 5.24. By
        sending an overly long artist tag, a remote attacker may
        be able to execute arbitrary code. This vulnerability can be
        exploited from the browser or the winamp client itself.
      },
      'Author'      => 'MC',
      'License'     => MSF_LI
```
Metasploit
Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow
This module exploits a stack buffer overflow in Winamp 5.24. By sending an overly long artist tag, a remote attacker may be able to execute arbitrary code. This vulnerability can be exploited from the browser or the Winamp client itself.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/27865
- http://secunia.com/secunia_research/2008-2/advisory/
- http://www.securityfocus.com/bid/27344
- http://www.vupen.com/english/advisories/2008/0183
- http://www.winamp.com/player/version-history
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39778