CVE-2008-3008
published 2008-09-11

Priority: P2 (72) · Severity: critical · CVSS 2.0 base score: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 54.55% (98.9th percentile)
Stack-based buffer overflow in the WMEncProfileManager ActiveX control in wmex.dll in Microsoft Windows Media Encoder 9 Series allows remote attackers to execute arbitrary code via a long first argument to the GetDetailsString method, aka "Windows Media Encoder Buffer Overrun Vulnerability."

Affected (2 ranges)

Vendor      Product                  Version range   Fixed in
microsoft   windows-nt
microsoft   windows_media_encoder

Detection & IOCs (extracted from sources)

  • filename: wmex.dll
  • other: 0x0C0C0C0C
  • command: GetDetailsString()
  • bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949%u4949%u4949%u4949%u4949%u5a51
  • bytes: %u06EB%u9090
  • bytes: %u6950%u74C9
  • Monitor for ActiveX instantiation of the WMEncProfileManager control (wmex.dll) from a browser process, particularly when the GetDetailsString() method is called with an unusually long string argument.
  • The exploit uses a heap-spray technique targeting return address 0x0C0C0C0C; detect large JavaScript heap allocations combined with NOP sleds (%u9090) in browser memory when wmex.dll is loaded.
  • Detect HTML pages embedding the WMEncProfileManager ActiveX CLSID via an <object> tag combined with JavaScript calling GetDetailsString() with a long argument string.
  • The Metasploit module sets EXITFUNC to 'process' and uses a payload space of 1024 bytes with null byte as the only bad character; network signatures should look for unescape() shellcode patterns in HTTP responses serving HTML exploiting wmex.dll.
  • Exploit only reliably targets Windows XP SP2/SP3 with IE 6.0 SP0-SP2; the hardcoded heap-spray return address 0x0C0C0C0C is specific to this platform/browser combination and will not work on other targets.
  • The Metasploit module's autofilter returns false, meaning it will not automatically be selected by the browser autopwn framework; manual targeting is required.
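The detection bullets above amount to a content signature: an ActiveX <object> plus a GetDetailsString() call with a long argument, with %u-encoded unescape() data and the 0x0C0C0C0C/%u9090 spray pattern as supporting indicators. The scanner below is an added illustration of that logic, not a rule from the page's sources or from VulnCheck; the CLSID is a placeholder and the 256-byte length threshold is an assumption.

```python
import re

# Heuristic scanner for the HTML/JS indicators the page lists for CVE-2008-3008.
# Added illustration, not a vendor signature. PLACEHOLDER_CLSID is not the
# control's real CLSID; LONG_ARG is an assumed threshold.
PLACEHOLDER_CLSID = "00000000-0000-0000-0000-000000000000"
LONG_ARG = 256

# GetDetailsString( ... ) with the argument list captured (one nesting level).
CALL_RE = re.compile(r"GetDetailsString\s*\(((?:[^()]|\([^()]*\))*)\)")
# Runs of %uXXXX escapes, the form unescape()-delivered shellcode takes.
UESC_RE = re.compile(r"(?:%u[0-9A-Fa-f]{4}){4,}")
# Heap-spray return address and NOP sled noted on the page.
SPRAY_RE = re.compile(r"0x0C0C0C0C|%u0C0C|%u9090", re.I)

def arg_length(args: str) -> int:
    """Estimate how long a string the call's argument expression builds.
    Understands Array(n).join("x"), "x".repeat(n) and plain literals; anything
    else is scored 0, so this under-reports rather than over-reports."""
    m = re.search(r'Array\((\d+)\)\.join\(["\'](.*?)["\']\)', args)
    if m:
        return (int(m.group(1)) - 1) * len(m.group(2))
    m = re.search(r'["\'](.*?)["\']\.repeat\((\d+)\)', args)
    if m:
        return len(m.group(1)) * int(m.group(2))
    m = re.match(r'\s*["\']([^"\']*)["\']', args)
    return len(m.group(1)) if m else 0

def scan(html: str) -> dict:
    """Return which indicators fired plus an overall verdict."""
    hits = {
        "control": bool(re.search(r"WMEncProfileManager|wmex\.dll", html, re.I)),
        "object_tag": bool(re.search(r"<object[^>]+classid", html, re.I)),
        "long_call": any(arg_length(a) >= LONG_ARG for a in CALL_RE.findall(html)),
        "unescape_shellcode": bool(re.search(r"unescape\s*\(", html) and UESC_RE.search(html)),
        "heap_spray": bool(SPRAY_RE.search(html)),
    }
    # Core condition: a long GetDetailsString call on an ActiveX object; the
    # shellcode and spray indicators raise confidence but are not required.
    hits["suspicious"] = hits["long_call"] and (hits["control"] or hits["object_tag"])
    return hits

# Constructed samples (not captured traffic): a benign page and one carrying
# the indicators above with no real shellcode.
BENIGN = '<html><script>document.title = "hello";</script></html>'
SUSPECT = ('<object classid="clsid:' + PLACEHOLDER_CLSID + '" id="enc"></object>'
           '<script>var sled = unescape("%u9090%u9090%u0C0C%u0C0C");'
           'enc.GetDetailsString(Array(2001).join("A"), "x");</script>')
```

Because the length estimate ignores string construction it does not recognise, obfuscated pages will score low on long_call; pair this with the process-level check in the first bullet rather than relying on content inspection alone.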

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             9.3     CRITICAL