CVE-2008-3008
Published 2008-09-11
Priority P2 · 72 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 54.55% (98.9th percentile)
Stack-based buffer overflow in the WMEncProfileManager ActiveX control in wmex.dll in Microsoft Windows Media Encoder 9 Series allows remote attackers to execute arbitrary code via a long first argument to the GetDetailsString method, aka "Windows Media Encoder Buffer Overrun Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows-nt | — | — |
| microsoft | windows_media_encoder | — | — |
Detection & IOCs (extracted from sources)
- bytes: %u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949%u4949%u4949%u4949%u4949%u5a51
- bytes: %u06EB%u9090
- bytes: %u6950%u74C9
- Monitor for ActiveX instantiation of the WMEncProfileManager control (wmex.dll) from a browser process, particularly when the GetDetailsString() method is called with an unusually long string argument.
- The exploit uses a heap-spray technique targeting return address 0x0C0C0C0C; detect large JavaScript heap allocations combined with NOP sleds (%u9090) in browser memory when wmex.dll is loaded.
- Detect HTML pages embedding the WMEncProfileManager ActiveX CLSID via an <object> tag combined with JavaScript calling GetDetailsString() with a long argument string.
- The Metasploit module sets EXITFUNC to 'process' and uses a payload space of 1024 bytes with null byte as the only bad character; network signatures should look for unescape() shellcode patterns in HTTP responses serving HTML exploiting wmex.dll.
- Exploit only reliably targets Windows XP SP2/SP3 with IE 6.0 SP0-SP2; the hardcoded heap-spray return address 0x0C0C0C0C is specific to this platform/browser combination and will not work on other targets.
- The Metasploit module's autofilter returns false, meaning it will not automatically be selected by the browser autopwn framework; manual targeting is required.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
GHSA
GHSA-p47x-r9f4-v8c6: Stack-based buffer overflow in the WMEncProfileManager ActiveX control in wmex
ghsa_unreviewed·2022-05-01
CVE-2008-3008 [HIGH] CWE-119
VulnCheck
Microsoft windows_media_encoder Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2008·CVSS 9.3
CVE-2008-3008 [CRITICAL]
Affected: Microsoft windows_media_encoder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
Microsoft Windows Media Encoder 9 - 'wmex.dll' ActiveX Buffer Overflow (MS08-053) (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: ms08_053_mediaencoder.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Windows Media Encoder 9. When
sending an overly long string to the GetDetailsString() method of wmex.dll
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC
Exploit-DB
Microsoft Windows Media Encoder (XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
exploitdb·2008-09-13
---
MS08-053 Windows Media Encoder wmex.dll ActiveX Control Buffer Overflow
Calc execution POC Exploit for WinXP SP2 PRO English / IE6.0 SP2
Found by : Nguyen Minh Duc and Le Manh Tung
Advisory : http://www.microsoft.com/technet/security/Bulletin/MS08-053.mspx
Exploit by : haluznik | haluznikgmail.com
09.10.2008
function poc() {
var shellcode = unescape(
Metasploit
Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Windows Media Encoder 9. When sending an overly long string to the GetDetailsString() method of wmex.dll an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://marc.info/?l=bugtraq&m=122235754013992&w=2
- http://www.kb.cert.org/vuls/id/996227
- http://www.securityfocus.com/bid/31065
- http://www.securitytracker.com/id?1020832
- http://www.us-cert.gov/cas/techalerts/TA08-253A.html
- http://www.vupen.com/english/advisories/2008/2521
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-053
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6018
- https://www.exploit-db.com/exploits/6454