CVE-2008-5036
published 2008-11-10

Priority: P353 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 41.44% (98.5th percentile)
Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.

Affected

41 ranges (25 listed on the source page)

Vendor   | Product          | Version range              | Fixed in
debian   | vlc              | < vlc 1.0.3-1 (bookworm)   | vlc 1.0.3-1 (bookworm)
debian   | vlc              | < vlc 0.8.6.h-5 (bookworm) | vlc 0.8.6.h-5 (bookworm)
videolan | vlc_media_player | (version range not shown)  | (not shown)

Detection & IOCs (extracted from sources)

filename: .rt
filename: msf.rt
registry: 0x7c9d30d7
other: 0x68f0cfad (jmp esp, libqt4_plugin.dll)
other: 0x695d5890 (WritableAddress, libqt4_plugin.dll .data)
path: modules/demux/subtitle.c
bytes: \x81\xc4\x54\xf2\xff\xff (add esp, -3500 stack adjustment prepended to payload)
  • The exploit generates two files: a benign-looking .mp4 lure and a malicious .rt subtitle file; both must be present in the same directory for exploitation.
  • Overflow is triggered inside ParseRealText in modules/demux/subtitle.c; monitor VLC process for stack corruption when parsing .rt files.
  • Bad characters for payload encoding are null byte, double-quote, and newline (\x00\x22\x0a); encoded shellcode in .rt files will avoid these bytes.
  • Stack adjustment stub \x81\xc4\x54\xf2\xff\xff (add esp, -3500) prepended to shellcode; presence in a .rt file is a strong exploit indicator.
  • Affected versions are VLC 0.9.x before 0.9.6; detection should flag VLC versions 0.9.0–0.9.5 parsing .rt subtitle files.
  • The RealText return address 0x68f0cfad (jmp esp in libqt4_plugin.dll) is specific to VLC 0.9.4 on Windows XP SP3 and Windows 7 SP1; different builds require different gadget addresses.
  • The standalone PoC uses 0x7c9d30d7 (jmp esp in shell32.dll), which is Windows XP SP3-specific; other OS versions require locating a different jmp esp gadget.
  • CVE-2008-5036 was split from CVE-2008-5032; CVE-2008-5032 covers the CUE/VCD cdrom.c overflow, while CVE-2008-5036 covers only the RealText subtitle ParseRealText overflow.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv           |         | 9.3   | CRITICAL |
vendor_debian |         | 9.3   | MEDIUM   |