CVE-2008-5664
published 2008-12-19


Priority: P258 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
Exploit: available
EPSS: 36.23% (98.3rd percentile)
Stack-based buffer overflow in Realtek Media Player (aka Realtek Sound Manager, RtlRack, or rtlrack.exe) 1.15.0.0 allows remote attackers to execute arbitrary code via a crafted playlist (PLA) file.

Affected (1 range)

Vendor   | Product              | Version range | Fixed in
realtek  | realtek_media_player |               |

Detection & IOCs (extracted from sources)

filename: rtlrack.exe
filename: exploit.pla
url: ftp://152.104.238.19/pc/audio/AP_A406.exe
url: ftp://202.65.194.212/pc/audio/AP_A406.exe
url: ftp://66.104.77.130/pc/audio/AP_A406.exe
ip: 152.104.238.19
ip: 202.65.194.212
ip: 66.104.77.130
other: 0x72d12899 (msacm32.drv 5.1.2600.0 RET address)
bytes: EIP = \xEB\xBA\x3F\x7E (call ESP from user32.dll)
  • Malicious payload is delivered via a crafted .PLA (playlist) file; monitor for rtlrack.exe opening PLA files from untrusted/remote sources.
  • Exploit buffer uses 220 bytes of 0x41 ('A') padding before EIP overwrite; look for anomalously large, repetitive-byte PLA file content.
  • EIP overwrite uses a 'call ESP' gadget from user32.dll at address 0x7E3FBAE8; presence of this return address in crash dumps or exploit traffic is a strong indicator.
  • Metasploit module uses rand_text_alpha_upper(200) as the overflow buffer and targets msacm32.drv RET 0x72d12899; network delivery via HTTP with Content-Type text/plain should be monitored.
  • Payload space is 550 bytes with null byte as only bad character; shellcode immediately follows NOP sled of 12 bytes after EIP overwrite.
  • Vulnerable application version is RtlRack A4.06 / rtlrack.exe 1.15.0.0; presence of this binary version on a host indicates an unpatched system.
  • The PoC EIP gadget (0x7E3FBAE8 / call ESP in user32.dll) and the Metasploit RET address (0x72d12899 in msacm32.drv) are version- and OS-specific; they apply only to Windows XP Pro with the exact DLL versions referenced.
  • The standalone PoC was tested only on Windows XP Pro SP3 Italian; reliability on other SP levels or locales is not confirmed.