CVE-2010-0480
published 2010-04-14

Priority: P1 78 | critical | 9.3 | CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 67.89% (99.2th percentile)

Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to execute arbitrary code via a crafted AVI file, aka "MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability."

Detection & IOCs (extracted from sources)

filename: l3codecx.ax
filename: CVE-2010-0480.avi
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15096.zip
version: l3codeca.acm 1-9-0-306
other: Ret => 0x72000000 (.NET DLL mapped base address for shellcode)
bytes: \x00\xff\xff\xff (nSamplesPerSecField at offset 4428 in AVI)
bytes: 73 74 72 66 (strf chunk marker)
bytes: 93 00 00 00 (MPEG Layer-3 codec identifier at distance:8 within:4 of strf)
snort
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, cve CVE_2010_0480, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26;)
bytes
\xEB\x6B\x5A\x31\xC9\x6A\x10\x52\x42\x52\x51\xFF\xD0\x53\x68\x7E\xD8\xE2\x73\xFF\xD6\x6A\x00\xFF\xD0\xFF\xD7\x50\x68\xA8\xA2\x4D\xBC\xFF\xD6 (shellcode stub)
  • Detect crafted AVI files delivered over HTTP by matching the RIFF/AVI strf chunk (|73 74 72 66|) followed at distance 8 by the MPEG Layer-3 codec tag |93 00 00 00|; the Emerging Threats flowbit ET.AVI.RIFF.Chunk must be set first.
  • The exploit patches the nSamplesPerSecField in the AVI stream header at file offset 4428 with the value \x00\xff\xff\xff to trigger the division-by-zero / overflow condition; AVI files with this value at that field offset should be flagged.
  • The vulnerable component is l3codeca.acm version 1.9.0.306; presence of this file version on a host indicates an unpatched system susceptible to CVE-2010-0480.
  • The .NET DLL memory-mapping technique loads shellcode at base address 0x72000000; memory forensics or crash dumps showing EIP/shellcode near this address are indicative of exploitation.
  • On IE 8 targets the malicious URL must be in the browser's Trusted Sites zone for the .NET control to load; exploitation will silently fail against IE 8 without this precondition.
  • The overflow only overwrites the three least-significant bytes of the saved EIP with 0x00; standard ROP/ret2libc techniques do not apply, so exploitation relies on the .NET DLL memory-mapping technique to place shellcode at a predictable address.
  • The Metasploit module requires .NET CLR to be installed on the target; without it the exploit will not function.
  • The shellcode embedded in exploit.dll must not exceed 735 bytes; the exploit generator will abort if this limit is exceeded.

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 9.3 CRITICAL