CVE-2010-1681
published 2010-05-06

Priority: P2, 60, high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 67.31% (99.2th percentile)

Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office Visio allows user-assisted remote attackers to execute arbitrary code via a crafted DXF file, a different vulnerability than CVE-2010-0254 and CVE-2010-0256.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | visio | |
microsoft | visio | |
microsoft | visio | |

Detection & IOCs (extracted from sources)

filename: VISIODWG.DLL
other: RET 0x6173345c (push esp, ret from VISIODWG.DLL), Visio 2002 English on Windows XP SP3 Spanish
other: RET 0x60455F6B (push esp, ret from VISLIB.DLL), Visio 2002 English on Windows XP SP3 English
bytes: |0A 45 4E 44 53 45 43|
snort:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3;)
bytes: \xeb\x20\x90\x90
bytes: \x81\xc4\x48\xf4\xff\xff
  • The overflow is triggered during parsing of the HEADER section of a DXF file, specifically around the $ACADMAINTVER field. Monitor for Visio opening DXF files via Insert -> CAD Drawing with oversized HEADER section content.
  • Malicious DXF files exploit the $ACADMAINTVER header field with oversized data (offset 0x50 to EIP). Inspect DXF files for abnormally long $ACADMAINTVER values.
  • The Snort/ET rule uses flowbit DXF.Ext.Access to track DXF file downloads over HTTP; pair this flowbit with the ENDSEC byte signature (0A 45 4E 44 53 45 43) and a byte_test for values >0x81 to detect exploit delivery.
  • Payload encoder uses ECX as BufferRegister with alphanumeric-only charset; look for alphanumeric shellcode blobs immediately following the $ACADMAINTVER overflow padding in DXF HEADER sections.
  • Stack pivot sequence: push esp / pop ecx (0x54 0x59) followed by a sub instruction to adjust ECX to point to shellcode. Detect this byte pattern in DXF file content.
  • The exploit targets only Microsoft Office Visio 2002 (VISIO.EXE v10.0.525.4 / VISIODWG.DLL v10.0.525.4); versions patched by MS10-028 (VISIODWG.DLL >= 10.0.6880.4) are not vulnerable.
  • Payload space is limited to 2000 bytes and must be alphanumeric-only (all other bytes are bad chars), which constrains the shellcode that can be delivered.
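
One way to apply the "inspect DXF files for abnormally long $ACADMAINTVER values" check at a mail or web gateway, as an added example that is not taken from the sources above. It assumes an ASCII DXF in which $ACADMAINTVER is followed by a group code line and a short integer value; scan_dxf, MAX_INT_DIGITS and the sample files are constructed for illustration.

```python
import re

EIP_OFFSET = 0x50       # from the page: oversized data reaches EIP at offset 0x50
MAX_INT_DIGITS = 16     # assumption: group code and value are short integers
FIELD = b"$ACADMAINTVER"
INT_RE = re.compile(rb"-?\d{1,%d}" % MAX_INT_DIGITS)

def scan_dxf(data: bytes):
    """Return (line_no, reason, length) findings for $ACADMAINTVER in HEADER."""
    lines = [ln.strip() for ln in data.splitlines()]
    findings, in_header = [], False
    for i in range(1, len(lines)):
        prev, cur = lines[i - 1], lines[i]
        if prev == b"2" and cur == b"HEADER":
            in_header = True
        elif prev == b"0" and cur == b"ENDSEC":
            in_header = False
        elif in_header and prev == b"9" and cur.startswith(FIELD):
            # Extra bytes glued to the variable name are not valid DXF.
            if cur != FIELD:
                findings.append((i + 1, "data appended to field name", len(cur)))
            # The next two lines should be a group code and an integer value.
            for j in (i + 1, i + 2):
                text = lines[j] if j < len(lines) else b""
                if not INT_RE.fullmatch(text):
                    reason = "oversized" if len(text) >= EIP_OFFSET else "non-integer"
                    findings.append((j + 1, reason, len(text)))
    return findings

def make_sample(name: bytes, value: bytes) -> bytes:
    """Build a minimal constructed DXF HEADER section for testing the scanner."""
    return b"\n".join([b"0", b"SECTION", b"2", b"HEADER",
                       b"9", b"$ACADVER", b"1", b"AC1009",
                       b"9", name, b"70", value,
                       b"0", b"ENDSEC", b"0", b"EOF", b""])

# Constructed samples: a well-formed header and three malformed variants.
BENIGN = make_sample(FIELD, b"6")
LONG_VALUE = make_sample(FIELD, b"A" * 200)
SHORT_JUNK = make_sample(FIELD, b"6x")
LONG_NAME = make_sample(FIELD + b"B" * 100, b"6")

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("long value", LONG_VALUE),
                          ("short junk", SHORT_JUNK), ("long name", LONG_NAME)]:
        print(label, scan_dxf(sample))
```

The scanner walks lines rather than strict code/value pairs, so a file whose pairing has been shifted by a stray line is still inspected.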