CVE-2010-2343
published 2010-06-21


Priority: P3 55 · Severity: critical · CVSS 2.0 base score: 9.3 · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: EXPLOIT
EPSS: 36.73% (98.3th percentile)
Stack-based buffer overflow in D.R. Software Audio Converter 8.1, 2007, and 8.05 allows remote attackers to execute arbitrary code via a crafted pls playlist file.

Affected (3 ranges)

Vendor     | Product          | Version range | Fixed in
dennisre   | audio_converter  |               |
dennisre   | audio_converter  |               |
dennisre   | audio_converter  |               |

Detection & IOCs (extracted from sources)

filename: poc.pls
filename: newaudio.pls
filename: easy.pls
filename: msf.pls
registry: audconv.dll 7.0.815.0
bytes: \xF1\x8E\x03\x10
bytes: \x70\x80\x08\x10
bytes: \x2F\x37\x01\x10
bytes: \x81\xc4\x54\xf2\xff\xff
bytes: \xeb\x06\x90\x90
bytes: \xEB\x06\xEB\x06
  • Trigger is a crafted .PLS playlist file with an overlong string (>1108 bytes for Easy CD-DA Recorder; >4432 bytes for Audio Converter 8.1) in a playlist entry that overwrites the SEH chain.
  • SEH overwrite occurs at offset 4432 bytes in Audio Converter 8.1; monitor for abnormally large .PLS files opened by audioconv/easycdda processes.
  • SEH overwrite occurs at offset 1108 bytes in Easy CD-DA Recorder 2007; the SEH handler is overwritten with a pop-pop-ret gadget from audconv.dll.
  • ROP chain uses gadgets exclusively from audconv.dll and easycdda.exe; presence of ROP gadget addresses from audconv.dll (base 0x10000000) on the stack is a strong indicator of exploitation.
  • Bad characters for payload encoding are 0x0a and 0x3d; encoded shellcode will not contain newline (0x0a) or equals-sign (0x3d) bytes.
  • The exploit appends a large block of junk (10000 bytes) after the SEH overwrite to generate the exception; .PLS files significantly larger than 14 KB targeting these applications are suspicious.
  • VirtualProtect() IAT address 0x0042a0e0 from easycdda.exe is used in the ROP chain for DEP bypass; look for this address value on the stack during exception handling in easycdda.exe.
  • The SEH pop-pop-ret gadget address differs between the two affected applications: 0x1008F1F1 (audioconv) vs 0x10088070 (audconv.dll in Easy CD-DA Recorder); detection rules targeting specific gadget addresses must account for both.
  • The Metasploit module targets only 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)' with a single target offset (1108); exploits against other OS/SP combinations may use different offsets and gadgets.
  • The ROP/WPM variant (EDB-13763) uses WriteProcessMemory (WPM) at 0x7C80221 for DEP bypass instead of VirtualProtect, so DEP-bypass detection logic must cover both WPM and VirtualProtect ROP chains.
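A defensive file check that applies the indicators above (playlist entry length past the 1108/4432-byte SEH offsets, file size over 14 KB, and the listed gadget byte sequences) to a .pls body, as an added example that is not code from this CVE record or any of its cited sources; the FileN/TitleN/LengthN key pattern, the constructed sample playlists and the scan_pls function name are assumptions.

```python
import re

# Thresholds and byte signatures are the ones listed in the indicators above.
SEH_OFFSETS = {"Easy CD-DA Recorder 2007": 1108, "Audio Converter 8.1": 4432}
SUSPICIOUS_FILE_SIZE = 14 * 1024
GADGET_SIGNATURES = {
    "pop-pop-ret 0x10088070 (audconv.dll, little-endian)": b"\x70\x80\x08\x10",
    "pop-pop-ret candidate 0x10038EF1 (little-endian)": b"\xF1\x8E\x03\x10",
    "stack adjust add esp,imm32": b"\x81\xc4\x54\xf2\xff\xff",
    "short jmp +6 followed by nops": b"\xeb\x06\x90\x90",
    "short jmp +6 repeated": b"\xEB\x06\xEB\x06",
}
# Assumed PLS entry layout: FileN=, TitleN=, LengthN= (one entry per line).
ENTRY_RE = re.compile(rb"^(File|Title|Length)(\d+)=(.*)$")


def scan_pls(data: bytes) -> list[str]:
    """Return findings for one .pls file body; an empty list means nothing matched."""
    findings = []
    if len(data) > SUSPICIOUS_FILE_SIZE:
        findings.append(f"file size {len(data)} B exceeds {SUSPICIOUS_FILE_SIZE} B")
    for label, sig in GADGET_SIGNATURES.items():
        if sig in data:
            findings.append(f"byte signature present: {label}")
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        m = ENTRY_RE.match(raw.rstrip(b"\r"))
        if not m:
            continue
        key = (m.group(1) + m.group(2)).decode()
        value_len = len(m.group(3))
        # Report every SEH offset the entry exceeds, smallest offset first.
        for app, offset in sorted(SEH_OFFSETS.items(), key=lambda kv: kv[1]):
            if value_len > offset:
                findings.append(
                    f"line {lineno}: {key} is {value_len} B, past the {offset} B "
                    f"SEH offset for {app}"
                )
    return findings


# Constructed samples: an ordinary one-entry playlist and one with an overlong File1.
BENIGN_PLS = b"[playlist]\r\nFile1=song.mp3\r\nTitle1=Song\r\nLength1=180\r\nNumberOfEntries=1\r\n"
OVERLONG_PLS = b"[playlist]\r\nFile1=" + b"A" * 1200 + b"\r\nNumberOfEntries=1\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLS), ("overlong", OVERLONG_PLS)):
        print(name, scan_pls(sample) or ["clean"])
```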