CVE-2010-5081
published 2011-12-25

CVE-2010-5081: Stack-based buffer overflow in Mini-Stream RM-MP3 Converter 3.1.2.1 allows remote attackers to execute arbitrary code via a long URL in a .pls file.

Priority: P353 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
Exploit: public exploit available
EPSS: 31.37% (98.1th percentile)

Affected

1 range

Vendor        Product            Version range   Fixed in
mini-stream   rm-mp3_converter   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: msf.pls
other:    0x100371f5
path:     MSRMfilter03.dll
command:  http:// + 17417 bytes junk + RET (call ESP in MSRMfilter03.dll) + 8 bytes padding + payload
bytes:    \xCF\xDA\x05\x10
bytes:    \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff
  • A malicious .pls file contains a URL field starting with 'http://' followed by roughly 17417 or more bytes of junk, triggering a stack buffer overflow in Mini-Stream RM-MP3 Converter 3.1.2.1.
  • Look for abnormally large URL entries (>17000 bytes) inside .pls playlist files as an indicator of an exploitation attempt.
  • The return address 0x100371f5 (call ESP) in MSRMfilter03.dll, placed at offset 17417 within the .pls URL field, is the exploit's pivot point; monitor for this value in memory or in file content.
  • An alternative RET address, 0x1005DACF (\xCF\xDA\x05\x10, jump to ESP in msrmfilter03.dll), is used in the universal PoC; scan .pls files for this byte sequence.
  • The payload uses the AlphanumUpper encoder with ECX as BufferRegister, so the encoded shellcode in the .pls URL is entirely uppercase alphanumeric; look for long runs of uppercase ASCII bytes after the RET address.
  • The PrependEncoder stub bytes EB 03 59 EB 05 E8 F8 FF FF FF appear immediately before the alphanumeric shellcode in Metasploit-generated payloads for this exploit.
  • The bad characters for this exploit are \x00, \x09 and \x0a (null, tab, newline); the absence of these bytes in an otherwise very long URL within a .pls file is consistent with crafted exploit content.
  • Two different RET addresses are used across PoCs for the same DLL (MSRMfilter03.dll): 0x100371f5 (Metasploit module) and 0x1005DACF (universal PoC by Madjix). Detection rules should cover both.
  • The Metasploit module uses an offset of 17417 bytes, while the universal PoC uses 17425 bytes of junk before the RET address; both target the same vulnerability but differ slightly in buffer layout.
  • The exploit is classified as local/fileformat (the victim must open a crafted .pls file); there is no network-based delivery vector inherent to the vulnerability itself.

CVSS provenance

nvd:           v2.0   9.3   CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat:        5.0   MEDIUM