CVE-2010-5299
published 2014-05-23

CVE-2010-5299: Stack-based buffer overflow in MicroP 0.1.1.1600 allows remote attackers to execute arbitrary code via a crafted .mppl file. NOTE: it has been reported that…

Priority: P3 (50, medium)
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 33.58% (98.2nd percentile)
Stack-based buffer overflow in MicroP 0.1.1.1600 allows remote attackers to execute arbitrary code via a crafted .mppl file. NOTE: it has been reported that the overflow is in the lpFileName parameter of the CreateFileA function, but the overflow is probably caused by a separate, unnamed function.

Affected (1 range)

Vendor: microp_project
Product: microp
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

filename: msf.mppl
filename: exploit.mppl
filename: baba.mppl
other: 0x100145b5 (jmp eax in bass.dll)
other: 0x10022b63 (call eax from base.dll)
other: 0x100145B5 (jmp eax, bass.dll)
  • Malicious .mppl files trigger a stack-based buffer overflow at EIP offset 1276 (Metasploit module) or ~1163–1132 bytes (PoC exploits); detect anomalously large .mppl files or .mppl files containing high-entropy shellcode followed by a RET address.
  • The exploit overwrites the lpFileName parameter of CreateFileA(); monitor for CreateFileA calls where the filename buffer originates from a .mppl file parse and is abnormally long.
  • ROP/return gadget 0x100145B5 (jmp eax) in bass.dll is used as the EIP overwrite target across multiple exploits; flag execution transfers to this address from MicroP's process space.
  • Bad characters for payload encoding are \x00, \x0a, \x0d; shellcode in malicious .mppl files will not contain null bytes, newlines, or carriage returns.
  • The x86/shikata_ga_nai encoder is used on the shellcode payload embedded in the .mppl file; scan .mppl file content for shikata_ga_nai decoder stubs.
  • The overflow offset varies across exploit implementations (1276 in the Metasploit module vs. ~1132–1163 in the standalone PoCs), suggesting slight differences in environment or build; detection rules should account for a range of offsets.
  • Two different RET gadget addresses are used across exploits (0x100145B5 in bass.dll vs. 0x10022b63 in base.dll), indicating the gadget selection is environment-dependent; both should be monitored.
  • The NVD advisory notes the overflow is probably caused by a separate, unnamed function rather than directly in CreateFileA's lpFileName parameter; root-cause tracing should not stop at CreateFileA.
  • The exploit is classified as local/file-format (requires the victim to open a crafted .mppl file); it is not a network-reachable vulnerability despite the NVD 'remote attackers' wording.