CVE-2011-0499
published 2011-01-20


Priority: P355 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tags: EXPLOIT
EPSS: 31.05% (98.0th percentile)
Buffer overflow in VideoSpirit Pro 1.6.8.1 and possibly earlier versions, and VideoSpirit Lite 1.4.0.1 and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a VideoSpirit project (.visprj) file containing a valitem element with a long "name" attribute. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Affected (3 ranges)

  Vendor      Product            Version range   Fixed in
  verytools   videospirit_lite   <= 1.4.0.1      -
  verytools   videospirit_pro    <= 1.6.8.1      -
  verytools   videospirit_pro    -               -

Detection & IOCs (extracted from sources)

  • filename: msf.visprj
  • filename: xsploited.visprj
  • other: 0x1006CC10 (overlayplug.dll stackpivot)
  • other: 0x100B0B94 (overlayplug.dll pop/pop/ret)
  • bytes: \x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e
  • bytes: \xEB\x06\x90\x90 (short jmp + NOP sled SEH overwrite)
  • ROP chain and stack pivot rely entirely on overlayplug.dll (non-ASLR module); presence of overlayplug.dll ROP gadget addresses in memory or on-disk shellcode is a strong indicator of exploitation.
  • Exploit offset to EIP/ROP is 168 bytes; offset to ROP chain is 952 bytes within the malicious .visprj payload.
  • Exploit terminates via EXITFUNC=process; spawned process will not persist after payload execution.
  • The Metasploit module targets Windows XP/Vista/Win7 generically using a single non-ASLR module (overlayplug.dll) for DEP and ASLR bypass; the exploit does not work if overlayplug.dll is absent or updated.
  • Payload space is constrained to 800 bytes (0x320) to avoid marking the wrong page as RWX during VirtualProtect ROP chain execution.
  • The PoC exploit for v1.68 was tested only on Windows XP SP3 English; behavior on other OS versions or service packs is not confirmed.