CVE-2011-0500
published 2011-01-20

CVE-2011-0500: Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and VideoSpirit Lite 1.4.0.1 and possibly other versions; allows user-assisted remote attackers…

Priority: P3 (53), critical
CVSS 2.0 score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 30.71% (98.0th percentile)
Buffer overflow in VideoSpirit Pro 1.6.8.1, 1.68, and earlier; and VideoSpirit Lite 1.4.0.1 and possibly other versions; allows user-assisted remote attackers to execute arbitrary code via a VideoSpirit project (.visprj) file containing a valitem element with a long "value" attribute, as demonstrated using a valitem with the mp3 name.

Affected (3 ranges)

Vendor     | Product          | Version range | Fixed in
verytools  | videospirit_lite |               |
verytools  | videospirit_pro  | <= 1.68       |
verytools  | videospirit_pro  |               |

Detection & IOCs (extracted from sources)

filename: msf.visprj
filename: xsploited.visprj
other: 0x1006CC10
other: 0x100B0B94
  • Exploit uses ROP gadgets exclusively from OverlayPlug.dll (a non-ASLR module) to bypass DEP and ASLR; presence of OverlayPlug.dll ROP chain addresses in a .visprj file is a strong indicator of exploitation
  • Payload offset to EIP control is 168 bytes; offset to ROP chain is 952 bytes within the malicious .visprj value attribute
  • Bad characters to filter/detect in payload within .visprj files: null byte, line feed, and XML-special characters indicating crafted bypass
  • Exploit sets EXITFUNC to 'process', meaning the spawned process will terminate after shellcode execution; monitor for VideoSpirit process spawning unexpected child processes
  • The Metasploit module targets a single generic target covering XP, Vista, and Windows 7 using OverlayPlug.dll ROP gadgets; the PoC exploit (exploit-db 15936) targets only Windows XP SP3 English with a different return address (SEH p/p/r in overlayplug.dll)
  • Payload space is limited to 800 bytes (0x320) to avoid marking the wrong page as RWX during VirtualProtect ROP; larger shellcode requires adjusting the ROP size gadget at 0x10101330

CVSS provenance

nvd: CVSS v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 7.8 HIGH