CVE-2011-2595
published 2011-09-14


Priority: P2 62 critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 61.28% (99.0th percentile)
Multiple stack-based buffer overflows in ACDSee FotoSlate 4.0 Build 146 allow remote attackers to execute arbitrary code via a long id parameter in a (1) String or (2) Int tag in a FotoSlate Project (aka PLP) file.

Affected (1 range)

Vendor: acdsee · Product: fotoslate · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

other: 0x263a5b57
filename: msf.plp
other: ipwssl6.dll
  • Malicious PLP files exploit a long `id` parameter inside a `String` or `Int` XML tag; look for PLP files with an `id` attribute value exceeding 1812 bytes.
  • The exploit uses a SEH-based overflow with a pop/pop/ret gadget at 0x263a5b57 in ipwssl6.dll; monitor for FotoSlate loading ipwssl6.dll and execution redirecting to that address.
  • The exploit requires a total buffer length of 5000 bytes with an overflow offset of 1812 bytes; PLP files with `id` parameters of this length targeting FotoSlate 4.0 Build 146 are suspicious.
  • Bad characters for payload are null bytes and double-quotes; shellcode in malicious PLP files will not contain \x00 or \x22.
  • After SEH overwrite, approximately 9155 bytes of payload space are available; large shellcode buffers following the SEH record in a PLP file are indicative of exploitation.
  • The exploit targets only ACDSee FotoSlate 4.0 Build 146; the pop/pop/ret gadget address (0x263a5b57 in ipwssl6.dll) and offset (1812) are specific to this build and will not work against other versions.
  • The Metasploit module sets EXITFUNC to 'process' and disables the payload handler by default; deployed payloads will not call back to a handler unless reconfigured.
  • The exploit has been tested on Windows XP SP3, Windows Vista, and Windows 7 only; reliability on other platforms is unknown.
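A file-based check for the indicators listed above, added here as an example (it is not cvebase's code nor the Metasploit module): it flags String/Int tags whose id value exceeds the 1812-byte overflow offset and treats the presence of the 0x263a5b57 handler address (little-endian, as a 32-bit SEH overwrite stores it) as confirmation of this specific exploit. The two PLP inputs are constructed samples, not real project files.

```python
import re

# Values taken from the indicators above: the overflow begins 1812 bytes into the
# id value, and the SEH handler is overwritten with 0x263a5b57 from ipwssl6.dll.
OVERFLOW_OFFSET = 1812
GADGET_LE = (0x263a5b57).to_bytes(4, "little")  # byte order as stored on disk

# A regex rather than an XML parser: crafted PLP files may be malformed or
# truncated, and a strict parser would stop before reaching the attribute.
TAG_ID_RE = re.compile(
    rb'<\s*(String|Int)\b[^>]*?\bid\s*=\s*"([^"]*)"',
    re.IGNORECASE | re.DOTALL,
)


def scan_plp(data: bytes, threshold: int = OVERFLOW_OFFSET) -> list:
    """Return one finding per String/Int tag whose id value is oversized."""
    findings = []
    for m in TAG_ID_RE.finditer(data):
        tag, value = m.group(1).decode("ascii", "replace"), m.group(2)
        if len(value) <= threshold:
            continue
        findings.append({
            "tag": tag,
            "file_offset": m.start(),
            "id_length": len(value),
            "gadget_present": GADGET_LE in value,   # strongest CVE-2011-2595 signal
            "has_bad_chars": b"\x00" in value,      # a working payload avoids NUL
        })
    return findings


def verdict(data: bytes) -> str:
    findings = scan_plp(data)
    if not findings:
        return "clean"
    if any(f["gadget_present"] for f in findings):
        return "cve-2011-2595"
    return "suspicious"


# Constructed sample inputs (not real FotoSlate files).
BENIGN = b'<?xml version="1.0"?><Project><String id="title">Holiday</String></Project>'
# A 5000-byte id value with the gadget address past the 1812-byte offset; the
# rest is filler, not shellcode.
CRAFTED = (b'<?xml version="1.0"?><Project><String id="'
           + b"A" * OVERFLOW_OFFSET + b"BBBB" + GADGET_LE
           + b"C" * (5000 - OVERFLOW_OFFSET - 8) + b'">x</String></Project>')

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, verdict(blob), scan_plp(blob))
```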