CVE-2011-5002
published 2011-12-25


Priority: P3 (57) · CVSS 2.0: 10 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public
EPSS: 7.61% (93.8th percentile)
Multiple stack-based buffer overflows in Final Draft 8 before 8.02 allow remote attackers to execute arbitrary code via a .fdx or .fdxt file with long (1) Word, (2) Transition, (3) Location, (4) Extension, (5) SceneIntro, (6) TimeOfDay, and (7) Character elements.

Affected (3 ranges)

Vendor     | Product    | Version range | Fixed in
finaldraft | finaldraft | <= 8.01       | 8.02
finaldraft | finaldraft | -             | -
finaldraft | finaldraft | -             | -

Detection & IOCs

SEH overwrite: nseh=\x49\x39\x22\x77, seh=\x77\x72\x78 (null terminated)
Buffer pattern: 0x40 * 7756 bytes + payload + 0x41 * (2268 - payload_length) + nseh + seh
  • The exploit uses AlphanumMixed encoder with EAX as the BufferRegister; look for alphanumeric shellcode blobs embedded inside .fdx XML fields.
  • The SEH overwrite uses the fixed byte sequence \x77\x72\x78 (null-terminated) for the SE handler and \x49\x39\x22\x77 for the nSEH pointer; scanning .fdx files for these byte sequences is a reliable indicator of exploitation.
  • The vulnerable field that accepts mixed-case characters (required for AlphanumMixed encoding) is the primary delivery vector; inspect that specific XML element for anomalously long content.
  • The Metasploit module targets Windows only; the payload space is limited to 1024 bytes and null bytes (\x00) are bad characters, constraining usable shellcode.
  • The SEH overwrite offsets (7756 bytes of \x40 padding before the payload, 2268 bytes of \x41 padding after) are specific to the 'Default' target and may not apply to all Final Draft 8 installations or OS/patch combinations.
  • CVE-2011-5002 and CVE-2011-5059 are distinct vulnerabilities in Final Draft 8 (different vulnerable elements), both fixed in version 8.02.
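As an added defender-side example (not from this database or from Final Draft), the checks above can be folded into a small triage scanner for incoming .fdx files: it flags the nSEH+SEH byte sequence quoted here, long runs of the 0x40/0x41 padding, and oversized values in the seven element names the CVE text lists. The .fdx element nesting in the constructed samples and the 512-byte length threshold are assumptions, not part of the original entry.

```python
import re
import xml.etree.ElementTree as ET

# Element names the CVE description lists as overflow sinks.
VULNERABLE_ELEMENTS = {"Word", "Transition", "Location", "Extension",
                       "SceneIntro", "TimeOfDay", "Character"}
# Assumed threshold: real values in these fields are short; the exploit
# pattern on this page pads thousands of bytes, so 512 is a safe cut-off.
MAX_FIELD_LEN = 512
# nSEH bytes followed by SEH bytes, in the order given in the buffer pattern.
SEH_SIGNATURE = b"\x49\x39\x22\x77\x77\x72\x78"
# Long runs of the 0x40 ('@') / 0x41 ('A') padding are a second indicator.
PADDING_RUN = re.compile(rb"[\x40\x41]{1024,}")

def scan_fdx(data: bytes) -> list:
    """Return a list of indicator tags found in one .fdx file (empty = clean)."""
    findings = []
    if SEH_SIGNATURE in data:
        findings.append("seh-signature")
    if PADDING_RUN.search(data):
        findings.append("padding-run")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A null-terminated SEH record or raw shellcode breaks well-formedness.
        findings.append("xml-parse-error")
        return findings
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # drop any namespace prefix
        if tag not in VULNERABLE_ELEMENTS:
            continue
        for value in [el.text or ""] + list(el.attrib.values()):
            if len(value) > MAX_FIELD_LEN:
                findings.append(f"long-{tag}:{len(value)}")
    return findings

# Constructed samples (element layout is assumed, not a real Final Draft file).
BENIGN_FDX = (b'<FinalDraft><Content><Paragraph><Location>INT. OFFICE</Location>'
              b'<TimeOfDay>DAY</TimeOfDay></Paragraph></Content></FinalDraft>')
OVERSIZED_FDX = (b'<FinalDraft><Content><Location>' + b"\x40" * 7756 +
                 b'</Location></Content></FinalDraft>')
SEH_FDX = (b'<FinalDraft><Content><Character>' + SEH_SIGNATURE + b"\x00" +
           b'</Character></Content></FinalDraft>')

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_FDX), ("oversized", OVERSIZED_FDX),
                       ("seh", SEH_FDX)):
        print(name, scan_fdx(blob))
```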