CVE-2011-5002
Published 2011-12-25
Priority: P3 57 · Severity: critical 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 7.61% (93.8th percentile)
Multiple stack-based buffer overflows in Final Draft 8 before 8.02 allow remote attackers to execute arbitrary code via a .fdx or .fdxt file with long (1) Word, (2) Transition, (3) Location, (4) Extension, (5) SceneIntro, (6) TimeOfDay, and (7) Character elements.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| finaldraft | finaldraft | <= 8.01 | — |
| finaldraft | finaldraft | — | — |
| finaldraft | finaldraft | — | — |
Detection & IOCs (extracted from sources)
- SEH overwrite: nseh=\x49\x39\x22\x77, seh=\x77\x72\x78 (null terminated)
- Buffer pattern: 0x40 * 7756 bytes + payload + 0x41 * (2268 - payload_length) + nseh + seh
- The exploit uses AlphanumMixed encoder with EAX as the BufferRegister; look for alphanumeric shellcode blobs embedded inside .fdx XML fields.
- The SEH overwrite uses the fixed byte sequence \x77\x72\x78 (null-terminated) for the SE handler and \x49\x39\x22\x77 for the nSEH pointer; scanning .fdx files for these byte sequences is a reliable indicator of exploitation.
- The vulnerable field that accepts mixed-case characters (required for AlphanumMixed encoding) is the primary delivery vector; inspect that specific XML element for anomalously long content.
- The Metasploit module targets Windows only; the payload space is limited to 1024 bytes and null bytes (\x00) are bad characters, constraining usable shellcode.
- The SEH overwrite offsets (7756 bytes of \x40 padding before payload, 2268 bytes of \x41 padding after) are specific to the 'Default' target and may not apply to all Final Draft 8 installations or OS/patch combinations.
- CVE-2011-5002 and CVE-2011-5059 are distinct vulnerabilities in Final Draft 8 (different vulnerable elements), both fixed in version 8.02.
GHSA advisories
GHSA-fx4x-ppc2-pxxf (unreviewed, 2022-05-17): CVE-2011-5002 [HIGH], CWE-119
Multiple stack-based buffer overflows in Final Draft 8 before 8.02 allow remote attackers to execute arbitrary code via a .fdx or .fdxt file with long (1) Word, (2) Transition, (3) Location, (4) Extension, (5) SceneIntro, (6) TimeOfDay, and (7) Character elements.
GHSA-96xj-mp8p-wcfp (unreviewed, 2022-05-17, CVSS 10.0): CVE-2011-5059 [CRITICAL], CWE-119
Stack-based buffer overflow in Final Draft 8 before 8.02 allows remote attackers to execute arbitrary code via a crafted SmartType element, a different vulnerability than CVE-2011-5002. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
No detection rules found.
No writeups or analysis indexed.
References
- http://osvdb.org/77454
- http://secunia.com/advisories/47044
- http://www.exploit-db.com/exploits/18184
- http://www.security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf
- http://www.securityfocus.com/bid/50850