cbcvebase.
CVE-2011-5052
published 2012-01-04

CVE-2011-5052: Stack-based buffer overflow in CoCSoft Stream Down 6.8.0 allows remote web servers to execute arbitrary code via a long response to a download request.

Priority: P3 49 · Severity: medium · CVSS 2.0 score: 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 30.07% (98.0th percentile)

Affected

1 ranges
Vendor     Product        Version range    Fixed in
cocsoft    stream_down

Detection & IOCs (extracted from sources)

version: CoCSoft Stream Down 6.8.0
other: SEH overwrite address: 0x10019448
bytes: nseh = "\xeb\x06\x90\x90"
  • Detect HTTP responses with a payload buffer of 16388 bytes of 'A' characters followed by the nSEH jump bytes \xeb\x06\x90\x90 — this is the exact exploit buffer layout for CVE-2011-5052.
  • The exploit triggers via a malicious HTTP server response (not a client request), so monitor outbound download connections from CoCSoft StreamDown 6.8.0 processes for oversized server responses.
  • The SEH record at 0x10019448 is overwritten during exploitation; memory forensics or crash dumps showing EIP/SEH pointing to this address indicate active exploitation.
  • Bad characters for payload encoding are \x00, \xff, and \x0a — payloads embedded in exploit traffic will not contain these bytes.
  • The Metasploit module uses EXITFUNC=seh and auto-migrates the meterpreter process; post-exploitation process migration activity from StreamDown.exe is a strong indicator of compromise.
  • The exploit was tested only against Windows XP SP3 and Windows 7 SP1; the hardcoded SEH gadget address (0x10019448) is version-specific and may not apply to other OS/patch combinations.
  • When a Meterpreter reverse TCP payload is used, the target application does not crash, making crash-based detection ineffective for that payload type.
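
The first detection bullet above as a runnable check (an added example, not code from this page or from any vendor): it scans raw HTTP response bytes for the nSEH bytes preceded by a long single-byte padding run, and generalizes beyond 'A' so that trivially altered padding still matches. The function name, the `min_pad` threshold parameter and the sample responses are assumptions constructed for illustration.

```python
NSEH = b"\xeb\x06\x90\x90"   # nSEH jump bytes quoted on this page
PAD_LEN = 16388              # padding length quoted on this page


def scan_response(data: bytes, min_pad: int = PAD_LEN) -> list:
    """Find each NSEH occurrence preceded by >= min_pad copies of one byte."""
    findings = []
    pos = data.find(NSEH)
    while pos != -1:
        if pos > 0:
            pad = data[pos - 1]
            start = pos
            while start > 0 and data[start - 1] == pad:
                start -= 1          # walk back over the padding run
            run = pos - start
            if run >= min_pad:
                findings.append({
                    "nseh_offset": pos,
                    "pad_byte": pad,
                    "pad_len": run,
                    # True only for the exact public layout: 16388 x 'A'
                    "exact_layout": pad == 0x41 and run == PAD_LEN,
                })
        pos = data.find(NSEH, pos + 1)
    return findings


# Constructed samples (not captured traffic); 0xCC bytes are an inert filler.
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
EXPLOIT_SHAPED = HDR + b"A" * PAD_LEN + NSEH + b"\xcc" * 8
VARIANT = HDR + b"B" * 20000 + NSEH + b"\xcc" * 8
BENIGN = HDR + b"MZ" + bytes(range(256)) * 64 + NSEH + b"rest of file"

if __name__ == "__main__":
    for name, sample in [("exploit-shaped", EXPLOIT_SHAPED),
                         ("variant", VARIANT), ("benign", BENIGN)]:
        print(name, scan_response(sample))
```

The four nSEH bytes alone can occur by chance in any binary download, which is why the benign sample produces no finding: the match requires the padding run in front of them.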