CVE-2011-5052
Published 2012-01-04
Priority: P3 (49) · medium · 6.8 CVSS 2.0 · AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public
EPSS: 30.07% (98.0th percentile)
Stack-based buffer overflow in CoCSoft Stream Down 6.8.0 allows remote web servers to execute arbitrary code via a long response to a download request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cocsoft | stream_down | — | — |
Detection & IOCs (extracted from sources)
Bytes: nseh = "\xeb\x06\x90\x90"
- Detect HTTP responses with a payload buffer of 16388 bytes of 'A' characters followed by the nSEH jump bytes \xeb\x06\x90\x90; this is the exact exploit buffer layout for CVE-2011-5052.
- The exploit triggers via a malicious HTTP server response (not a client request), so monitor outbound download connections from CoCSoft StreamDown 6.8.0 processes for oversized server responses.
- The SEH record at 0x10019448 is overwritten during exploitation; memory forensics or crash dumps showing EIP/SEH pointing to this address indicate active exploitation.
- Bad characters for payload encoding are \x00, \xff, and \x0a; payloads embedded in exploit traffic will not contain these bytes.
- The Metasploit module uses EXITFUNC=seh and auto-migrates the meterpreter process; post-exploitation process migration activity from StreamDown.exe is a strong indicator of compromise.
- The exploit was tested only against Windows XP SP3 and Windows 7 SP1; the hardcoded SEH gadget address (0x10019448) is version-specific and may not apply to other OS/patch combinations.
- When a Meterpreter reverse TCP payload is used, the target application does not crash, making crash-based detection ineffective for that payload type.
No detection rules found.
Exploit-DB
CoCSoft Stream Down 6.8.0 - Universal (Metasploit) · exploitdb · 2011-12-27
---

```ruby
##
# $Id: stream_down_BOF.rb 1 2011-12-18 $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'StreamDown Buffer over flow universal exploit',
      'Version'     => '$Revision: 1 $',
      'Description' => 'Stream Down Buffer Overflow universal exploit tested against win xp sp3 and win7 sp1. Also note that the program will not crash in case of meterpreter reverse tcp payload but a session will be opened',
      'Author'      => 'Fady Mohamed Osman',
      'References'  =>
        [
          ['URL', 'http://www.dark-masters.tk/']
        ],
      'Privil
```
Metasploit
CoCSoft StreamDown 6.8.0 Buffer Overflow · metasploit
Stream Down 6.8.0 SEH-based buffer overflow, triggered when processing the server response packet. During the overflow a structured exception handler is overwritten.
No writeups or analysis indexed.
References
- http://osvdb.org/78043
- http://secunia.com/advisories/47343
- http://www.exploit-db.com/exploits/18283
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72009