cbcvebase.
CVE-2011-5162
published 2012-09-15

Priority: P346 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 6.85% (93.2nd percentile)
Stack-based buffer overflow in GOM Player 2.1.33.5071 allows user-assisted remote attackers to execute arbitrary code via a .ASX file with a long URI in the "ref href" tag. NOTE: this issue exists because of a CVE-2007-0707 regression.

Affected

1 range

Vendor   Product      Version range   Fixed in
gomlab   gom_player   -               -

Detection & IOCs (extracted from sources)

version: GOM Player 2.1.33.5071
filename: LIST.asx
  • Trigger condition is a .ASX file containing a long URI value within a 'ref href' tag; monitor file-open events in GOM Player for .ASX files with oversized href attributes.
  • The exploit uses a Unicode-safe (venetian) shellcode encoding pattern beginning with 'PPYAIAIAIAIA'; scan .ASX file content for this byte sequence as a malicious payload indicator.
  • Buffer size of 2046 characters in the href URI triggers the stack overflow; alert on .ASX files where any single attribute value exceeds ~2000 characters.
  • The crafted file is delivered as a .ASX playlist; inspect files with .ASX extension opened by GOM Player (GOM.exe) for anomalously large ref href values.
  • This vulnerability is a regression of CVE-2007-0707, meaning the same class of .ASX ref href overflow was previously patched and reintroduced; detection rules for CVE-2007-0707 may also apply here.
  • The exploit was tested only on Windows XP SP2; behaviour on later Windows versions (with ASLR/DEP) may differ and the provided shellcode may not execute reliably.