CVE-2011-5165
published 2012-09-15

CVE-2011-5165: Stack-based buffer overflow in Free MP3 CD Ripper 1.1, 2.6 and earlier, when converting a file, allows user-assisted remote attackers to execute arbitrary code…

Priority: P346
Severity: critical (CVSS 2.0 base score 9.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit status: EXPLOIT (public exploit available)
EPSS: 37.00% (98.3rd percentile)
Stack-based buffer overflow in Free MP3 CD Ripper 1.1, 2.6 and earlier, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .wav file.

Affected (3 ranges)

Vendor        Product               Version range   Fixed in
cleanersoft   free_mp3_cd_ripper    <= 2.6          (none listed)
cleanersoft   free_mp3_cd_ripper    (not given)     (none listed)
cleanersoft   free_mp3_cd_ripper    (not given)     (none listed)

Detection & IOCs (extracted from sources)

filename: msf.wav
other: 0x66E42A79 (POP ESI in ogg.dll — SEH overwrite target)
other: 0x1001860b (p/p/r in libFLAC.dll — SEH overwrite target, Windows XP SP3 EN)
other: 0x76cafa32 (JMP ESP in imagehlp.dll)
other: 0x7C9D30D7 (EIP overwrite target — OS file, limited to XP targets)
bytes: 41 x 4116 bytes (offset to SEH) + EB 06 FF FF (nSEH short jump) + 79 2A E4 66 (SEH: POP ESI ogg.dll @ 0x66E42A79)
bytes: 41 x 4112 bytes + 32 FA CA 76 (JMP ESP imagehlp) + 90 x 10 + shellcode
bytes: 41 x 4112 bytes + D7 30 9D 7C (EIP 0x7C9D30D7) + 90 x 3 + shellcode
bytes: 41 x 4112 bytes + DC 3A B4 76 (RET) + 90 x 15 + shellcode
  • Trigger condition: crafted .wav file opened via the application's 'wav to mp3' converter function causes a stack-based buffer overflow at offset 4112–4116 bytes into the file, overwriting the return address or SEH chain.
  • SEH-based exploitation variant: look for .wav files where bytes 4116–4119 contain a short jump (EB 06 FF FF) followed by a 4-byte SEH handler address — more reliable across Windows 7 and 8 targets than vanilla EIP overwrite.
  • Vanilla EIP overwrite variant: .wav files with 4112 bytes of padding ('A'/0x41) followed by a 4-byte JMP ESP gadget address and NOP sled — targets Windows XP SP2/SP3.
  • Malicious .wav files exploiting this CVE will not conform to valid WAV RIFF chunk structure — the file content is raw binary padding followed by exploit bytes rather than a valid audio container.
  • Bad characters for payload encoding in this vulnerability are \x00, \x0a, \x0d, \x20 — payloads in malicious .wav files should not contain these bytes.
  • The exploited modules are ogg.dll (POP ESI gadget) and libFLAC.dll (POP/POP/RET gadget) loaded by Free MP3 CD Ripper — monitor for abnormal execution originating from these DLLs.
  • The 0x7C9D30D7 EIP gadget is OS-specific and does not work on Windows 7; the SEH-based exploit using ogg.dll (0x66E42A79) is required for Windows 7 and 8 targets.
  • The Metasploit module target (0x1001860b p/p/r in libFLAC.dll) is specific to Windows XP SP3 English; no other OS targets are defined in that module.
  • The vanilla EIP overwrite PoC (0x76cafa32 JMP ESP in imagehlp.dll) was tested only on Windows XP SP2 and may not be reliable on other OS versions.