cbcvebase.
CVE-2011-5170
published 2012-09-15

CVE-2011-5170: Stack-based buffer overflow in Castillo Bueno Systems CCMPlayer 1.5 allows remote attackers to execute arbitrary code via a long track name in an m3u playlist.

Priority: P2 (59)
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available: yes
EPSS: 31.97% (98.1st percentile)

Affected

1 range

Vendor          Product      Version range    Fixed in
castillobueno   ccmplayer    (none listed)    (none listed)

Detection & IOCs (extracted from sources)

filename: msf.m3u
address: 0x00403ca7 (ROP gadget in ccmplay.exe)
gadget: pop esi / pop ebx / ret (in ccmplay.exe)
  • Trigger condition: CCMPlayer 1.5 opens a .m3u playlist file containing an excessively long track name (offset 0x1000 bytes) that overwrites the SEH exception record, enabling arbitrary code execution.
  • Bad characters to filter/detect in payload within .m3u track name field: null byte, CR, LF, 0x1a, comma, period, colon, backslash (\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c).
  • The exploit payload uses a negative stack adjustment of -3500 bytes; anomalous stack pointer manipulation of this magnitude in ccmplay.exe processing .m3u files is a strong indicator of exploitation.
  • The SEH overwrite ROP gadget (pop esi / pop ebx / ret) is located at 0x00403ca7 inside ccmplay.exe; a call/jump to this address during .m3u parsing is indicative of exploitation.
  • Exploit payload space is 0x1000 bytes with NOP generation disabled; look for large shellcode blobs embedded directly in .m3u track name fields without NOP sleds.
  • The Metasploit fileformat module for this CVE is windows/fileformat/ccmplayer_m3u_bof; detections should flag creation or delivery of malformed .m3u files targeting CCMPlayer 1.5.
  • The ROP gadget address (0x00403ca7) is specific to ccmplay.exe in CCMPlayer 1.5 on Windows XP SP3 EN (32-bit); it may need adjustment for other builds or platforms.
  • The updated Metasploit module (exploit-db 18195) extends target support beyond XP SP3 to Windows Vista and Windows 7, using the same ROP gadget address; verify gadget validity per target OS.
  • EXITFUNC is set to 'process', meaning the exploit terminates the CCMPlayer process on payload exit; forensic artifacts will reflect a crashed/terminated ccmplay.exe rather than a clean exit.