CVE-2011-5170
Published 2012-09-15

CVE-2011-5170: Stack-based buffer overflow in Castillo Bueno Systems CCMPlayer 1.5 allows remote attackers to execute arbitrary code via a long track name in an m3u playlist.
Priority P259 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public exploit available. EPSS: 31.97% (98.1st percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| castillobueno | ccmplayer | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: CCMPlayer 1.5 opens a .m3u playlist file containing an excessively long track name (offset 0x1000 bytes) that overwrites the SEH exception record, enabling arbitrary code execution.
- Bad characters to filter/detect in a payload within the .m3u track name field: null byte, CR, LF, 0x1a, comma, period, colon, backslash (\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c).
- The exploit payload uses a negative stack adjustment of -3500 bytes; anomalous stack pointer manipulation of this magnitude in ccmplay.exe while processing .m3u files is a strong indicator of exploitation.
- The SEH overwrite ROP gadget (pop esi / pop ebx / ret) is located at 0x00403ca7 inside ccmplay.exe; a call/jump to this address during .m3u parsing is indicative of exploitation.
- Exploit payload space is 0x1000 bytes with NOP generation disabled; look for large shellcode blobs embedded directly in .m3u track name fields without NOP sleds.
- The Metasploit fileformat module for this CVE is windows/fileformat/ccmplayer_m3u_bof; detections should flag creation or delivery of malformed .m3u files targeting CCMPlayer 1.5.
- Caveat: the ROP gadget address (0x00403ca7) is specific to ccmplay.exe in CCMPlayer 1.5 on Windows XP SP3 EN (32-bit); it may need adjustment for other builds or platforms.
- Caveat: the updated Metasploit module (exploit-db 18195) extends target support beyond XP SP3 to Windows Vista and Windows 7, using the same ROP gadget address; verify gadget validity per target OS.
- Caveat: EXITFUNC is set to 'process', meaning the exploit terminates the CCMPlayer process on payload exit; forensic artifacts will reflect a crashed/terminated ccmplay.exe rather than a clean exit.
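As an added detection example (not part of this record or any of its sources), the Python below scans a .m3u file body for the trigger pattern the indicators above describe: a track entry reaching the 0x1000-byte SEH offset, and the low bytes of the listed gadget address appearing inside an entry. The 0x1000 threshold and the three-byte address match are assumptions made here for illustration.

```python
"""Flag .m3u playlists that match the CVE-2011-5170 trigger pattern.

Added detection example; not code from the CVE record or its sources.
"""
import struct
import sys
from typing import List

# The record states the buffer reaches the SEH record at offset 0x1000 bytes,
# so any single entry this long is far beyond a legitimate path (assumed threshold).
SUSPICIOUS_ENTRY_LEN = 0x1000

# SEH overwrite address the record lists for ccmplay.exe, as it would be laid out
# in the file (little-endian). The high 0x00 byte is also a listed bad character,
# so match only the three low bytes (assumption: the parser supplies the terminator).
SEH_GADGET_LE = struct.pack("<I", 0x00403CA7)[:3]  # b'\xa7\x3c\x40'


def scan_m3u(data: bytes) -> List[str]:
    """Return findings for one .m3u body; an empty list means nothing matched."""
    findings = []
    # M3U is line-oriented: '#EXTM3U' / '#EXTINF' directives, then one entry per line.
    for lineno, raw in enumerate(data.splitlines(), start=1):
        if raw.startswith(b"#"):
            continue  # directive line, not a track entry
        if len(raw) >= SUSPICIOUS_ENTRY_LEN:
            findings.append(f"line {lineno}: entry of {len(raw)} bytes (>= 0x1000)")
        if SEH_GADGET_LE in raw:
            findings.append(f"line {lineno}: contains gadget address bytes 0x00403ca7")
    return findings


def scan_file(path: str) -> List[str]:
    """Read one playlist from disk and scan it."""
    with open(path, "rb") as fh:
        return scan_m3u(fh.read())


if __name__ == "__main__":
    for name in sys.argv[1:]:
        for finding in scan_file(name) or ["clean"]:
            print(f"{name}: {finding}")
```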
No detection rules found.
Exploit-DB: CCMPlayer 1.5 - '.m3u' Stack Buffer Overflow (Metasploit) (exploitdb · 2011-12-03 · CVE-2011-5170)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CCMPlayer 1.5 Stack based Buffer Overflow (.m3u)',
'Description' => %q{
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
a m3u playlist with a long track name, a SEH exception record can be overwritten
with parts of the controllable buffer. SEH execution is triggered after an
invalid read of an injectible address, thus allowing arbitrary code execution.
This module works on multiple Windows platforms includin
Exploit-DB: CCMPlayer 1.5 - '.m3u' Stack Buffer Overflow (SEH) (Metasploit) (exploitdb · 2011-11-30 · CVE-2011-5170)
---
# Exploit: CCMPlayer 1.5 Stack based Buffer Overflow SEH Exploit (.m3u)
# Date: 30 Nov 2011
# Author: Rh0
# Software: CCMPlayer 1.5
# Tested on: Windows XP SP3 32-Bit EN (VirtualBox)
require 'msf/core'
class Metasploit3 'CCMPlayer 1.5 Stack based Buffer Overflow (.m3u)',
'Description' => %q{
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
a m3u playlist with a long track name, a SEH exception record can be overwritten
with parts of the controllable buffer. SEH execution is triggered after an
invalid read of an injectible address, thus allowing arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' => ['Rh0'], # discovery and metasploit module
'Version' => '0.0',
'References' =>
[
#
Metasploit: CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow
This module exploits a stack-based buffer overflow in CCMPlayer 1.5. When an m3u playlist with a long track name is opened, an SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an invalid read of an injectable address, thus allowing arbitrary code execution. This module works on multiple Windows platforms including Windows XP SP3, Windows Vista, and Windows 7.
No writeups or analysis indexed.
References:
- http://osvdb.org/77453
- http://www.exploit-db.com/exploits/18178
- http://www.exploit-db.com/exploits/18195
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71573