CVE-2011-5171
published 2012-09-15


Priority: P266 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module, see Detection & IOCs below)
EPSS: 45.79% (98.6th percentile)
Multiple stack-based buffer overflows in CyberLink Power2Go 7 (build 196) and 8 (build 1031) allow remote attackers to execute arbitrary code via the (1) src and (2) name parameters in a p2g project file.

Affected

2 ranges
Vendor      Product     Version range      Fixed in
cyberlink   power2go    7 (build 196)      not listed
cyberlink   power2go    8 (build 1031)     not listed

Detection & IOCs (extracted from sources)

filename: msf.p2g
path: C:\Program Files\CyberLink\Power2Go8\Power2Go8.exe
  • Detect malformed .p2g project files whose 'name' attribute on the file element holds an overly long string; this is the value that triggers the SEH overwrite.
  • Alert on Power2Go8.exe or WaveEditor.exe spawning child processes or executing shellcode after opening a project file; the exploit uses a 'migrate -f' post-exploitation auto-run, so the payload leaves the original process quickly.
  • Flag .p2g files where the 'src' or 'name' XML attribute value is abnormally long (hundreds of bytes); both parameters overflow a stack buffer.
  • Detect shellcode delivered in .p2g files that was produced with the x86/unicode_mixed or x86/alpha_mixed encoder using BufferRegister=EAX or EDX, as used by the public exploit.
Caveats from the exploit sources:
  • The Metasploit module targets only Power2Go 8.x with a hardcoded SEH overwrite RET address; exploiting Power2Go 7 (build 196) requires a different offset and gadget.
  • Payload space is limited to 1024 bytes and null bytes are bad characters, which constrains shellcode choice.
  • The PoC was tested only on Windows XP SP3 and Windows 7 SP1; behaviour on other OS versions is unconfirmed.
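The two file-based detections above (overlong 'src'/'name' attribute values, and the filler pattern an overflow payload leaves behind) can be implemented as a small scanner. The following is an added example written for this page, not code from the advisory, the Metasploit module or CyberLink. It assumes, since the page does not describe the format, that a .p2g project is XML whose file elements carry 'name' and 'src' attributes, that a benign value fits in MAX_PATH (260 characters), and that 64 or more identical consecutive characters is exploit filler; the three sample documents are constructed for the example and are not real project files.

```python
"""Scan .p2g project files for the overlong src/name attribute values that
trigger the CVE-2011-5171 stack overflows.

Added example, not code from the advisory or from CyberLink. Assumptions not
stated on the page: a .p2g project is XML whose <file> elements carry 'name'
and 'src' attributes, a legitimate value is a display name or Windows path
that fits in MAX_PATH, and a run of 64+ identical characters is filler.
"""
import re
import sys
import xml.etree.ElementTree as ET

MAX_ATTR_LEN = 260   # assumption: benign attribute never exceeds MAX_PATH
MIN_RUN = 64         # assumption: >= 64 repeated characters is exploit filler
WATCHED_ATTRS = ("src", "name")

# Overflow filler such as "A" * 1200 shows up as a long run of one character.
_RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_RUN - 1))
# Fallback for files that are not well-formed XML: the overflow only needs the
# attribute value to reach the vulnerable copy, not a parseable document.
_ATTR_RE = re.compile(rb'\b(src|name)\s*=\s*"([^"]*)"', re.IGNORECASE)


def looks_like_filler(value: str) -> bool:
    """True if the value contains MIN_RUN or more identical consecutive chars."""
    return _RUN_RE.search(value) is not None


def _classify(tag, attr, value, max_len, note=""):
    """Return a finding tuple for a suspicious value, or None if it is benign."""
    if len(value) > max_len:
        return (tag, attr, len(value), "overlong" + note)
    if looks_like_filler(value):
        return (tag, attr, len(value), "filler-pattern" + note)
    return None


def find_overlong_attrs(p2g_bytes: bytes, max_len: int = MAX_ATTR_LEN):
    """Return findings as (element tag, attribute, value length, reason)."""
    findings = []
    try:
        # For untrusted input in production prefer defusedxml; the stdlib
        # parser is used here so the example runs without extra packages.
        root = ET.fromstring(p2g_bytes)
    except ET.ParseError:
        # Not well-formed: scan the raw bytes for the two watched attributes.
        for m in _ATTR_RE.finditer(p2g_bytes):
            attr = m.group(1).decode("ascii").lower()
            value = m.group(2).decode("latin-1")
            hit = _classify("?", attr, value, max_len, " (unparseable XML)")
            if hit:
                findings.append(hit)
        return findings
    for elem in root.iter():
        for attr in WATCHED_ATTRS:
            value = elem.get(attr)
            if value is not None:
                hit = _classify(elem.tag, attr, value, max_len)
                if hit:
                    findings.append(hit)
    return findings


# Constructed samples for the example (not real project files).
BENIGN_P2G = (b'<?xml version="1.0"?><project><file name="holiday.mp4" '
              b'src="C:\\Users\\alice\\Videos\\holiday.mp4"/></project>')
MALICIOUS_P2G = (b'<?xml version="1.0"?><project><file name="' + b"A" * 1200 +
                 b'" src="C:\\clip.mp4"/></project>')
MALFORMED_P2G = b'<project><file name="' + b"B" * 2000 + b'" src="x.mp4"'


if __name__ == "__main__":
    # Usage: python scan_p2g.py file1.p2g file2.p2g ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in find_overlong_attrs(fh.read()):
                print(path, *finding)
```

The length threshold is deliberately generous: the public exploit needs more than the 1024-byte payload space plus the SEH overwrite, so anything past MAX_PATH is already far outside what a project file legitimately stores, and the filler check catches shorter probes. Reduce false positives on real projects by lowering MAX_ATTR_LEN only after measuring the longest benign value in your environment.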