CVE-2011-5172
Published 2012-09-15
Priority: P3 · 50 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 6.37% (92.8th percentile)
Stack-based buffer overflow in StoryBoard Quick 6 Build 3786, and possibly StoryBoard Artist and StoryBoard Studio, allows remote attackers to execute arbitrary code via a long string in the string element field in a frame xml file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| powerproduction | storyboard_quick | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\xd9\xcf\xe5\x74`
- bytes: `\x90\xeb\x06\x90`
- bytes: `\x25\x12\xd1\x72`
- Payload is AlphanumMixed encoded with EAX as the buffer register; look for alphanumeric shellcode blobs embedded inside the <ID> XML element of Frame XML files.
- The SEH overwrite gadget (POP, POP, RETN) is located at address 0x72d11225; this address is specific to the targeted WinXP SP3 No DEP build and can be used as a memory indicator in crash dumps or debugger traces.
- Malicious Frame XML files will contain an <ID> element padded with 4256 bytes of 0x43 ('C') followed by the NSEH/SEH bytes, making the pattern 'CCCC...CCCC' (4256 chars) detectable via file scanning.
- The exploit targets Windows XP SP3 with no DEP only; the hardcoded SEH gadget address (0x72d11225) is version-specific and will not apply to other OS/patch levels.
- The vulnerability may also affect StoryBoard Artist and StoryBoard Studio, but these were not confirmed at time of disclosure.
- Null bytes (0x00) are bad characters for the payload; any detection signature based on the encoded payload must account for AlphanumMixed encoding excluding null bytes.
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/47045
- http://www.exploit-db.com/exploits/18186
- http://www.security-assessment.com/files/documents/advisory/Storyboard_Quick6-Stack_Buffer_Overflow.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71574