cbcvebase.
CVE-2011-5172
published 2012-09-15


Priority: P3 50
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 6.37% (92.8th percentile)
Stack-based buffer overflow in StoryBoard Quick 6 Build 3786, and possibly StoryBoard Artist and StoryBoard Studio, allows remote attackers to execute arbitrary code via a long string in the string element field in a frame xml file.

Affected

1 range

Vendor: powerproduction
Product: storyboard_quick
Version range: not stated
Fixed in: not stated

Detection & IOCs (extracted from sources)

filename: Frame-001.xml
bytes: \xd9\xcf\xe5\x74
bytes: \x90\xeb\x06\x90 (NSEH: short jump over the SEH record)
bytes: \x25\x12\xd1\x72 (little-endian form of the SEH gadget address 0x72d11225)
  • Payload is AlphanumMixed encoded with EAX as the buffer register; look for alphanumeric shellcode blobs embedded inside the <ID> XML element of Frame XML files.
  • The SEH overwrite gadget (POP, POP, RETN) is located at address 0x72d11225; this address is specific to the targeted WinXP SP3 No DEP build and can be used as a memory indicator in crash dumps or debugger traces.
  • Malicious Frame XML files will contain an <ID> element padded with 4256 bytes of 0x43 ('C') followed by the NSEH/SEH bytes, making the pattern 'CCCC...CCCC' (4256 chars) detectable via file scanning.
  • The exploit targets Windows XP SP3 with no DEP only; the hardcoded SEH gadget address (0x72d11225) is version-specific and will not apply to other OS/patch levels.
  • The vulnerability may also affect StoryBoard Artist and StoryBoard Studio, but these were not confirmed at time of disclosure.
  • Null bytes (0x00) are bad characters for the payload; any detection signature based on the encoded payload must account for AlphanumMixed encoding excluding null bytes.
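The <ID> padding and length indicators above can be turned into a file check. The Python below is an added example, not the source's or the vendor's tooling: it scans a Frame XML document for the 4256-byte 'C' run at the raw-byte level (so malformed files are still caught) and for any <ID> element longer than a sane limit (the 256-byte limit is an assumption); the sample documents are constructed here, with placeholder bytes where NSEH/SEH would sit.

```python
"""Flag StoryBoard Frame XML files whose <ID> element looks like overflow padding."""
import re
import xml.etree.ElementTree as ET

PAD_LEN = 4256          # from the advisory: 4256 bytes of 0x43 ('C') precede NSEH/SEH
MAX_SANE_ID_LEN = 256   # assumption: legitimate frame IDs are short; tune for your files
C_RUN = re.compile(rb"C{%d,}" % PAD_LEN)


def scan_frame_xml(data: bytes) -> dict:
    """Return indicator hits for one Frame XML document supplied as raw bytes."""
    findings = {"c_run": False, "oversized_id": False, "max_id_len": 0,
                "parse_error": False}
    # Raw-byte pass first: the 'CCCC...' run is visible even when the file is
    # malformed, which a crafted file may well be.
    if C_RUN.search(data):
        findings["c_run"] = True
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings["parse_error"] = True
        return findings
    # Structural pass: any <ID> element (namespace-agnostic) with abnormal length.
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "ID" and elem.text:
            length = len(elem.text.encode("utf-8"))
            findings["max_id_len"] = max(findings["max_id_len"], length)
            if length > MAX_SANE_ID_LEN:
                findings["oversized_id"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either indicator alone is enough to quarantine the file for review."""
    return findings["c_run"] or findings["oversized_id"]


# Constructed samples (not real files): a normal frame, one carrying the padding
# pattern with placeholder bytes in place of NSEH/SEH, and a malformed variant.
BENIGN = b"<?xml version='1.0'?><Frame><ID>frame-001</ID><Note>ok</Note></Frame>"
SUSPICIOUS = b"<Frame><ID>" + b"C" * PAD_LEN + b"NNNNSSSS" + b"</ID></Frame>"
TRUNCATED = b"<Frame><ID>" + b"C" * PAD_LEN        # no closing tags at all

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                      ("truncated", TRUNCATED)):
        result = scan_frame_xml(doc)
        print(name, result, "->", "SUSPICIOUS" if is_suspicious(result) else "clean")
```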