CVE-2012-0003
published 2012-01-10

Priority: P1 (81)
CVSS 3.1: 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 69.50% (99.3rd percentile)
Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."

Affected

2 ranges

Vendor      Product              Version range   Fixed in
microsoft   windows_server_2008  (not listed)    (not listed)
microsoft   windows_xp           (not listed)    (not listed)

Note: the affected ranges list only the two products above, while the description also names Windows Server 2003 SP2 and Windows Vista SP2; hosts running those should be checked against the MS12-004 update as well.

Detection & IOCs (extracted from sources)

MD5 hashes of exploit samples:
  6249ac0674574c7df2f81801a41b85a5
  9d63609e49e18f87973e66bdbc4236b4
  d3410dd27ba25c780abcd5c4df573303
  1a4c84227cbf6da8724699b9b6fbb71b
  bbc2d8cb3f8ed9a3a5292408d476af14
  c91703bc8d5509003c1d0a634dcbbd06
  2b988374bb9c0ac7d04a2999959fa978
  17145972a2116660580f879ac690315f
  df5e0faae726386b7d2ee0fce0bfcbde
  dd47870ac7970ca8b00080d2626f7e2a
  72d39c6837503e36b2ccec381e191b78
  f82fdcd9f1bc2caf0ffa3928648d356d
  ef8e3898330c9c4af29402776544038c
Path: /baby.mid
Emerging Threats rule, Suricata syntax (sid:2014156, matches the exploit page in the server-to-client response):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; file.data; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; fast_pattern; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, cve CVE_2012_0003, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_08;)
Emerging Threats rule, Suricata syntax (sid:2014207, matches the outbound request for the MIDI file):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, cve CVE_2012_0003, deployment Perimeter, confidence Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
Bytes (heap-spray pattern): %u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c
  • The exploit page contains the JavaScript tokens 'bang()' and 'cloned' followed by the heap-spray literal unescape("%u0c0c…") (the rule's |22| is a double quote). sid:2014156 chains these with distance:0, so all three must appear in that order in the HTTP response body; together they are a strong indicator of CVE-2012-0003 exploitation.
  • An outbound HTTP request for the URI path /baby.mid is associated with in-the-wild exploitation of MS12-004 (CVE-2012-0003).
  • The exploit delivers a specially crafted MIDI file through the Windows Media Player ActiveX control; the vulnerable heap allocation is 0x400 bytes (WINMM!winmmAlloc), and the overflow yields a single-byte inc/dec primitive.
  • For IE 8 on XP SP3, the exploit uses a stack-pivot ROP gadget at 0x76C9B4C2 (IMAGEHLP) and a dispatch destination of 0x0c0c1be4; for IE 6/7 on XP SP3 the dispatch destination is 0x0c0c0c0c.
  • The ROP chain is built entirely from msvcr71.dll gadgets; ROP chains referencing msvcr71.dll addresses (e.g. 0x7c347f98, 0x7c376402) in memory or shellcode are indicative.
  • The vulnerability does not trigger when the victim machine is operated via rdesktop, which matters when designing sandbox or detonation environments.
  • The Metasploit module's IE 8 target supports only two specific MSHTML builds; other patch levels may not be exploitable with this module.
  • The ET rule for /baby.mid (sid:2014207) carries a 'confidence Low' metadata tag: on its own it may fire on legitimate requests for a MIDI file with that name, so corroborate it with the response-side rule or a sample hash.
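As an added example, not code from this page or from the Emerging Threats rules above, the following Python script emulates the matching logic of sid:2014156 (ordered content matches with distance:0) and sid:2014207 over constructed sample traffic, decodes the %u0c0c heap-spray literal to the bytes it places in memory, and checks a blob against the MD5 IOC list. The function names, the sample response bodies and the request lines are this example's own assumptions, not captures from real exploitation.

```python
"""Detection helpers for the CVE-2012-0003 (MS12-004) indicators listed above."""
import hashlib
import re
from typing import Sequence

# MD5 hashes of exploit samples, taken from the IOC list on this page.
KNOWN_SAMPLE_MD5 = {
    "6249ac0674574c7df2f81801a41b85a5", "9d63609e49e18f87973e66bdbc4236b4",
    "d3410dd27ba25c780abcd5c4df573303", "1a4c84227cbf6da8724699b9b6fbb71b",
    "bbc2d8cb3f8ed9a3a5292408d476af14", "c91703bc8d5509003c1d0a634dcbbd06",
    "2b988374bb9c0ac7d04a2999959fa978", "17145972a2116660580f879ac690315f",
    "df5e0faae726386b7d2ee0fce0bfcbde", "dd47870ac7970ca8b00080d2626f7e2a",
    "72d39c6837503e36b2ccec381e191b78", "f82fdcd9f1bc2caf0ffa3928648d356d",
    "ef8e3898330c9c4af29402776544038c",
}

# The literal matched by sid:2014156 (|22| in the rule is a double quote).
HEAP_SPRAY_TOKEN = b'unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c")'


def ordered_contents(data: bytes, needles: Sequence[bytes]) -> bool:
    """Emulate a chain of content matches where every match after the first
    carries distance:0, i.e. it must begin at or after the end of the previous
    match. The first needle may appear anywhere in the buffer."""
    pos = 0
    for needle in needles:
        idx = data.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def matches_exploit_page(response_body: bytes) -> bool:
    """sid:2014156: 'bang()', then 'cloned', then the %u0c0c unescape literal,
    in that order, in an HTTP response body delivered to the client."""
    return ordered_contents(response_body, [b"bang()", b"cloned", HEAP_SPRAY_TOKEN])


def requests_baby_mid(uri: str) -> bool:
    """sid:2014207: outbound request whose URI contains /baby.mid.
    Low confidence on its own; use it as a pivot to the response-side check."""
    return "/baby.mid" in uri


def decode_unescape_units(js_literal: bytes) -> bytes:
    """Decode JavaScript %uXXXX escapes to the UTF-16LE bytes unescape() yields,
    so the sprayed content can be compared with memory around 0x0c0c0c0c."""
    units = re.findall(rb"%u([0-9a-fA-F]{4})", js_literal)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)


def is_known_sample(blob: bytes) -> bool:
    """Hash a fetched .mid or HTML object and compare with the page's IOC list."""
    return hashlib.md5(blob).hexdigest() in KNOWN_SAMPLE_MD5


# Constructed sample response body (not a real capture) with the three tokens
# in the order the rule requires.
SAMPLE_EXPLOIT_BODY = b"""<html><body><script>
function bang() {
  var cloned = [];
  var spray = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
  for (var i = 0; i < 200; i++) cloned[i] = spray;
}
</script><embed src="/baby.mid" type="audio/midi"></body></html>"""

# Constructed body with the same three tokens out of order: the distance:0
# chain in the rule does not fire, and neither does this emulation.
SAMPLE_OUT_OF_ORDER_BODY = b"""<script>
var s = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");
function bang() { return s; }
var cloned = [];
</script>"""

if __name__ == "__main__":
    print("exploit page:", matches_exploit_page(SAMPLE_EXPLOIT_BODY))
    print("out of order:", matches_exploit_page(SAMPLE_OUT_OF_ORDER_BODY))
    print("request:", requests_baby_mid("GET /baby.mid HTTP/1.1"))
    print("spray bytes:", decode_unescape_units(HEAP_SPRAY_TOKEN).hex())
```

The ordering check is the part worth keeping: a naive "all three substrings present" test would also fire on the out-of-order body, while the rule (and this emulation) requires each token to follow the previous one, which is what makes the response-side signature far more specific than the /baby.mid request match.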

CVSS provenance

Source             Version   Score   Severity   Vector
NVD                v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD                v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck                    8.1     HIGH
Red Hat (vendor)             10.0    CRITICAL