CVE-2014-0980
published 2014-02-11

CVE-2014-0980: Buffer overflow in Poster Software PUBLISH-iT 3.6d allows remote attackers to execute arbitrary code via a crafted PUI file.

Priority P357 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 40.36% (98.5th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
poster_software | publish_it | |

Detection & IOCs (extracted from sources)

filename: msf.pui
filename: motiv.pui
filename: CVE-2014-0980.pui
url: http://www.coresecurity.com/system/files/attachments/2014/02/CORE-2014-0001-publish-it.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31461.zip
registry: Publish.EXE
  • Malicious .PUI files begin with the OLE2 compound document magic bytes D0 CF 11 E0 A1 B1 1A E1; alert on Publish-It opening .PUI files with oversized PDATA streams (offset 1082+ bytes before SEH overwrite).
  • The SEH overwrite uses a pop/pop/ret gadget at 0x0046e95a inside Publish.EXE; look for EIP/SEH handler pointing into Publish.EXE .text section around that address.
  • Exploit triggers only when 'Automatic Preview' is enabled in Publish-It; monitor process creation of Publish.EXE spawning child processes or executing shellcode after opening a .PUI file.
  • EIP control value 0x04040404 observed in PoC crash; memory scanning for repeated 0x04 byte patterns in stack region can indicate exploitation attempt.
  • Payload space is 377 bytes; NOP sled of 700 bytes prepended before shellcode in crafted .PUI; heuristic scan for large NOP sleds inside OLE2-structured .PUI files.
  • The vulnerability is client-side (locally exploitable); remote exploitation requires social engineering the victim into opening a crafted .PUI file.
  • Only Publish-It v3.6d on Win XP and Win 7 was confirmed as tested; other versions are likely affected but unverified.
  • The SEH exploit variant requires 'Automatic Preview' to be enabled in the application settings to trigger the overflow.