CVE-2006-6063

XMPlay < 3.3.0.5 - Stack-Based Buffer Overflow via M3U File

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-6063. PoCs published by Metasploit, Greg Linares, including Metasploit module exploits/windows/browser/xmplay_asx.

AI-analyzed exploit summary This Metasploit module exploits a stack buffer overflow in XMPlay 3.3.0.4 via an overly long filename in an ASX playlist file. It delivers a payload encoded with alphanumeric upper characters to achieve remote code execution.

Description

Stack-based buffer overflow in Un4seen XMPlay 3.3.0.5 and earlier allows remote attackers to execute arbitrary code via a M3U file containing a long (1) FileName, and cause a crash via a long (2) DisplayName.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/16556

This Metasploit module exploits a stack buffer overflow in XMPlay 3.3.0.4 via an overly long filename in an ASX playlist file. It delivers a payload encoded with alphanumeric upper characters to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XMPlay 3.3.0.4
No auth needed
Prerequisites: Victim must open a malicious ASX file via XMPlay
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Greg Linares · clocalwindows
https://www.exploit-db.com/exploits/2824

This exploit leverages a stack-based buffer overflow in XMPlay 3.3.0.4 by crafting a malicious .ASX file with an overly long filename, leading to arbitrary code execution (CALC.exe) via embedded shellcode. It includes multiple JMP ESP addresses for different Windows versions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XMPlay 3.3.0.4 and prior
No auth needed
Prerequisites: Victim must open the malicious .ASX file in XMPlay
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Greg Linares · clocalwindows
https://www.exploit-db.com/exploits/2815

This exploit targets a stack-based buffer overflow in XMPlay 3.3.0.4 by crafting a malicious .M3U file. It uses a JMP ESP address from user32.dll to redirect execution to shellcode that launches calc.exe.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XMPlay 3.3.0.4 and prior
No auth needed
Prerequisites: Victim must open the malicious .M3U file in XMPlay
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/xmplay_asx.rb

This Metasploit module exploits a stack buffer overflow in XMPlay 3.3.0.4 by crafting an ASX playlist file with an overly long filename, leading to arbitrary code execution. The exploit uses SEH overwrites and alphanumeric encoding to bypass bad characters.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: XMPlay 3.3.0.4
No auth needed
Prerequisites: Victim must open a malicious ASX file via HTTP server
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21206
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4636
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2815
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30436
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22999

Scores

EPSS 0.5623
EPSS Percentile 98.9%

Details

Status published
Products (1)
un4seen/xmplay < 3.3.0.5
Published Nov 22, 2006
Tracked Since Feb 18, 2026