cvebase
CVE-2009-0182
published 2009-01-20


Priority: P3 (53) · high
CVSS 3.1: 8.8 · AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 48.40% (98.7th percentile)
Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line.

Affected

1 range
Vendor     Product    Version range   Fixed in
vuplayer   vuplayer   <= 2.49         (none listed)

Detection & IOCs (extracted from sources)

filename: poc.wax
filename: s.pls
  • Detect malicious .pls playlist files containing an abnormally long URL (>1012 bytes) on a File1= line, consistent with the buffer overflow trigger pattern.
  • Detect VUPlayer opening .wax or .cue files that carry a large junk buffer followed by a ROP chain (stack-based overflow in VUPlayer <= 2.49); the 1012 bytes of junk before the chain is the .wax offset and does not transfer to the other file types.
  • VUPlayer loading BASS.dll and BASSMIDI.dll is normal, since both ship with the player; the signal is that these no-ASLR modules are the gadget source for the DEP-bypass ROP chain, so look for execution returning into them from an overflowed stack rather than for the load itself.
  • Flag .pls playlist files with a [playlist] header whose File1= value is an HTTP URL far longer than any plausible media path; the exploit places the overflow immediately after 'File1=http://'.
  • The public shellcode avoids the bad characters \x00, \x0a and \x1a; a long binary blob in a .wax/.pls/.cue file that contains none of these bytes, sitting where a URL or path belongs, is a strong exploit indicator.
  • ROP chains generated with mona against BASS.dll and BASSMIDI.dll with those bad-char exclusions match the CVE-2009-0182 exploit tooling; a run of 4-byte little-endian pointers into those modules (e.g. 0x10015f77, 0x1060e25c) inside a playlist file is an indicator.
  • The exploit module triggers the stack-based overflow via a specially crafted .cue file in VUPlayer <= 2.49; monitor for the VUPlayer process spawning child processes after opening a .cue file.
  • The ROP gadget addresses (e.g., 0x10015f77, 0x1060e25c) are specific to the versions of BASS.dll and BASSMIDI.dll shipped with VUPlayer 2.49 on Windows 7 x64; they will not be reliable across different builds or OS versions.
  • The exploit was tested specifically on Windows 7 x64; the DEP bypass via ROP chain may not apply to other Windows versions or configurations where ASLR is enforced on these DLLs.
  • The .pls exploit uses a 'Universal Address' approach (NOP sled + shellcode), suggesting the EIP overwrite offset may vary slightly by environment; the 1012-byte junk offset is specific to the .wax variant.
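The .pls rule above (a [playlist] header, a File1= value that is an over-long http:// URL, binary content that skips \x00/\x0a/\x1a) and the generic long-junk check for .wax/.cue are easy to turn into a file scanner. The following is an added example, not code from the CVE page, VUPlayer or the exploit module. It assumes the 1012-byte .wax offset can be reused as a "no real media path is this long" threshold for every playlist type; the benign and crafted sample files are constructed here, and the return address in the crafted one is a placeholder rather than a real gadget.

```python
"""Playlist scanner for the CVE-2009-0182 trigger pattern (added example).

Not code from the CVE page, VUPlayer or any exploit module. Assumptions:
the 1012-byte figure (the .wax EIP offset cited above) is reused as a
length threshold for every playlist type; the samples at the bottom are
constructed and their return address is a placeholder, not a gadget.
"""
import re

PLS_ENTRY_RE = re.compile(rb'^(File|Title|Length)(\d+)=(.*)$')
LONG_VALUE = 1012                   # assumed threshold, see module docstring
BAD_CHARS = {0x00, 0x0a, 0x1a}      # bytes the public shellcode avoids (from the page)


def _is_binaryish(value: bytes) -> bool:
    """True if the field holds bytes no legitimate URL or path contains."""
    return any(b < 0x20 or b > 0x7e for b in value)


def _avoids_bad_chars(value: bytes) -> bool:
    return not any(b in BAD_CHARS for b in value)


def scan_pls(data: bytes) -> list:
    """Apply the .pls rules: [playlist] header, File<n>= value length and content."""
    findings = []
    lines = data.split(b'\n')
    header_ok = bool(lines) and lines[0].strip().lower() == b'[playlist]'
    for lineno, raw in enumerate(lines, 1):
        m = PLS_ENTRY_RE.match(raw.rstrip(b'\r'))
        if not m or m.group(1) != b'File':
            continue                # only File<n>= carries the overflow
        key = 'File' + m.group(2).decode()
        value = m.group(3)
        reasons = []
        if len(value) >= LONG_VALUE:
            reasons.append(f'{key}= value is {len(value)} bytes')
        if value.lower().startswith(b'http://') and len(value) >= LONG_VALUE:
            reasons.append('http:// URL padded past the overflow length (demonstrated trigger)')
        if _is_binaryish(value):
            reasons.append('non-printable bytes in a URL/path field')
            if _avoids_bad_chars(value):
                reasons.append('binary blob contains none of \\x00 \\x0a \\x1a (encoded-shellcode pattern)')
        if reasons:
            findings.append({'line': lineno, 'key': key, 'pls_header': header_ok, 'reasons': reasons})
    return findings


def scan_generic(data: bytes) -> list:
    """For .wax/.cue, where no field layout is assumed: flag over-long or binary-looking lines."""
    findings = []
    for lineno, raw in enumerate(data.split(b'\n'), 1):
        line = raw.rstrip(b'\r')
        reasons = []
        if len(line) >= LONG_VALUE:
            reasons.append(f'line is {len(line)} bytes')
        if _is_binaryish(line):
            reasons.append('non-printable bytes in a text playlist')
        if reasons:
            findings.append({'line': lineno, 'reasons': reasons})
    return findings


# --- constructed samples --------------------------------------------------
BENIGN_PLS = (b'[playlist]\r\nNumberOfEntries=1\r\n'
              b'File1=http://example.com/stream.mp3\r\nTitle1=Example\r\n'
              b'Length1=-1\r\nVersion=2\r\n')


def build_malicious_pls() -> bytes:
    """Shape of the trigger: File1=http:// + junk + return address + NOP sled + payload."""
    junk = b'A' * 1012
    fake_ret = b'\xef\xbe\xad\xde'                 # placeholder, not a gadget
    nops = b'\x90' * 16
    # stand-in for an encoded payload: arbitrary bytes that skip the bad chars
    payload = bytes(b for b in range(1, 255) if b not in BAD_CHARS)[:64]
    return (b'[playlist]\r\nNumberOfEntries=1\r\nFile1=http://' + junk + fake_ret
            + nops + payload + b'\r\nTitle1=x\r\nLength1=-1\r\nVersion=2\r\n')


if __name__ == '__main__':
    print('benign  :', scan_pls(BENIGN_PLS))
    print('crafted :', scan_pls(build_malicious_pls()))
```

The length check alone would also fire on a benign playlist with a very long query string, which is why the scanner reports the binary-content and bad-char observations separately: a File1= value that is both over the threshold and full of non-printable bytes that avoid \x00/\x0a/\x1a is the combination worth paging on, while a long but printable URL is only a weak hit.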

CVSS provenance

NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD v2.0: 9.3 HIGH · AV:N/AC:M/Au:N/C:C/I:C/A:C (CVSS v2 has no Critical band; 9.3 is High)