CVE-2009-0476
published 2009-02-08

CVE-2009-0476: Stack-based buffer overflow in MultiMedia Soft AdjMmsEng.dll 7.11.1.0 and 7.11.2.7, as distributed in multiple MultiMedia Soft audio components for .NET…

Priority: P357, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 37.04% (98.3th percentile)
Stack-based buffer overflow in MultiMedia Soft AdjMmsEng.dll 7.11.1.0 and 7.11.2.7, as distributed in multiple MultiMedia Soft audio components for .NET, allows remote attackers to execute arbitrary code via a long string in a playlist (.pls) file, as originally reported for Euphonics Audio Player 1.0. NOTE: some of these details are obtained from third party information.

Detection & IOCs (extracted from sources)

filename: msf.pls
registry: .pls extension registered to Audiotran
other: 0x10101A3E (p/p/r in rsaadjd.tmp)
other: 0x735275CB (p/p/r in msvbvm60.dll)
other: 0x100FA3CB (jmp esp from AdjMmsEng.dll)
other: 0x7C86467B (jmp esp, Windows XP SP3)
path: AdjMmsEng.dll
bytes: \x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0A\x46\x69\x6C\x65\x31\x3D
  • Overflow trigger offset is 1308 bytes before SEH overwrite in Audiotran 1.4.1; monitor for .pls files with anomalously long strings exceeding this length.
  • Overflow trigger offset is 1940 bytes before nSEH/SEH overwrite in MP3 Workstation 9.2.1.1.2; .pls files with padding of this length are malicious.
  • Overflow trigger offset is 1324 bytes in Euphonics Audio Player 1.0; .pls files with a string of this length followed by a return address are exploit indicators.
  • SEH-based exploitation uses short jump opcode \xeb\x06\x90\x90 as nSEH value; detect this 4-byte sequence at offset 1940 within a .pls file.
  • BadChars for payload construction are null byte, newline, and equals sign (\x00\x0a\x3d); shellcode in malicious .pls files will avoid these bytes.
  • The vulnerable DLL rsaadjd.tmp is used as a p/p/r gadget source in Audiotran exploits; presence of this file alongside Audiotran is a risk indicator.
  • The Metasploit module targets Audiotran 1.4.1 with a Windows Universal target using a single hardcoded return address; a separate module exists for Audiotran 1.4.2.4, indicating the offset/ret may differ between minor versions.
  • The vulnerability resides in AdjMmsEng.dll versions 7.11.1.0 and 7.11.2.7, distributed across multiple MultiMedia Soft audio components; detection should cover all applications bundling this DLL, not just Audiotran or Euphonics.
  • Remote exploitation via browser is theoretically possible if the .pls extension is registered to the vulnerable application, but this vector was not tested in the Metasploit module.
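
A small triage scanner for the length and nSEH indicators in the notes above, added here as an example (it is not code from the Metasploit module or any cited source). The function name, the choice of 1308 (the smallest offset listed) as the default threshold, and both sample playlists are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Values taken from the detection notes on this page.
MIN_TRIGGER_LEN = 1308                 # smallest listed overflow offset (Audiotran 1.4.1)
NSEH_SHORT_JMP = b"\xeb\x06\x90\x90"   # short-jump nSEH marker from the notes


class Finding(NamedTuple):
    line: int     # 1-based line number in the playlist
    key: str      # entry name, e.g. "File1"
    rule: str     # "long-value" or "nseh-short-jmp"
    detail: int   # value length, or marker offset inside the value


def scan_pls(data: bytes, threshold: int = MIN_TRIGGER_LEN) -> list[Finding]:
    """Flag key=value entries in raw .pls bytes that match the page's indicators."""
    findings = []
    # The notes list newline and '=' as bad characters for the payload, so an
    # overlong string stays on one line, after the first '=' of its entry.
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        key, sep, value = raw.rstrip(b"\r").partition(b"=")
        if not sep:
            continue  # section header such as [playlist], or a blank line
        name = key.decode("ascii", "replace").strip()
        if len(value) >= threshold:
            findings.append(Finding(lineno, name, "long-value", len(value)))
        pos = value.find(NSEH_SHORT_JMP)
        if pos != -1:
            findings.append(Finding(lineno, name, "nseh-short-jmp", pos))
    return findings


# Constructed sample: an ordinary playlist.
BENIGN = (b"[playlist]\r\nFile1=C:\\Music\\track01.mp3\r\nTitle1=Track 01\r\n"
          b"Length1=215\r\nNumberOfEntries=1\r\nVersion=2\r\n")

# Constructed sample: 1940 bytes of padding, the nSEH marker, then inert filler
# standing in for whatever follows (no real address or payload).
SUSPICIOUS = (b"[playlist]\r\nFile1=" + b"A" * 1940 + NSEH_SHORT_JMP
              + b"B" * 8 + b"\r\nNumberOfEntries=1\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_pls(sample))
```

Legitimate playlist entries are paths or URLs far shorter than the threshold, so the length rule alone is a useful first filter; the marker rule only adds confidence when both fire on the same entry.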