CVE-2009-0885
published 2009-03-12

Priority: P347
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.75% (94.5th percentile)

Multiple heap-based buffer overflows in Media Commands 1.0 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long string in a (1) M3U, (2) M3l, (3) TXT, and (4) LRC playlist file.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mediacommands | media_commands | | |

Detection & IOCs (extracted from sources)

filename: hakxer.m3u
filename: hakxer.txt
filename: hakxer.m3l
filename: hakxer.lrc
filename: exploit.m3u
command: \xEB\x06\x90\x90 (next SEH jump over handler)
other: pop pop ret gadget at 0x722FC635 in msacm32.drv
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49

  • Trigger pattern: malicious playlist files (.m3u, .m3l, .txt, .lrc) containing a long string prefixed with 'http://' followed by ~5000 'A' characters cause a heap overflow in Media Commands 1.0
  • SEH-based exploit uses a buffer of exactly 4103 bytes of 'A' padding before overwriting the SEH chain in a .m3u file
  • SEH overwrite exploit targets pop/pop/ret gadget in msacm32.drv at address 0x722FC635; monitor for SEH chain corruption pointing into this module
  • Shellcode stub begins with the encoder stub bytes EB 03 59 EB 05 E8 F8 FF FF FF; scan playlist file content for this byte sequence
  • Both PoC and SEH exploit write crafted payload files named with the pattern 'hakxer.<ext>' or 'exploit.m3u'; alert on creation of unusually large playlist files containing high-entropy or NOP-sled content
  • The PoC (exploit-db 8135) is a crash/DoS proof-of-concept only; the shellcode variable is named '$CoDe' but the file write uses '$c0de' (undefined), so the written file contains only the crash string and no shellcode. Actual code execution requires the corrected SEH exploit (exploit-db 8137)
  • The SEH exploit was tested specifically on Windows XP Pro SP2 French; the pop/pop/ret gadget address (0x722FC635 in msacm32.drv) is OS/patch-level specific and will differ on other builds
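
A file-triage scanner for the indicators above, added here as an example (it is not code from the advisory or from either referenced exploit): it flags over-long playlist entries and the encoder stub byte sequence in the four affected file types. `MAX_ENTRY_LEN`, the finding labels and the function names are assumptions of this example, not values from the sources.

```python
"""Triage playlist files for the CVE-2009-0885 indicators listed above."""
import sys
from pathlib import Path

PLAYLIST_EXTS = {".m3u", ".m3l", ".txt", ".lrc"}  # file types named in the advisory
STUB = bytes.fromhex("eb0359eb05e8f8ffffff")       # encoder stub prefix from the IOC list
MAX_ENTRY_LEN = 1024  # assumption: real playlist entries (paths, URLs) stay far below this


def scan_bytes(data):
    """Return a list of findings for the raw content of one playlist file."""
    findings = []
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    for lineno, line in enumerate(lines, start=1):
        if len(line) > MAX_ENTRY_LEN:
            # The trigger described above is an 'http://' entry followed by padding.
            is_url = line.lower().startswith(b"http://")
            kind = "long-url-entry" if is_url else "long-entry"
            findings.append(f"{kind}:line={lineno}:len={len(line)}")
    offset = data.find(STUB)
    if offset != -1:
        findings.append(f"encoder-stub:offset={offset}")
    return findings


def scan_tree(root):
    """Scan every playlist-type file under root; return only files with findings."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PLAYLIST_EXTS:
            found = scan_bytes(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    # Constructed samples, held in memory only.
    benign = b"#EXTM3U\r\n#EXTINF:215,Artist - Track\r\nhttp://radio.example/a.mp3\r\n"
    oversized = b"http://" + b"A" * 5000
    print("benign   :", scan_bytes(benign))
    print("oversized:", scan_bytes(oversized))
    for root in sys.argv[1:]:  # optional directories to sweep
        for path, found in scan_tree(root).items():
            print(path, found)
```

Matching on entry length rather than on the 'hakxer.<ext>' or 'exploit.m3u' file names keeps the check useful when a file has been renamed.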