CVE-2009-1641
Published 2009-05-15
Priority: P348, critical, 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 30.92% (98.0th percentile)
Multiple stack-based buffer overflows in Mini-stream Ripper 3.0.1.1 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mini-stream | ripper | — | — |
Detection & IOCs (extracted from sources)
- Buffer overflow in .asx file triggered by an oversized HREF attribute in a REF element; look for REF HREF values exceeding ~26110 bytes in .asx files.
- Buffer overflow in .ram file triggered by an oversized rtsp:// URL; look for rtsp:// URLs exceeding ~26117 bytes in .ram files.
- Exploit uses a NOP sled of 16 bytes (\x90 x 16) followed by PexFnstenvSub-encoded win32_exec shellcode (160 bytes, CMD=calc) in both .asx and .ram payloads; scan file content for this NOP+shellcode pattern.
- Return address \x5D\x38\x82\x7C points into Kernel32.dll on Windows XP SP2; presence of this 4-byte sequence after a large padding block in .asx/.ram files is a strong exploit indicator.
- Exploit payload structure in .ram file: 'rtsp://' followed by ~26117 'G' characters, then the return address, NOP sled, and shellcode; detect abnormally long rtsp:// strings in .ram files.
- Vulnerable application is Mini-stream Ripper version 3.0.1.1; also affects Shadow Stream Recorder 3.0.1.7 via the same .asx file vector.
- Exploits were tested specifically on Windows XP SP2; the hardcoded return address (\x5D\x38\x82\x7C in Kernel32.dll) is OS/patch-level specific and will not work reliably on other Windows versions.
- The .asx exploit file may need to be placed at the root of a drive/partition to function correctly.
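A file scanner for the length and NOP-run indicators listed above, added here as an example and not taken from the page's sources. The 2048-byte limit, the name `scan_playlist` and the sample files are assumptions constructed for illustration.

```python
import re

# Assumed limit for this example: the page reports overflow at roughly
# 26110 (.asx HREF) and 26117 (.ram rtsp URL) bytes, while legitimate
# playlist URLs are far shorter, so a much lower threshold is used.
MAX_URL_BYTES = 2048

# HREF value of a REF element; stops at a quote, '>' or end of data so an
# unterminated attribute is still measured.
ASX_HREF = re.compile(rb"<\s*ref\b[^>]*?\bhref\s*=\s*[\"']?([^\"'>]*)", re.I)
# rtsp:// URL up to the end of its line in a .ram file.
RAM_RTSP = re.compile(rb"rtsp://[^\r\n]*", re.I)
# Run of 16 or more 0x90 bytes, the sled length the page reports.
NOP_RUN = re.compile(rb"\x90{16,}")


def scan_playlist(filename, data, max_url_bytes=MAX_URL_BYTES):
    """Return a list of findings for the raw bytes of one .asx or .ram file."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext == "asx":
        values = [("REF HREF", m.group(1)) for m in ASX_HREF.finditer(data)]
    elif ext == "ram":
        values = [("rtsp URL", m.group(0)) for m in RAM_RTSP.finditer(data)]
    else:
        return []  # not a playlist type covered by this CVE
    findings = []
    for kind, value in values:
        if len(value) > max_url_bytes:
            findings.append(f"{kind} is {len(value)} bytes (limit {max_url_bytes})")
        if NOP_RUN.search(value):
            findings.append(f"{kind} contains a run of 16+ 0x90 bytes")
    return findings


# Constructed sample inputs (harmless filler only).
SAMPLE_ASX_OK = (b'<ASX version="3.0"><ENTRY>'
                 b'<REF HREF="http://media.example/a.wmv"/></ENTRY></ASX>')
SAMPLE_ASX_LONG = (b'<asx version="3.0"><entry><ref href="http://'
                   + b"A" * 30000 + b'"/></entry></asx>')
SAMPLE_RAM_LONG = b"rtsp://" + b"A" * 30000 + b"\x90" * 16 + b"\r\n"

if __name__ == "__main__":
    for name, blob in [("ok.asx", SAMPLE_ASX_OK),
                       ("long.asx", SAMPLE_ASX_LONG),
                       ("long.ram", SAMPLE_RAM_LONG)]:
        print(name, scan_playlist(name, blob) or "clean")
```
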
CVSS provenance
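| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | | 7.8 | HIGH | |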
No detection rules found.
Exploit-DB
Mini-stream Ripper 3.0.1.1 - '.asx' 'HREF' Local Buffer Overflow
exploitdb·2009-05-07
---
#!/usr/bin/perl
=gnk
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
____ _ _ _ _ ___ _ __
/ ___| | || | | \ | | / _ \ | |/ /
| | _ | || |_ | \| | | | | | | ' /
| |_| | |__ _| | |\ | | |_| | | . \
\____| |_| |_| \_| \___/ |_|\_\...From Iran
Mini-stream Ripper 3.0.1.1 .ASX File (HREF) Local Buffer Overflow Exploit
[»] Script:.............[ Mini-stream Ripper 3.0.1.1 ]..................
[»] Website:............[ http://mini-stream.net/ ].....................
[»] Today:..............[ 07052009 ]....................................
[»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........
[x] test
Exploit-DB
Mini-stream Ripper 3.0.1.1 - '.RAM' Local Buffer Overflow
exploitdb·2009-05-07
---
#!/usr/bin/perl
=gnk
_ _ _ _ _ _
/ \ | | | | / \ | | | |
/ _ \ | | | | / _ \ | |_| |
/ ___ \ | |___ | |___ / ___ \ | _ |
IN THE NAME OF /_/ \_\ |_____| |_____| /_/ \_\ |_| |_|
____ _ _ _ _ ___ _ __
/ ___| | || | | \ | | / _ \ | |/ /
| | _ | || |_ | \| | | | | | | ' /
| |_| | |__ _| | |\ | | |_| | | . \
\____| |_| |_| \_| \___/ |_|\_\...From Iran
Mini-stream Ripper 3.0.1.1 (.RAM) Local Buffer Overflow Exploit
[»] Script:.............[ Mini-stream Ripper 3.0.1.1 ]..................
[»] Website:............[ http://mini-stream.net/ ].....................
[»] Today:..............[ 07052009 ]....................................
[»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........
[x] tested on "Windows XP
Metasploit
Shadow Stream Recorder 3.0.1.7 Buffer Overflow
metasploit
This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7. Using the application to open a specially crafted asx file, a buffer overflow may occur to allow arbitrary code execution under the context of the user.
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/34860
- http://www.securityfocus.com/bid/34864
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50375
- https://www.exploit-db.com/exploits/8631
- https://www.exploit-db.com/exploits/8632
Published: 2009-05-15