CVE-2009-1641
published 2009-05-15

Priority: P348
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 30.92% (98.0th percentile)
Multiple stack-based buffer overflows in Mini-stream Ripper 3.0.1.1 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.

Affected (1 range)

Vendor: mini-stream
Product: ripper
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

filename: gnk.asx
filename: gnk.ram
command: rtsp://GGGGG...(26117 bytes)
  • Buffer overflow in .asx file triggered by an oversized HREF attribute in a REF element; look for REF HREF values exceeding ~26110 bytes in .asx files.
  • Buffer overflow in .ram file triggered by an oversized rtsp:// URL; look for rtsp:// URLs exceeding ~26117 bytes in .ram files.
  • Exploit uses a NOP sled of 16 bytes (\x90 x 16) followed by PexFnstenvSub-encoded win32_exec shellcode (160 bytes, CMD=calc) in both .asx and .ram payloads; scan file content for this NOP+shellcode pattern.
  • Return address \x5D\x38\x82\x7C points into Kernel32.dll on Windows XP SP2; presence of this 4-byte sequence after a large padding block in .asx/.ram files is a strong exploit indicator.
  • Exploit payload structure in .ram file: 'rtsp://' followed by ~26117 'G' characters, then the return address, NOP sled, and shellcode — detect abnormally long rtsp:// strings in .ram files.
  • Vulnerable application is Mini-stream Ripper version 3.0.1.1; also affects Shadow Stream Recorder 3.0.1.7 via the same .asx file vector.
  • Exploits were tested specifically on Windows XP SP2; the hardcoded return address (\x5D\x38\x82\x7C in Kernel32.dll) is OS/patch-level specific and will not work reliably on other Windows versions.
  • The .asx exploit file may need to be placed at the root of a drive/partition to function correctly.

CVSS provenance

NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
Vendor (Red Hat): 7.8 HIGH