CVE-2009-1830
Published: 2009-05-29
Priority: P3 (53) · Severity: critical, CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see the Exploit-DB entries below)
EPSS: 8.57% (94.4th percentile)
Stack-based buffer overflow in Soulseek 156 and 157 NS allows remote attackers to execute arbitrary code via a long search query.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| slsknet | soulseek | 156.x | — (upgrade to 157 NS 13e) |
| slsknet | soulseek | 157 NS < 13e | 157 NS 13e |
Detection & IOCs (extracted from the sources listed below)
- bytes: \x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00
- bytes: \x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00
  Read as little-endian fields this is: total message length 0x0f01 = 3841, message code 0x2a, a 9-byte string "testt4321", a 4-byte value \xa4\x5a\x51\x44, then a declared query length 0x0ee8 = 3816. Since 4 + 4 + 9 + 4 + 4 + 3816 = 3841, the length field is self-consistent, and the published sample declares a 3816-byte query.
- Detect exploit traffic by matching the distinctive peer search request header bytes on TCP ports 2240/2242 followed by a large (~3084+ byte) search query; the oversized query is what drives the SEH overwrite. Note that the 12-byte anchor embeds the PoC's exact message length (0x0f01) and a 9-character username, so a rule that matches it only verbatim misses the same overflow sent with a different target username or payload size; key on the message code and the declared query length as well.
- The exploit triggers a remote SEH overwrite; monitor for structured exception handler chain corruption (overwrite of the SE handler pointer) in Soulseek processes on Windows.
- Alert on TCP connections to/from Soulseek server IP 208.76.170.50 on ports 2242 (157 NS branch) or 2240 (156.x branch) carrying oversized search query payloads. That address is the one hardcoded in the 2009 PoCs; confirm the server address the client actually uses before relying on it in a rule.
- The exploit payload begins with the fixed 12-byte header \x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00 for the search message type; use it as a network signature anchor for the published PoC.
- The SEH overwrite places the pop/pop/ret (p/p/r) gadget address 0x00401434 from SoulSeek.exe into the SE handler slot; memory forensics or crash dumps showing EIP/ECX pointing to this address indicate exploitation.
- The PoC exploits target a hardcoded victim username ('testt4321' / '123yow123'); real-world attacks would use arbitrary target usernames, so username-based filtering is insufficient.
- Port 2242 applies to the 157 NS branch; port 2240 applies to the 156.x branch. Detection rules must cover both ports.
- The vulnerability affects all Windows versions running Soulseek 156.x or 157 NS prior to 13e; the patched version is 157 NS 13e.
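Detection logic for the byte anchor above, as an added example (it is not taken from the page's sources or from the PoC authors). It assumes the framing read off the quoted bytes: a little-endian u32 message length, a u32 message code, and strings encoded as a u32 length followed by the bytes. The field names (username, token, query) and the reading of code 0x2a as a search directed at one user are my interpretation of those bytes, not a Soulseek specification. The example deliberately goes beyond the verbatim 12-byte anchor: it keys on the message code and the declared query length, so the same overflow with a different target username or payload size is still flagged, and it works on a capture truncated after the first TCP segment because the query length is a declared field rather than counted bytes. All sample messages are constructed, apart from the two byte strings quoted from the page.

```python
import struct

# Framing as read from the PoC bytes quoted above (an assumption, not a spec):
#   <u32 LE message length><u32 LE code><payload>, strings = <u32 LE len><bytes>
# The search the PoC sends has code 0x2a and payload: username, u32 token, query.
SEARCH_CODE = 0x2A
SERVER_PORTS = {2240, 2242}   # 156.x branch and 157 NS branch respectively
QUERY_THRESHOLD = 3084        # "~3084+ byte" heuristic quoted in the IOC notes

# The 12-byte anchor quoted on the page: length 0x0f01, code 0x2a, username length 9.
POC_HEADER = b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00"
# The 29-byte sample quoted on the page: header, "testt4321", token, query length 0x0ee8.
POC_SAMPLE = (b"\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00"
              b"\x74\x65\x73\x74\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00")


def _string(data: bytes) -> bytes:
    """Encode a string field: u32 LE length followed by the raw bytes."""
    return struct.pack("<I", len(data)) + data


def build_search(username: str, token: int, query: bytes) -> bytes:
    """Rebuild a code-0x2a search message so the length arithmetic is visible."""
    payload = (struct.pack("<I", SEARCH_CODE) + _string(username.encode())
               + struct.pack("<I", token) + _string(query))
    return struct.pack("<I", len(payload)) + payload


def parse_search(data: bytes):
    """Decode the fixed-layout prefix of one message.

    Returns None unless the message carries code 0x2a. Only the 12-byte header,
    the username and the two u32 fields after it need to be present, so a
    capture cut off after the first segment still yields the declared query
    length.
    """
    if len(data) < 12:
        return None
    msg_len, code, name_len = struct.unpack_from("<III", data, 0)
    if code != SEARCH_CODE:
        return None
    end = 12 + name_len
    if len(data) < end + 8:
        return None
    token, query_len = struct.unpack_from("<II", data, end)
    return {
        "msg_len": msg_len,
        "username": data[12:end].decode("latin-1"),
        "token": token,
        "query_len": query_len,
        # The length field must cover code + string(username) + token + string(query).
        "consistent": msg_len == 4 + 4 + name_len + 4 + 4 + query_len,
    }


def classify(data: bytes, port: int) -> str:
    """Label one message seen on a connection to/from a Soulseek server port.

    'poc-signature'    - matches the published 12-byte anchor verbatim
    'oversized-search' - a code-0x2a search whose declared query length meets
                         the threshold, whatever the username or exact size
    'benign'           - anything else, including traffic on other ports
    """
    if port not in SERVER_PORTS:
        return "benign"
    if data.startswith(POC_HEADER):
        return "poc-signature"
    info = parse_search(data)
    if info is not None and info["query_len"] >= QUERY_THRESHOLD:
        return "oversized-search"
    return "benign"


if __name__ == "__main__":
    # Constructed samples: the page's PoC prefix, a normal search, and a variant
    # with a different target username and payload size that the anchor misses.
    variant = build_search("123yow123", 0x1234, b"\x41" * 4000)
    for label, msg, port in [
        ("page sample", POC_SAMPLE, 2242),
        ("normal search", build_search("alice", 7, b"radiohead ok computer"), 2242),
        ("variant, full message", variant, 2240),
        ("variant, first 40 bytes only", variant[:40], 2240),
    ]:
        print(f"{label:30} -> {classify(msg, port)}")
```

Rebuilding the page's sample with `build_search("testt4321", 0x44515AA4, b"A" * 3816)` reproduces its first 29 bytes exactly, which is the check that the assumed framing is right. The verbatim anchor is kept only as a high-confidence match for the published PoC; the `oversized-search` path is what catches a re-targeted or re-padded copy of the same exploit.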
No detection rules found.
Exploit-DB · 2009-07-09
Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution (PoC)
---
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
- Release date: July 02, 2009
- Discovered by: Laurent Gaffié; http://g-laurent.blogspot.com/
- Severity: critical
I. VULNERABILITY
Soulseek 157 NS < 13e & 156.* Remote Peer Search Code Execution
II. BACKGROUND
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way t
Exploit-DB · 2009-05-26
Soulseek 157 NS - Remote Buffer Overflow (SEH)
---
#!/usr/bin/python
#[x] Bug :Soulseek 157 NS Remote Seh Overwrite Exploit
#[x] Credits & poc from : http://www.milw0rm.com/exploits/8777
#[x] Tested on : Windows Xp (sp3), Soulseek 157 NS 12d
#[x] The exploit attacks the user :"test4321"
import struct
import sys, socket
from time import *
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch
# Login message to the Soulseek server: u32 LE total length (0x48 = 72),
# u32 LE message code 1, then length-prefixed strings. Note that the declared
# username length below is 8 while "testt4321" is 9 bytes; the header comment
# names the user "test4321", which is 8.
request = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00"
request += "testt4321" # username
request += "\x08\x00\x00\x00"
request += "12345678" # password
request += "\xb5\x00\x00\x00\x20\x00\x00\x00" # u32 version field 0xb5 = 181, then a 32-byte string
request += "\x38\x65\x39\x31\x66\x37\x33\x30\x35\x35\x37\x31\x32\x35\x64\x37" # ASCII "8e91f730557125d7"
request += "\x34\x39\x32\x34\x62\x64\x66\x35\x6
Exploit-DB · 2009-05-26
Soulseek 157 NS x/156.x - Remote Distributed Search Code Execution
---
- Release date: May 24th, 2009
- Discovered by: Laurent Gaffié
- Severity: critical
I. VULNERABILITY
Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
II. BACKGROUND
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
sharing application.
One of the things that makes Soulseek(tm) unique is our community and
community-related features.
Based on peer-to-peer technology, virtual rooms allow you to meet people with
the same interests, share information, and chat freely using real-time messages
in public or private.
Soulseek(tm), with its built-in people matching system, is a great way to make
new friends and expand your mind!"
III. DESCRIPTION
Soulseek client allows distributed f
References
- http://archives.neohapsis.com/archives/fulldisclosure/2009-05/0210.html
- http://secunia.com/advisories/35186
- http://www.securityfocus.com/bid/35091
- http://www.vupen.com/english/advisories/2009/1427
- https://www.exploit-db.com/exploits/8777
- https://www.exploit-db.com/exploits/8804