CVE-2009-1830
published 2009-05-29

CVE-2009-1830: Stack-based buffer overflow in Soulseek 156 and 157 NS allows remote attackers to execute arbitrary code via a long search query.

Priority: P353 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 8.57% (94.4th percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
slsknet | soulseek | |
slsknet | soulseek | |

Detection & IOCs (extracted from sources)

ip: 208.76.170.50
port: 2242
port: 2240
registry: SoulSeek.exe base address 0x00401434 (p/p/r gadget)
bytes: \x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00
bytes: \x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00
  • Detect exploit traffic by matching the distinctive peer search request header bytes on TCP ports 2240/2242 followed by a large (~3084+ byte) payload — indicative of the SEH overwrite buffer overflow.
  • The exploit triggers a remote SEH overwrite; monitor for structured exception handler chain corruption (overwrite of SE handler pointer) in Soulseek processes on Windows.
  • Alert on TCP connections to/from Soulseek server IP 208.76.170.50 on ports 2242 (157 NS branch) or 2240 (156.x branch) carrying oversized search query payloads.
  • The exploit payload begins with the fixed 12-byte header \x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00 for the distributed search message type; use this as a network signature anchor.
  • The SEH overwrite places the p/p/r gadget address 0x00401434 from SoulSeek.exe into the SE handler slot; memory forensics or crash dumps showing EIP/ECX pointing to this address indicate exploitation.
  • The PoC exploits target a hardcoded victim username ('testt4321' / '123yow123'); real-world attacks would use arbitrary target usernames, so username-based filtering is insufficient.
  • Port 2242 applies to the 157 NS branch; port 2240 applies to the 156.x branch. Detection rules must cover both ports.
  • The vulnerability affects all Windows versions running Soulseek 156.x or 157 NS prior to 13e; patched version is 157 NS 13e.