CVE-2009-1831
published 2009-05-29


Priority P2 · 58 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public
EPSS: 36.34% (98.3th percentile)
The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Winamp before 5.552 allows remote attackers to execute arbitrary code via a crafted MAKI file, which triggers an incorrect sign extension, an integer overflow, and a stack-based buffer overflow.

Affected

74 ranges · showing 25

Vendor    Product  Version range  Fixed in
nullsoft  winamp   <= 5.55
(the remaining 24 rows shown are also nullsoft / winamp, with no version range or fixed-in value listed)

Detection & IOCs (extracted from sources)

filename: mcvcore.maki
filename: gen_ff.dll
path: ..//Winamp/Skins/Bento/Scripts/mcvcore.maki
other: RET 0x12f02bc3 (ppr from in_mod.dll)
other: Offset 16756
bytes: 46 47 03 04 17 00 00 00 2A 00 00 00 71 49 65 51 87 0D 51 4A 91 E3 A6 B5 32 35 F3 E7
  • Detect crafted MAKI files carrying the magic header bytes 46 47 03 04 and placed in the Winamp Bento skin scripts directory as mcvcore.maki; this is the consistent delivery mechanism across all public exploits.
  • The overflow trigger is a sequence of 11 0xFF bytes (FF FF FF FF FF FF FF FF FF FF FF) immediately following the MAKI header; monitor file writes containing this pattern in MAKI files.
  • The exploit overwrites SEH (Structured Exception Handler) records on the stack; look for SEH chain corruption patterns (short JMP over the handler pointer plus NOPs: EB 06 90 90) in stack memory during Winamp MAKI parsing.
  • The Metasploit module targets winamp.exe 5.5.5.2405 with a return address of 0x12f02bc3 (a pop/pop/ret gadget in in_mod.dll) at stack offset 16756; use this as a signature for exploit attempts against that specific version.
  • The crafted MAKI file structure includes the type GUID 71 49 65 51 87 0D 51 4A 91 E3 A6 B5 32 35 F3 E7 in the header; this GUID is consistent across all exploit samples and can serve as a file-based detection signature.
  • The exploit requires the victim to place mcvcore.maki into the Bento skin scripts directory by hand, or to be convinced to install a malicious skin; it is not a drive-by or network-reachable vector without user interaction.
  • Winamp 5.552 and later are not vulnerable; the fix changed movsx (sign-extending) to movzx (zero-extending) for the string size field in gen_ff.dll, preventing the integer overflow.
  • The Metasploit module's hardcoded RET address (0x12f02bc3 in in_mod.dll) is specific to Winamp 5.5.5.2405 on Windows XP SP3 / Windows 7 SP1; other versions or patch levels will require different offsets.
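An added detection helper, written for this page and not taken from cvebase or from any of the cited sources, that checks a MAKI blob for the indicators listed above (the 46 47 03 04 magic at offset 0, the type GUID, and a run of at least eleven 0xFF bytes after the header) and shows why the movsx-to-movzx fix matters by decoding a length field both signed and unsigned. The sample bytes are constructed, and because the page does not state the exact header length the scanner looks for the 0xFF run anywhere after the magic.

```python
import re

# Indicators quoted from the CVE-2009-1831 detection notes above.
MAKI_MAGIC = bytes.fromhex("46470304")
TYPE_GUID = bytes.fromhex("71496551870D514A91E3A6B53235F3E7")
FF_RUN = re.compile(rb"\xff{11,}")  # the 11-byte 0xFF trigger sequence


def extend_length(raw: bytes) -> tuple[int, int]:
    """Decode a little-endian length field both ways.

    The vulnerable gen_ff.dll sign-extended the string size (movsx), so a
    field with its top bit set becomes negative and slips past a signed
    upper-bound check; the fixed build zero-extends it (movzx).
    """
    signed = int.from_bytes(raw, "little", signed=True)
    unsigned = int.from_bytes(raw, "little", signed=False)
    return signed, unsigned


def passes_signed_bound(raw: bytes, limit: int) -> bool:
    """True when a signed '< limit' check accepts the field although its
    unsigned value exceeds the limit: the bug class this CVE describes."""
    signed, unsigned = extend_length(raw)
    return signed < limit and unsigned >= limit


def scan_maki(data: bytes) -> dict:
    """Report which of the published indicators a MAKI blob matches."""
    ff = FF_RUN.search(data, len(MAKI_MAGIC))
    findings = {
        "maki_magic": data.startswith(MAKI_MAGIC),
        "type_guid": TYPE_GUID in data,
        "ff_run_offset": ff.start() if ff else None,
    }
    # The magic alone is just a skin script; flag it when it co-occurs with
    # the overflow trigger or the GUID seen in every exploit sample.
    findings["suspicious"] = findings["maki_magic"] and (
        findings["type_guid"] or findings["ff_run_offset"] is not None
    )
    return findings


# Constructed samples (not real files): the header bytes from the IOC list
# followed by the 0xFF run, and a benign script header with zero padding.
CRAFTED = (bytes.fromhex("46470304170000002A000000") + TYPE_GUID
           + b"\xff" * 11 + b"\x00" * 8)
BENIGN = MAKI_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    print(scan_maki(CRAFTED))
    print(scan_maki(BENIGN))
    print(extend_length(b"\xff\xff\xff\xff"))
```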