cbcvebase.
CVE-2009-2484
published 2009-07-16

CVE-2009-2484: Stack-based buffer overflow in the Win32AddConnection function in modules/access/smb.c in VideoLAN VLC media player 0.9.9, when running on Microsoft Windows…

Priority: P351 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT: public exploit available
EPSS: 35.11% (98.2nd percentile)
Stack-based buffer overflow in the Win32AddConnection function in modules/access/smb.c in VideoLAN VLC media player 0.9.9, when running on Microsoft Windows, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long smb URI in a playlist file.

Affected (2 ranges)

Vendor     Product            Version range   Fixed in
debian     vlc                (not listed)    (not listed)
videolan   vlc_media_player   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: vlc_smb.xspf
url: http://[vulnerable_ip]:8080/requests/status.xml?command=in_play&input=smb://
port: 8080
other: 0x6b54543e
other: 0x65414141
path: modules/access/smb.c
  • Detect malicious .xspf playlist files containing an oversized smb:// URI; the exploit embeds the payload in the URI, formatted as smb://<payload>@<host>/<share>/
  • The exploit targets libvout_directx_plugin.dll with a ROP gadget (add esp,0xcc / pop ebx / pop esi / pop edi / pop ebp / ret); presence of this DLL in VLC process memory combined with smb:// URI processing is a strong indicator
  • Payload space is limited to 1024 bytes and null bytes are bad characters; the smb:// URI structure places the encoded payload in the username field before the @ sign
  • The vulnerability is only present in Win32 builds of VLC; Linux/macOS builds are not affected
  • Affected versions are 0.9.9 through 1.0.1; the Metasploit target is specifically tuned for VLC 0.9.9 on Windows XP SP3
  • The VLC web interface trigger vector requires the web interface to be enabled (disabled by default); the primary attack vector is a crafted .xspf playlist file
  • The windows/meterpreter/reverse_ord_tcp payload does not work with this exploit; only windows/exec and windows/meterpreter/reverse_tcp were confirmed functional
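As an added example (not from this page's sources or the VLC project), a small Python scanner that implements the first detection bullet: it parses an XSPF playlist and flags any smb:// location whose userinfo field (everything before the @) is far longer than a real username would be. The 128-byte threshold and the sample playlist are constructed assumptions for this example.

```python
"""Scan XSPF playlists for oversized smb:// URIs (CVE-2009-2484 indicator)."""
import xml.etree.ElementTree as ET

# Assumed threshold: a real smb:// username is short, while the overflow
# described above needs a userinfo field hundreds of bytes long.
MAX_USERINFO_LEN = 128


def smb_userinfo_len(uri: str) -> int:
    """Byte length of the userinfo part (before the last '@' in the authority)
    of an smb:// URI; 0 for non-smb URIs or URIs without userinfo."""
    if not uri.lower().startswith("smb://"):
        return 0
    authority = uri[len("smb://"):].split("/", 1)[0]
    userinfo, sep, _host = authority.rpartition("@")
    return len(userinfo.encode("utf-8")) if sep else 0


def scan_xspf(xml_text: str) -> list[dict]:
    """One finding per <location> whose smb:// userinfo exceeds the threshold."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():  # tags are namespaced, so match on the suffix
        if not elem.tag.endswith("location") or not elem.text:
            continue
        uri = elem.text.strip()
        n = smb_userinfo_len(uri)
        if n > MAX_USERINFO_LEN:
            findings.append({"uri": uri[:40] + "...", "userinfo_len": n})
    return findings


# Constructed sample playlist: one normal SMB track and one with a
# 600-byte userinfo field in the smb://<userinfo>@<host>/<share>/ shape.
SAMPLE_XSPF = f"""<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><location>smb://fileserver/music/track01.mp3</location></track>
    <track><location>smb://{'A' * 600}@host/share/</location></track>
  </trackList>
</playlist>
"""

if __name__ == "__main__":
    for f in scan_xspf(SAMPLE_XSPF):
        print(f"suspicious smb URI: userinfo={f['userinfo_len']} bytes, {f['uri']}")
```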

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_debian: 9.3, LOW