CVE-2009-2485
published 2009-07-16

CVE-2009-2485: Stack-based buffer overflow in HT-MP3Player 1.0 allows remote attackers to execute arbitrary code via a long string in a .ht3 file.

Priority: P348 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: yes
EPSS: 58.10% (99.0th percentile)

Affected

1 range

Vendor | Product      | Version range | Fixed in
tingan | ht-mp3player | -             | -

Detection & IOCs (extracted from sources)

  • Stack-based SEH buffer overflow triggered by a malicious .ht3 file; overflow occurs at offset 4108 bytes before the SEH record is overwritten.
  • Exploit payload space is 4108 bytes; bad characters include null byte, LF, CR, and bytes 0x80–0xCF, requiring AlphanumMixed encoding — detect alphanumeric-encoded shellcode in .ht3 files.
  • The exploit uses a pop/pop/ret gadget at 0x00406cff inside HTMP3Player.exe to pivot SEH execution; monitor for SEH-based exploitation of this process.
  • Crash/exploitation can be detected by a read from address 0xf0f0f0f0 at offset 4096 within the .ht3 payload buffer.
  • The file type .ht3 is not registered by the HT-MP3Player installer; a user must manually load the file, indicating a social-engineering delivery vector to watch for.
  • Universal exploit prefixes payload buffer with the ASCII string 'D_Z' before shellcode; this marker can be used as a file-content signature for malicious .ht3 files.
  • The Metasploit module targets only HT-MP3Player 1.0 on Windows; no other versions or platforms are listed as targets.
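The file-content indicators above (the 'D_Z' marker, a single string long enough to reach the SEH record at 4108 bytes, and shellcode confined to the AlphanumMixed character set) can be turned into a static triage check for .ht3 files. The scanner below is an added example for this record, not code from the CVE sources or the Metasploit module; it assumes .ht3 is a line-oriented text format and uses an assumed 200-byte alphanumeric-run threshold, and its two sample files are constructed.

```python
"""Heuristic triage of .ht3 files for CVE-2009-2485 indicators (HT-MP3Player 1.0)."""
import re
import string

MARKER = b"D_Z"        # ASCII prefix placed before the shellcode by the universal exploit
SEH_OFFSET = 4108      # payload bytes available before the SEH record is overwritten
MIN_ALNUM_RUN = 200    # assumed threshold for an AlphanumMixed-encoded shellcode run
ALNUM = set((string.ascii_letters + string.digits).encode())
# NUL, LF and CR are "bad characters" for this exploit, so the overflowing
# string is one contiguous field that contains none of them.
FIELD_SPLIT = re.compile(rb"[\x00\r\n]")


def longest_alnum_run(data: bytes) -> int:
    """Length of the longest run of ASCII letters/digits in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in ALNUM else 0
        best = max(best, cur)
    return best


def scan_ht3(data: bytes) -> dict:
    """Return the indicators found in one .ht3 file and a combined verdict."""
    findings = []
    marker_at = data.find(MARKER)
    if marker_at != -1:
        findings.append(f"'D_Z' marker at offset {marker_at}")
    longest_field = max(len(f) for f in FIELD_SPLIT.split(data))
    if longest_field >= SEH_OFFSET:
        findings.append(f"field of {longest_field} bytes reaches the SEH record "
                        f"offset ({SEH_OFFSET})")
    run = longest_alnum_run(data)
    if run >= MIN_ALNUM_RUN:
        findings.append(f"alphanumeric run of {run} bytes "
                        f"(possible AlphanumMixed-encoded shellcode)")
    # Any single indicator can occur in odd-but-legitimate files; require two.
    return {"suspicious": len(findings) >= 2, "findings": findings}


# Constructed samples: a plausible benign playlist entry and a file carrying
# the marker plus an oversized filler string (no shellcode involved).
BENIGN_SAMPLE = b"title=Song One\r\nfile=C:\\Music\\song1.mp3\r\n"
SUSPECT_SAMPLE = b"title=" + MARKER + (b"J" * 4200) + b"\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, scan_ht3(sample))
```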