CVE-2009-2566
published 2009-07-21

Priority: P346
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.07% (98.0th percentile)

Stack-based buffer overflow in TFM MMPlayer 2.0, and possibly 2.0.0.30, allows remote attackers to execute arbitrary code via a long string in a playlist (.m3u) file.

Affected

1 range
Vendor: tfm
Product: mmplayer
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: exploit.m3u
url: http://www.tfm.ro/mmplayer/download/mmplayer.zip
bytes: \xEB\xED\x41\x42
bytes: \xB4\x28\x40\x00
bytes: \xE9\x03\xF0\xFF\xFF
  • The exploit triggers via a malformed .m3u or .ppl playlist file containing an overly long string; monitor file-open events for MMPlayer processing .m3u/.ppl files with anomalously large content.
  • The exploit payload is 4088+ bytes prepended with the marker string 'D_Z' before the shellcode; presence of this pattern in a .m3u/.ppl file is a strong indicator of exploitation.
  • SEH overwrite at offset 4088 (minus shellcode length) with a hardcoded SEH handler address 0x004028B4; look for SEH chain corruption in MMPlayer process memory pointing to this address.
  • The exploit uses a PexAlphaNum-encoded win32_exec shellcode (343 bytes) with EXITFUNC=seh; alphanumeric shellcode in a playlist file is anomalous and detectable via content inspection.
  • The hardcoded SEH handler address (0x004028B4) is specific to TFM MMPlayer 2.0 on Windows XP Pro SP2 (Fr); this address will differ on other versions or service packs.
  • The Metasploit module targets MMPlayer 2.2, while the NVD advisory references versions 2.0 and possibly 2.0.0.30; the exact vulnerable version range should be confirmed before deploying detections scoped to a specific version.
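
The content-inspection checks listed above can be combined into one playlist scanner. This is an added example, not code from the advisory or its sources; the thresholds, function names and sample inputs are assumptions made for illustration, while the 'D_Z' marker and the handler address bytes are taken from the notes above.

```python
from pathlib import Path
import re

# Thresholds are assumptions for this example, not values from the advisory.
MAX_LINE_BYTES = 1024   # ordinary playlist entries are short paths or URLs
MIN_ALNUM_RUN = 256     # the notes cite a 343-byte alphanumeric-encoded payload
MARKER = b"D_Z"         # marker string named in the detection notes
SEH_ADDR = b"\xB4\x28\x40\x00"  # 0x004028B4 little-endian; build-specific per the notes

ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % MIN_ALNUM_RUN)

# Constructed sample inputs (inert filler only).
BENIGN = (b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\n"
          b"C:\\Music\\track01.mp3\r\nhttp://example.com/stream.mp3\r\n")
SUSPECT = b"#EXTM3U\r\n" + b"D_Z" + b"A" * 4200 + b"\r\n"


def inspect_playlist(data: bytes) -> list:
    """Return the names of the heuristics that fire on raw playlist bytes."""
    findings = []
    if any(len(line) > MAX_LINE_BYTES for line in re.split(rb"\r?\n", data)):
        findings.append("overlong_line")
    if ALNUM_RUN.search(data):
        findings.append("long_alphanumeric_run")
    if MARKER in data:
        findings.append("marker_D_Z")
    if SEH_ADDR in data:
        findings.append("seh_handler_address")
    # Control bytes other than tab/LF/VT/FF/CR do not belong in a text playlist.
    if any(b < 0x09 or 0x0E <= b < 0x20 for b in data):
        findings.append("control_bytes")
    return findings


def scan_tree(root) -> dict:
    """Map each .m3u/.ppl file under root that trips a heuristic to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".m3u", ".ppl"):
            findings = inspect_playlist(path.read_bytes())
            if findings:
                hits[str(path)] = findings
    return hits


if __name__ == "__main__":
    print("benign :", inspect_playlist(BENIGN))
    print("suspect:", inspect_playlist(SUSPECT))
```

The line-length and alphanumeric-run checks do not depend on the build-specific handler address, so they still apply where the second-to-last caveat above rules that address out.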