CVE-2009-2650
published 2009-07-30


Priority: P3 (47), critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 30.69% (98.0th percentile)
Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 Build 020124 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .m3u or possibly (2) .pst file.

Affected (1 range)

Vendor: sorcerersoftware
Product: multimedia_jukebox
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: metasploit.m3u
filename: mr_mes-wicked_miX.pls
filename: hack4love.m3u
registry: 0x02951457
registry: 0x02291457
registry: 0x1001296f
bytes: \x68\x74\x74\x70\x3a\x2f\x2f ("http://")
bytes: \xeb\x06\x90\x90 (short JMP +6 followed by two NOPs)
  • The exploit triggers on .m3u or .pls files that begin with a 'http://' header string followed by ~262 bytes of padding before the SEH overwrite. Look for abnormally large .m3u/.pls files with this structure.
  • The .pls exploit requires a [playlist] header with 'File1=http://' to trigger the overflow; monitor for malformed .pls files containing this header followed by large buffers.
  • The SEH overwrite occurs at offset 262 bytes into the payload buffer; a buffer of 262 'A' characters followed by a short JMP and SEH handler address is the exploit pattern.
  • The PoC for MultiMedia Jukebox 4.0 uses a 5000-byte 'A' string written to a .m3u file to trigger the heap overflow; large .m3u files with repetitive byte patterns are suspicious.
  • The Metasploit module targets dsp_mjMain.dll for its pop/pop/ret gadget; monitor for Media Jukebox loading this DLL and executing unusual code paths from it.
  • The universal SEH exploit uses wnaspi32.dll as the pop/pop/ret gadget source; presence of wnaspi32.dll loaded in Media Jukebox process space during file parsing is notable.
  • Bad characters for payload encoding include null bytes and common URL/path delimiters; payloads will avoid these bytes: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x30
  • The Metasploit module RET addresses are version- and SP-specific for dsp_mjMain.dll; the XP SP3 address (0x02951457) differs from XP SP2 (0x02291457), so detection based on these addresses is OS-patch-level dependent.
  • The .pls exploit uses a 'universal' SEH gadget from wnaspi32.dll (0x1001296f) claimed to work across Windows XP and Vista, but this relies on a fixed base address for wnaspi32.dll (no ASLR).
  • The NVD entry references MultiMedia Jukebox 4.0 Build 020124, while the exploit-db modules target Media Jukebox 8.0.400; these are different product versions and the CVE may apply to both or only one.
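One way to turn the file-structure notes above into a scanner for suspicious .m3u/.pls files, as an added example (not code from cvebase or from any referenced module); the thresholds, the constructed sample files and the function names are assumptions drawn from the bullets:

```python
import re

# Thresholds come from the detection notes above: the PoCs place the SEH overwrite
# 262 bytes into the URL field, use a \xeb\x06\x90\x90 short-jump stub, and the
# MultiMedia Jukebox 4.0 PoC is a 5000-byte 'A' string.
URL_PAD_LIMIT = 262   # bytes after "http://" before the SEH overwrite
RUN_LIMIT = 256       # same-byte run length no real playlist entry reaches (assumption)
JMP_STUB = b"\xeb\x06\x90\x90"

def check_entry(entry: bytes) -> list[str]:
    """Heuristics for one playlist entry (an .m3u line or a .pls FileN= value)."""
    findings = []
    if entry.lower().startswith(b"http://") and len(entry) - 7 >= URL_PAD_LIMIT:
        findings.append(f"http:// entry carries {len(entry) - 7} bytes after the scheme")
    run = re.search(rb"(.)\1{%d,}" % (RUN_LIMIT - 1), entry)
    if run:
        findings.append(f"run of {len(run.group(0))} x {run.group(1)!r}")
    if JMP_STUB in entry:
        findings.append("short-jump/NOP stub \\xeb\\x06\\x90\\x90 present")
    return findings

def scan_playlist(name: str, data: bytes) -> list[str]:
    """Findings for one .m3u or .pls file body; an empty list means nothing matched."""
    lower = name.lower()
    if lower.endswith(".pls"):
        # The .pls trigger needs a [playlist] header and a FileN=http:// entry.
        if not data.lstrip().lower().startswith(b"[playlist]"):
            return []
        entries = [m.group(1) for m in re.finditer(rb"^File\d+=([^\r\n]*)", data, re.M)]
    elif lower.endswith(".m3u"):
        entries = [ln.rstrip(b"\r") for ln in data.split(b"\n")
                   if ln.strip() and not ln.startswith(b"#")]
    else:
        return []
    out = []
    for idx, entry in enumerate(entries, 1):
        out += [f"entry {idx}: {f}" for f in check_entry(entry)]
    return out

# Constructed sample files (not real captures); "BBBB" stands in for a handler address.
SAMPLES = {
    "benign.m3u": b"#EXTM3U\nhttp://example.invalid/song.mp3\n",
    "padded.m3u": b"http://" + b"A" * 262 + JMP_STUB + b"BBBB\n",
    "filler.m3u": b"A" * 5000,
    "padded.pls": b"[playlist]\nFile1=http://" + b"A" * 300 + b"\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, scan_playlist(fname, body) or "clean")
```

The run-length and padding thresholds are deliberately loose so the check stays useful on other players' playlist parsers; tune them against your own corpus of legitimate playlists before alerting on them.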