CVE-2009-3429
published 2009-09-25


Priority: P347 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.05% (98.2th percentile)
Stack-based buffer overflow in Pirate Radio Destiny Media Player 1.61 allows remote attackers to execute arbitrary code via a long string in a .pls playlist file.

Affected

1 range
Vendor: pirateradio
Product: destiny_media_player
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

filename: exp.lst
filename: boom.m3u
filename: exploit.pls
filename: exploit_destiny.m3u
address: 0x00bf9d4d (jmp esp Destiny.exe)
bytes: \xD0\x69\x83\x7c (return address, lst exploit)
bytes: \xA6\x7B\x41\x00 (pop pop ret Destiny.exe SEH handler)
bytes: \xEB\x06\x90\x90 (short jump next SEH)
bytes: win32_exec shellcode (lst exploit): \x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b...
bytes: win32_exec shellcode (pls SEH exploit): \x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b...
  • Stack-based buffer overflow triggered by opening a crafted .pls, .m3u, or .lst playlist file in Destiny Media Player 1.61; overflow occurs at offset 2052 bytes for .lst files and ~31185 bytes for .m3u files.
  • For .m3u exploitation, the overflow is triggered at approximately 31185 bytes of input.
  • For .pls SEH-based exploitation, junk padding of 45224 bytes precedes the SEH overwrite.
  • Metasploit module targets Destiny Media Player 1.61 via file format exploit; payload space is 800 bytes with bad chars \x00\x0a\x0d\x3c\x22\x3e\x3d and AlphanumMixed encoder required.
  • Victim must manually open the malicious playlist file via File -> Open Playlist; this is a client-side file-format attack, not a network-delivered exploit.
  • SEH-based .pls exploit uses a pop/pop/ret gadget inside Destiny.exe at 0x00417BA6; monitor for SEH chain overwrites pointing into Destiny.exe image space.
  • Shellcode uses PexFnstenvSub encoder (Metasploit); detect FNSTENV-based shellcode decoder stubs in memory when Destiny Media Player processes playlist files.
  • The working .lst exploit was confirmed only on Windows XP SP3; the PoC version did not function correctly according to the author.
  • The Metasploit module's 'Destiny Universal' target ret address (0x00bf9d4d) was tested and confirmed by a third party (patrickw) on 2009-05-03; the Windows XP SP2 Spanish target uses a system DLL address (0x7c951eed) which may vary across patch levels.
  • The .pls SEH exploit instructs the victim to open the file directly (not via import), unlike the .lst exploit which requires import from within the program.