CVE-2009-4656
published 2010-03-03


Priority: P3 · 47
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 31.72% (98.1th percentile)
Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2 including 4.2.2.7.5, and 5.x including 5.1.4.3.1, allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a playlist file (.pls) containing a long string. NOTE: some of these details are obtained from third party information.

Affected (4 ranges)

Vendor       Product         Version range   Fixed in
e-soft.co    dj_studio_pro   (not given)     (not given)
e-soft.co    dj_studio_pro   (not given)     (not given)
e-soft.co    dj_studio_pro   (not given)     (not given)
e-soft.co    dj_studio_pro   (not given)     (not given)

Detection & IOCs (extracted from sources)

filename: boom.pls
filename: crash.pls
filename: msf.pls
other: pop-pop-ret gadget @ 0x014FC62D [djstudiopro.exe]
process: DJStudioPro.exe
bytes: \xeb\x06\x90\x90\x2d\xc6\x4f\x01
bytes: \xda\xdc\xd9\x74\x24\xf4\x5d\x55\x59\x49\x49\x49\x49\x49
  • Malicious .pls file triggers SEH-based stack buffer overflow; look for .pls files with a padding block of 1308 bytes followed by a short JMP (\xeb\x06\x90\x90) and SEH overwrite at offset 1308+4.
  • SEH overwrite targets pop-pop-ret gadget at fixed address 0x014FC62D inside djstudiopro.exe; presence of this address in a .pls file is a strong exploit indicator.
  • Payload bad characters are \x00, \x0a, and \x3d (null, newline, equals sign); encoded shellcode in a .pls file will avoid these bytes.
  • Simpler crash PoC writes 350,000 'A' characters into a .pls file; any .pls file exceeding normal playlist size bounds warrants inspection.
  • The fixed ROP/SEH gadget address (0x014FC62D) is specific to DJStudioPro.exe version 5.1.6.5.2 on Windows XP SP2 EN; the exploit will not work reliably against other versions or OS configurations without a new gadget address.
  • Remote exploitation via browser requires the .pls file extension to be registered to DJ Studio Pro; this vector was not tested in the Metasploit module.
  • The Metasploit module uses a stack adjustment of -3500 bytes to accommodate the payload space of 5000 bytes; payloads exceeding this space or requiring different adjustments will need reconfiguration.
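The indicators above can be turned into a simple file check. The following is an added example, not code from the source or the vendor: it scans the raw bytes of a .pls file for the JMP+gadget sequence, the 1308-byte padding block, the bare gadget address, and the oversized single-character crash pattern. The size and run thresholds are assumptions, and the sample playlists are constructed here.

```python
"""Check a .pls file's raw bytes for the CVE-2009-4656 indicators listed above."""

# Byte sequences from the IOC list: short JMP (\xeb\x06\x90\x90) followed by the
# little-endian pop-pop-ret address 0x014FC62D, and the 1308-byte padding block.
GADGET_LE = (0x014FC62D).to_bytes(4, "little")      # b"\x2d\xc6\x4f\x01"
SEH_SIGNATURE = b"\xeb\x06\x90\x90" + GADGET_LE
PADDING_LEN = 1308
SIZE_LIMIT = 64 * 1024      # assumption: playlists larger than this warrant a look
RUN_LIMIT = 10_000          # assumption: threshold for the 'A' * 350000 crash pattern


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect_pls(data: bytes) -> list[str]:
    """Return the indicators found; an empty list means nothing matched."""
    hits = []
    if len(data) > SIZE_LIMIT:
        hits.append(f"oversized playlist ({len(data)} bytes)")
    if GADGET_LE in data:
        hits.append("pop-pop-ret gadget address 0x014FC62D present")
    idx = data.find(SEH_SIGNATURE)
    if idx != -1:
        hits.append(f"JMP+SEH overwrite sequence at offset {idx}")
        block = data[max(0, idx - PADDING_LEN):idx]   # bytes just before the JMP
        if len(block) == PADDING_LEN and len(set(block)) == 1:
            hits.append(f"{PADDING_LEN}-byte uniform padding before the JMP")
    run = longest_run(data)
    if run >= RUN_LIMIT:
        hits.append(f"run of {run} identical bytes")
    return hits


# Constructed samples (not real exploit files): a normal playlist, a file laid out
# like the SEH indicators describe with NOP filler in place of any payload, and the
# oversized single-character crash pattern.
BENIGN_PLS = b"[playlist]\nFile1=track01.mp3\nTitle1=Track 1\nNumberOfEntries=1\n"
SEH_PLS = b"[playlist]\nFile1=" + b"A" * PADDING_LEN + SEH_SIGNATURE + b"\x90" * 32 + b"\n"
CRASH_PLS = b"[playlist]\nFile1=" + b"A" * 350_000 + b"\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_PLS), ("seh", SEH_PLS), ("crash", CRASH_PLS)]:
        print(name, inspect_pls(sample) or ["no indicators"])
```

To check a real file, pass the result of `open(path, "rb").read()` to `inspect_pls`; a non-empty list is a reason to quarantine the playlist rather than open it.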