CVE-2009-5109
published 2011-12-25

CVE-2009-5109: Stack-based buffer overflow in Mini-Stream Ripper 3.0.1.1 allows remote attackers to execute arbitrary code via a long entry in a .pls file.

Priority: P354 critical · CVSS 2.0 score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 32.82% (98.1th percentile)

Affected (1 range)

Vendor/Product: mini-streamripper; Version range: -; Fixed in: -

Detection & IOCs (extracted from sources)

Filenames: astley.pls, mini-stream-ripper.pls, msf.pls
Return addresses: 0x7e429353, 0x7c941eed, 0x0146b87b
Path: C:\Program Files\Mini-stream\Mini-stream Ripper
Byte patterns (little-endian return addresses): \x53\x93\x42\x7e, \xed\x1e\x94\x7c
  • Detect creation or loading of malicious .pls files with oversized entries (>17400 bytes) targeting Mini-Stream Ripper 3.0.1.1; the saved return address (EIP) is overwritten at an offset of 17417 bytes.
  • Monitor for use of the JMP ESP gadgets at 0x7e429353 (USER32.dll) or 0x7c941eed (SHELL32.dll) as return addresses in stack-based overflow exploitation of Mini-Stream Ripper on Windows XP SP2/SP3.
  • Detect HTTP responses serving .pls files with Content-Type 'application/pls+xml' from exploit frameworks; these may deliver the malicious payload through the URL load feature of Mini-Stream Ripper.
  • Flag .pls files containing a junk buffer of 17403+ repeated bytes (e.g., 0x44 or 0x41) followed by a 4-byte return address, which is indicative of exploit construction for CVE-2009-5109.
  • The Metasploit module for this CVE uses a payload bad-character set that can help tune IDS/IPS signatures: null bytes and URL-special characters are excluded from the shellcode.
  • Detect use of the MSRcodec001.dll return address (0x0146b87b) as a universal JMP ESP gadget in .pls exploit files targeting Mini-Stream Ripper.
  • The JMP ESP return addresses differ between Windows XP SP2 (SHELL32.dll: 0x7c941eed) and SP3 (USER32.dll: 0x7e429353); detection rules keyed on specific return addresses must account for both variants.
  • The Metasploit module uses a StackAdjustment of -3500 and a payload space of 3500 bytes; its exploit offset (17417) differs slightly from the standalone PoC (17405), indicating minor variation between exploit implementations.
  • The universal exploit variant uses a return address from MSRcodec001.dll (0x0146b87b) and a different junk buffer size (26074 bytes), making it distinct from the XP SP2/SP3-specific exploits.
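The bullets above give three concrete detection signals for crafted .pls files: an oversized entry, a long run of one repeated byte, and a known JMP ESP address in little-endian byte form. The scanner below is an added example written for this page, not code from the CVE sources or from any detection rule set; the byte form of the MSRcodec001.dll address is derived here from 0x0146b87b on the assumption that it is encoded little-endian like the other two, and the sample playlists are constructed test inputs.

```python
import re
from typing import List, Tuple

# Indicators taken from the detection bullets for CVE-2009-5109. The little-endian
# byte forms of the USER32 and SHELL32 gadgets are given on the page; the
# MSRcodec001.dll form is derived from 0x0146b87b (assumed little-endian, like the others).
RETURN_ADDRESS_SIGS = {
    b"\x53\x93\x42\x7e": "0x7e429353 (USER32.dll, XP SP3)",
    b"\xed\x1e\x94\x7c": "0x7c941eed (SHELL32.dll, XP SP2)",
    b"\x7b\xb8\x46\x01": "0x0146b87b (MSRcodec001.dll, universal)",
}
MAX_ENTRY_LEN = 17400   # page: entries larger than this are oversized for this target
MIN_JUNK_RUN = 17403    # page: junk buffers of 17403+ repeated bytes

# One finding: (line number, entry key, reason)
Finding = Tuple[int, str, str]

def scan_pls(data: bytes) -> List[Finding]:
    """Return a finding for every key=value entry in a .pls file that matches a signal."""
    findings: List[Finding] = []
    # (.)\1{N-1,} matches N or more copies of the same byte in a row.
    junk_re = re.compile(rb"(.)\1{%d,}" % (MIN_JUNK_RUN - 1), re.DOTALL)
    for lineno, line in enumerate(data.splitlines(), 1):
        key, sep, value = line.partition(b"=")
        if not sep:                      # section headers such as [playlist] carry no value
            continue
        name = key.decode("latin-1")
        if len(value) > MAX_ENTRY_LEN:
            findings.append((lineno, name, f"entry is {len(value)} bytes (> {MAX_ENTRY_LEN})"))
        run = junk_re.search(value)
        if run:
            findings.append((lineno, name, f"junk run of {len(run.group(0))} x {run.group(1)!r}"))
        for sig, desc in RETURN_ADDRESS_SIGS.items():
            if sig in value:
                findings.append((lineno, name, f"contains JMP ESP return address {desc}"))
    return findings

def is_suspicious(data: bytes) -> bool:
    return bool(scan_pls(data))

# Constructed samples (not real exploit files): a normal playlist, and one whose Title1
# entry is an oversized run of a single byte, the shape the bullets above describe.
BENIGN_PLS = (b"[playlist]\nNumberOfEntries=1\nFile1=http://radio.example.invalid/stream.mp3\n"
              b"Title1=Example Station\nLength1=-1\n")
OVERSIZED_PLS = (b"[playlist]\nNumberOfEntries=1\nFile1=http://radio.example.invalid/stream.mp3\n"
                 b"Title1=" + b"A" * 18000 + b"\nLength1=-1\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PLS), ("oversized", OVERSIZED_PLS)):
        print(label, scan_pls(sample) or "clean")
```

The thresholds are taken from the bullets for this specific target; a generic .pls scanner would lower them, since legitimate entries are far shorter than 17400 bytes.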