CVE-2009-0182

HIGH

VUPlayer < 2.49 - Buffer Overflow via Long URL in .pls File

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2009-0182. PoCs published by SkD, Bryan Leong, nobodyatall648, including Metasploit module exploits/windows/fileformat/vuplayer_cue.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in VUPlayer <= 2.49 via a maliciously crafted .PLS playlist file. It uses a universal JMP ESP address in BASS.DLL and executes a calc.exe payload via shellcode.

Description

Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line.

Exploits (4)

exploitdb WORKING POC VERIFIED
by SkD · perllocalwindows
https://www.exploit-db.com/exploits/7695

This exploit targets a buffer overflow vulnerability in VUPlayer <= 2.49 via a maliciously crafted .PLS playlist file. It uses a universal JMP ESP address in BASS.DLL and executes a calc.exe payload via shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VUPlayer <= 2.49
No auth needed
Prerequisites: Victim must open the malicious .PLS file in VUPlayer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Bryan Leong · pythonlocalwindows
https://www.exploit-db.com/exploits/50650

This exploit leverages a local buffer overflow in VUPlayer 2.49 via a maliciously crafted .wax playlist file to achieve arbitrary code execution, bypassing DEP using ROP chains targeting non-ASLR modules (BASS.dll, BASSMIDI.dll). The payload includes a calc.exe shellcode generated with msfvenom.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VUPlayer 2.49
No auth needed
Prerequisites: Victim must open the maliciously crafted .wax file in VUPlayer 2.49 · Non-ASLR modules (BASS.dll, BASSMIDI.dll) must be present
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by nobodyatall648 · poc
https://github.com/nobodyatall648/CVE-2009-0182

This repository contains functional exploit code for CVE-2009-0182, demonstrating a local buffer overflow in VUPlayer 2.49 via a crafted .wax playlist file. It includes two PoCs: one for standard exploitation and another with a ROP chain to bypass DEP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VUPlayer 2.49
No auth needed
Prerequisites: VUPlayer 2.49 installed on the target system · Ability to deliver a malicious .wax file to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC GOOD
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/vuplayer_cue.rb

This Metasploit module exploits a stack-based buffer overflow in VUPlayer <= 2.49 via a maliciously crafted CUE file. It leverages a hardcoded return address (0x1010539f) to execute arbitrary shellcode, achieving remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: VUPlayer <= 2.49
No auth needed
Prerequisites: Victim must open the malicious CUE file in VUPlayer
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7695
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48170
Exploit, Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/4923
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/165489/VUPlayer-2.49-Buffer-Overflow.html

Scores

CVSS v3 8.8
EPSS 0.4840
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-120
Status published
Products (1)
vuplayer/vuplayer < 2.49
Published Jan 20, 2009
Tracked Since Feb 18, 2026