CVE-2009-1831

Nullsoft Winamp < 5.552 - Remote Code Execution via Crafted MAKI File


Exploitation Summary

EIP tracks 6 public exploits for CVE-2009-1831. PoCs published by Metasploit, n00b, His0k4, including Metasploit module exploits/windows/fileformat/winamp_maki_bof.

AI-analyzed exploit summary: This Metasploit module exploits a stack-based buffer overflow in Winamp 5.55 via a crafted MAKI file, leveraging an insecure memmove operation in gen_ff.dll. It generates a malicious mcvcore.maki file that triggers the vulnerability when parsed by Winamp.

Description

The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Winamp before 5.552 allows remote attackers to execute arbitrary code via a crafted MAKI file, which triggers an incorrect sign extension, an integer overflow, and a stack-based buffer overflow.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/21256

This Metasploit module exploits a stack-based buffer overflow in Winamp 5.55 via a crafted MAKI file, leveraging an insecure memmove operation in gen_ff.dll. It generates a malicious mcvcore.maki file that triggers the vulnerability when parsed by Winamp.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Winamp 5.55
No auth needed
Prerequisites: Victim must install the crafted MAKI file in the Winamp scripts directory or use a skin containing it
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by n00b · c · local · windows
https://www.exploit-db.com/exploits/8783

This exploit targets an integer overflow vulnerability in Winamp 5.551's MAKI parsing functionality. It triggers an exception handler overwrite to execute arbitrary shellcode, demonstrated with a calc.exe payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Winamp 5.551
No auth needed
Prerequisites: Victim must open a malicious MAKI file in Winamp 5.551
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by His0k4 · python · local · windows
https://www.exploit-db.com/exploits/8770

This exploit targets a MAKI script parsing vulnerability in Winamp <= 5.55, leveraging a SEH overwrite to achieve remote code execution. The payload is embedded in a crafted MAKI file, designed to trigger the vulnerability when parsed by Winamp.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Winamp <= 5.55
No auth needed
Prerequisites: Victim must open the malicious MAKI file in Winamp
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Encrypt3d.M!nd · perl · local · windows
https://www.exploit-db.com/exploits/8772

This exploit targets a universal integer overflow vulnerability in Winamp <= 5.55 via a malicious MAKI script. It crafts a file 'mcvcore.maki' with a header, exploit payload, and shellcode to achieve remote code execution when placed in the Winamp skins directory.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Winamp <= 5.55
No auth needed
Prerequisites: Access to the target system's file system to place the malicious MAKI script in the Winamp skins directory
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by n00b · c · dos · windows
https://www.exploit-db.com/exploits/8767

This exploit triggers an integer overflow in Winamp 5.551 by crafting a malicious MAKI file, leading to a buffer overflow and potential control over exception handlers. The PoC generates a file that, when parsed, overwrites the SEH record.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Winamp 5.551
No auth needed
Prerequisites: Winamp 5.551 installed · Ability to place the malicious MAKI file in the target directory
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Monica Sojeong Hong, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/winamp_maki_bof.rb

This Metasploit module exploits a stack-based buffer overflow in Winamp 5.55 via a crafted MAKI file, leveraging an insecure memmove operation in gen_ff.dll. It generates a malicious mcvcore.maki file to achieve remote code execution when parsed by the vulnerable software.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Winamp 5.55
No auth needed
Prerequisites: Victim must install the crafted mcvcore.maki file in the Winamp scripts directory or use a skin containing it
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35052
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8783
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/50664
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15683
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8770
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8767
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8772

Scores

EPSS 0.3634
EPSS Percentile 98.3%

Details

CWE: CWE-189
Status: published
Products (43)
nullsoft/winamp 2.0
nullsoft/winamp 2.4
nullsoft/winamp 2.5e
nullsoft/winamp 2.6x
nullsoft/winamp 2.7x
nullsoft/winamp 2.10
nullsoft/winamp 2.24
nullsoft/winamp 2.50
nullsoft/winamp 2.60 (3 CPE variants)
nullsoft/winamp 2.61 (2 CPE variants)
... and 33 more
Published May 29, 2009
Tracked Since Feb 18, 2026