CVE-2009-20004

HIGH

gAlan < 0.2.1 - Stack-based Buffer Overflow via .galan File Parsing


Exploitation Summary

EIP tracks 4 public exploits for CVE-2009-20004. PoCs have been published by Metasploit, Dz_attacker, and Jeremy Brown, including the Metasploit module exploits/windows/fileformat/galan_fileformat_bof.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in gAlan 0.2.1 via a crafted .galan file. It leverages a hardcoded return address (0x100175D0) to execute arbitrary payloads on Windows XP.

Description

gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16664

This is a Metasploit module exploiting a stack buffer overflow in gAlan 0.2.1 via a crafted .galan file. It leverages a hardcoded return address (0x100175D0) to execute arbitrary payloads on Windows XP.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: gAlan 0.2.1
No auth needed
Prerequisites: Victim must open the malicious .galan file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Dz_attacker · python · local · windows
https://www.exploit-db.com/exploits/10345

This is a functional buffer overflow exploit targeting the gAlan software via a crafted .galan file. It leverages a known vulnerability (EIP-2026-140198) to execute arbitrary shellcode, specifically launching calc.exe via a Metasploit-generated payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: gAlan (version not specified)
No auth needed
Prerequisites: Victim must open the malicious .galan file
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Jeremy Brown · perl · local · windows
https://www.exploit-db.com/exploits/10339

This exploit targets a buffer overflow vulnerability in gAlan (a modular audio processing tool) by overwriting the EIP with a JMP ESP address from user32.dll and executing a shell_bind_tcp payload. The payload is written to a file named 'bof.galan' to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: gAlan (version not specified)
No auth needed
Prerequisites: Vulnerable version of gAlan installed · Ability to deliver the malicious file to the target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/galan_fileformat_bof.rb

This Metasploit module exploits a stack buffer overflow in gAlan 0.2.1 by crafting a malicious .galan file. It triggers a buffer overflow via a long string followed by a return address and shellcode to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: gAlan 0.2.1
No auth needed
Prerequisites: Victim must open the malicious .galan file in gAlan 0.2.1
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4 8.4
EPSS 0.0032
EPSS Percentile 23.7%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-121
Status: published
Products (1): gAlan/gAlan < 0.2.1
Published: Aug 21, 2025
Tracked Since: Feb 18, 2026