CVE-2013-7409
published 2014-10-30

Priority: P3 55, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 67.94% (99.2th percentile)
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| allplayer | allplayer | <= 5.8.1 | |
| allplayer | allplayer | | |
| allplayer | allplayer | | |

Detection & IOCs (extracted from sources)

filename: allplayer_unicodeseh.m3u
filename: sploit.m3u
filename: ALLPlayer_Poc.m3u
path: C:\Program Files\ALLPlayer\ALLPlayer.exe
registry: 0x004d0011
registry: 0x00660011
command: http:// prefix + oversized buffer in .m3u playlist entry (offset 301-303 bytes to SEH)
bytes: \x61\x62 (nSEH: POPAD + NOP, v5.6.2/5.7)
bytes: \x61\x50 (nSEH: POPAD + Venetian padding, v5.8.1)
bytes: \x11\x4d (SEH POP POP RET, ALLPlayer.exe v5.6.2)
bytes: \x11\x66 (SEH POP POP RET, ALLPlayer.exe v5.7)
bytes: \x50\x45 (SEH POP POP RET, ALLPlayer.exe v5.8.1)
  • Detect .m3u files containing a URL entry prefixed with 'http://' followed by an abnormally long string (>300 bytes) — this is the consistent exploit delivery pattern across all CVE-2013-7409 PoCs.
  • ALLPlayer.exe is compiled without ASLR, Rebase, SafeSEH, or OS protections, so SEH-based exploitation is reliable; monitor for SEH chain overwrites in the ALLPlayer.exe process.
  • Flag .m3u files with total buffer size of ~5000 bytes containing unicode-encoded shellcode (alphanumeric uppercase pattern starting with 'PPYAIAIAIAIA...').
  • The exploit triggers an access violation with EIP overwritten to 0x00410041 (unicode-expanded 'A'); monitor ALLPlayer.exe for access violations at addresses matching unicode-expanded ASCII patterns.
  • Metasploit module bad characters for payload encoding include null bytes and high-range bytes; payloads will be AlphanumUnicodeMixed encoded — look for long uppercase alphanumeric strings in .m3u URL entries.
  • The exploit can also be triggered via the 'Open URL' menu in ALLPlayer (not just file open); monitor for ALLPlayer.exe spawning with URL arguments containing long strings.
  • SEH gadget addresses (POP POP RET) differ per ALLPlayer version: 0x004d0011 for v5.6.2, 0x00660011 for v5.7, and \x50\x45 for v5.8.1; detection rules using hardcoded gadget addresses must account for version-specific offsets.
  • The Metasploit module description incorrectly references 'ALLPlayer 2.8.1' in one place but the actual target is v5.8.1 on Windows 7 SP1; version strings in module metadata may be unreliable.
  • The SEH offset to overwrite is 301 bytes in v5.8.1 exploits but 303 bytes in v5.6.2/5.7 exploits; buffer size thresholds for detection should accommodate both offsets.
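
A file-level check for the playlist pattern in the first detection note, written as an added example; it is not taken from this record, the referenced PoCs or the Metasploit module. The 300-byte limit comes from the notes above; the function name `scan_m3u`, the 64-character run threshold and the severity labels are assumptions, and the sample playlists are constructed.

```python
import re

URL_PREFIX = b"http://"
MAX_URL_BODY = 300   # from the notes: SEH record sits 301-303 bytes in
# Assumption: 64+ consecutive uppercase alphanumerics counts as a "long" run
# (the notes describe alphanumeric-uppercase encoded payloads).
ALNUM_RUN = re.compile(rb"[A-Z0-9]{64,}")


def scan_m3u(data: bytes) -> list:
    """Return one finding per playlist entry that matches the pattern."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        entry = raw.strip()
        # Skip blanks and #EXTM3U / #EXTINF directives.
        if not entry or entry.startswith(b"#"):
            continue
        if entry[:len(URL_PREFIX)].lower() != URL_PREFIX:
            continue
        body = entry[len(URL_PREFIX):]
        if len(body) <= MAX_URL_BODY:
            continue
        reasons = ["oversized-url"]
        if ALNUM_RUN.search(body):
            reasons.append("uppercase-alnum-run")
        if any(b < 0x20 or b > 0x7E for b in body):
            reasons.append("non-printable-bytes")
        # Length alone also matches long legitimate URLs, so grade it lower.
        severity = "high" if len(reasons) > 1 else "review"
        findings.append({"line": lineno, "length": len(body),
                         "reasons": reasons, "severity": severity})
    return findings


# Constructed samples (not taken from any PoC).
BENIGN = b"#EXTM3U\r\n#EXTINF:-1,Radio\r\nhttp://radio.example.com/live.mp3\r\n"
LONG_QUERY = b"http://cdn.example.com/?" + b"a=b&" * 100 + b"\n"
OVERSIZED = b"#EXTM3U\r\nhttp://" + b"A" * 5000 + b"\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("long-query", LONG_QUERY),
                         ("oversized", OVERSIZED)):
        print(name, scan_m3u(sample))
```

Playlists saved as UTF-16 are not decoded here, and the 'Open URL' route mentioned in the notes never touches a file, so this check covers only on-disk .m3u content.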