CVE-2017-17932
published 2017-12-28

Priority: P270, critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 53.32% (98.9th percentile)

A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 888.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
allmediaserver | allmediaserver | <= 0.95 |
allmediaserver | allmediaserver | |

Detection & IOCs (extracted from sources)

port: 888
process: MediaServer.exe
bytes: \xff\xff\xff\xff (NSEH record) followed by stack pivot at 0x0042b356
bytes: \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b (meterpreter reverse_tcp shellcode)
  • Detect exploitation attempts by monitoring for abnormally long TCP payloads (≥3000 bytes) sent to TCP port 888, targeting the ALLMediaServer MediaServer.exe process.
  • The SEH-based exploit uses a fixed stack-pivot return address (0x0042b356: ADD ESP,800 # POP EBX # RETN) in MediaServer.exe; presence of this address in network traffic to port 888 is a strong exploit indicator.
  • The SEH overwrite offset is 1072 bytes; network payloads to port 888 with exactly this structure (padding + SEH record at offset 1072) indicate active exploitation.
  • The Metasploit module uses RET address 0x00408315 (POP # POP # POP # RET from MediaServer.exe) as the SEH handler overwrite value; scan for this value in payloads to port 888.
  • Monitor for new outbound TCP connections from MediaServer.exe to unexpected hosts/ports (e.g., port 4444) following inbound connections on port 888, indicating successful meterpreter reverse_tcp shell establishment.
  • The vulnerability is triggered via a boundary error in HTTP request handling within MediaServer.exe; inspect HTTP traffic on port 888 for oversized request strings.
  • The ROP chain and stack-pivot reliability differ between virtual (VMware, VirtualBox) and physical environments on Windows 7; DEP bypass via ROP is not used in the Metasploit module's Windows 7 SP1 target because AllMediaServer won't run with DEP by default (OptIn).
  • The CVE affects ALLMediaServer 0.95 and earlier; a related issue (CVE-2022-28381) affects ALLMediaServer 1.6 via the same TCP port 888 attack vector, so detection rules should not be version-gated.
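
The network-side checks from the list above, combined into one scoring routine for a reassembled inbound TCP payload. This is an added example, not code from the sources this page quotes. Assumptions: offset 1072 is counted from the start of the payload, the SEH record is the standard 8-byte x86 pair (next pointer, then handler), addresses appear as 4-byte little-endian values, and the function names and severity labels are hypothetical.

```python
import struct

# Values taken from the detection notes on this page.
PORT = 888
MIN_SUSPICIOUS_LEN = 3000
SEH_OFFSET = 1072
SEH_RECORD_LEN = 8  # assumption: standard x86 SEH record, two 4-byte pointers
ADDRESSES = {
    "stack pivot 0x0042b356": struct.pack("<I", 0x0042B356),
    "SEH handler 0x00408315": struct.pack("<I", 0x00408315),
}


def score_payload(dst_port: int, payload: bytes) -> list:
    """Return the indicators matched by one reassembled inbound payload."""
    if dst_port != PORT:
        return []
    hits = []
    if len(payload) >= MIN_SUSPICIOUS_LEN:
        hits.append(f"oversized payload ({len(payload)} bytes)")
    record = payload[SEH_OFFSET:SEH_OFFSET + SEH_RECORD_LEN]
    for name, raw in ADDRESSES.items():
        pos = payload.find(raw)
        if pos == -1:
            continue
        hits.append(f"{name} at offset {pos}")
        if raw in record:
            hits.append(f"{name} inside SEH record at offset {SEH_OFFSET}")
    return hits


def severity(hits: list) -> str:
    """Hypothetical triage labels: a structural match outranks a bare length hit."""
    if any("inside SEH record" in h for h in hits):
        return "high"
    if any("0x00" in h for h in hits):
        return "medium"
    return "low" if hits else "none"


def constructed_sample() -> bytes:
    """Constructed, inert sample: filler bytes plus the two marker values only."""
    body = bytearray(b"A" * 3200)
    body[SEH_OFFSET:SEH_OFFSET + 4] = b"\xff\xff\xff\xff"
    body[SEH_OFFSET + 4:SEH_OFFSET + 8] = ADDRESSES["stack pivot 0x0042b356"]
    return bytes(body)
```

Because the related CVE-2022-28381 uses the same port, the routine keys on port and payload structure only and does not check the server version.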

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C