Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
MPlayer Lite Stack-Based Buffer Overflow Vulnerability via Malicious M3U Playlists
Vulnerability
A stack-based buffer overflow vulnerability has been identified in MPlayer Lite version r33064. The issue arises from inadequate bounds checking when the player processes M3U playlist files containing lengthy HTTP URLs. An attacker can exploit it by crafting a malicious .m3u file with a specially formatted URL that overflows a stack buffer. Exploitation is particularly effective when the file is opened through drag-and-drop interaction, which allows control over the execution flow by overwriting the Structured Exception Handling (SEH) chain. The exploit bypasses Data Execution Prevention (DEP) by using a Return-Oriented Programming (ROP) chain built from known gadgets in loaded DLLs, potentially leading to arbitrary code execution with the current user's privileges.
Impact
Exploitation of this vulnerability allows for arbitrary code execution with the privileges of the user running MPlayer Lite.
Reproduction
To reproduce this vulnerability, create a .m3u file that includes a long HTTP URL. The URL should be formatted to exploit the buffer overflow when the file is opened in MPlayer Lite r33064, specifically by dragging and dropping it onto the player. Once the file is processed, the buffer overflow will occur, leading to the execution of arbitrary code.
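For triage, the condition described above (an M3U entry carrying an overlong HTTP URL) can be checked before a playlist reaches the player. The scanner below is an added example, not part of the original advisory; the 1024-byte threshold, the function name and the sample playlists are assumptions, since the advisory does not state the buffer size.

```python
import re

# Assumption: the advisory gives no buffer size, so this is a tunable
# triage threshold, not the real overflow offset.
MAX_URL_LEN = 1024

URL_RE = re.compile(rb"^https?://", re.IGNORECASE)


def scan_m3u(data: bytes, max_url_len: int = MAX_URL_LEN) -> list:
    """Return one finding per suspicious HTTP(S) entry in an M3U playlist."""
    findings = []
    # bytes.splitlines() handles \n, \r\n and bare \r line endings
    for lineno, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # blank line or #EXTM3U / #EXTINF directive
        if not URL_RE.match(line):
            continue  # local path: outside the HTTP URL case in the advisory
        reasons = []
        if len(line) > max_url_len:
            reasons.append(f"url length {len(line)} exceeds {max_url_len}")
        # A well-formed URL is printable ASCII; anything else is percent-encoded
        nonprint = sum(1 for b in line if b < 0x20 or b > 0x7E)
        if nonprint:
            reasons.append(f"{nonprint} non-printable byte(s) in url")
        if reasons:
            findings.append({"line": lineno, "length": len(line),
                             "reasons": reasons})
    return findings


# Constructed sample playlists (not taken from any real file)
BENIGN = (b"#EXTM3U\r\n#EXTINF:123,Track\r\n"
          b"http://media.example/stream.mp3\r\nC:\\music\\a.mp3\r\n")
SUSPECT = b"#EXTM3U\r\nhttp://media.example/" + b"A" * 4000 + b"\x01\xff\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_m3u(blob))
```

A finding is a reason to quarantine the file for review, not proof of an exploit; tune `max_url_len` against the URLs seen in legitimate playlists.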
