VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2018 · Updated Aug 5, 2024

CVE-2018-19357


Description

XMPlay 3.8.3 allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted http:// URL in a .m3u file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Stack-based buffer overflow in XMPlay 3.8.3's HTTP URL parser when processing a crafted `http://` URL in a `.m3u` playlist file."

Attack vector

An attacker crafts a `.m3u` playlist file containing an `#EXTINF` directive followed by a long `http://` URL. The URL payload includes shellcode and a return address that overwrites EIP with a `JMP ESP` gadget (0x78196d4d from an OS DLL), redirecting execution to attacker-controlled data on the stack [ref_id=1]. The victim must open the malicious `.m3u` file by dragging it into XMPlay or using the File Menu. No authentication or special privileges are required beyond the victim running XMPlay.

Affected code

The vulnerability resides in how XMPlay 3.8.3 parses a crafted `http://` URL inside a `.m3u` playlist file. The PoC constructs a malformed URL that overflows a stack buffer when the application processes the playlist entry [ref_id=1]. The exact vulnerable function is not named in the advisory, but the crash occurs during URL parsing of the `http://test.` prefix followed by attacker-controlled data.

What the fix does

No patch has been published by the vendor. The exploit author states the developer was notified and provided a PoC but was "not interested in fixing" the issue [ref_id=1]. Without a patch, the only remediation is to avoid opening untrusted `.m3u` files in XMPlay 3.8.3 or to use an alternative media player that properly validates URL lengths before copying them into fixed-size stack buffers.
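The length validation that paragraph describes, as an added sketch of a playlist reader that checks each entry before copying it into a fixed-size stack buffer. This is not XMPlay's code: the function names, the 256-byte buffer size and the sample playlist are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256 /* assumed; the page does not give XMPlay's buffer size */
enum url_status { URL_OK, URL_NOT_HTTP, URL_TOO_LONG, URL_BAD_BYTE };

/* Validate one playlist line; `out` is written only after every check passes. */
enum url_status copy_playlist_url(const char *line, char *out, size_t out_size)
{
    static const char scheme[] = "http://";
    size_t len = strcspn(line, "\r\n"); /* the entry ends at the line break */

    if (strncmp(line, scheme, sizeof scheme - 1) != 0)
        return URL_NOT_HTTP;
    if (len >= out_size) /* keep one byte for the terminator */
        return URL_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c <= 0x20 || c >= 0x7f) /* only printable ASCII belongs in a URL */
            return URL_BAD_BYTE;
    }
    memcpy(out, line, len);
    out[len] = '\0';
    return URL_OK;
}

/* Count the http:// entries of an in-memory .m3u that the check refuses.
 * Directives (#EXTINF ...), blank lines and local paths are not counted. */
int count_rejected_entries(const char *playlist)
{
    char url[URL_BUF_SIZE]; /* the fixed-size stack buffer being protected */
    int rejected = 0;

    for (const char *p = playlist; *p != '\0'; ) {
        enum url_status st = copy_playlist_url(p, url, sizeof url);
        if (st == URL_TOO_LONG || st == URL_BAD_BYTE)
            rejected++;
        p += strcspn(p, "\n");
        if (*p == '\n') p++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample playlist with a single well-formed entry. */
    printf("%d\n", count_rejected_entries("#EXTM3U\nhttp://example.test/a.mp3\n"));
    return 0;
}
```

The same check can be run as a pre-filter over received `.m3u` files, flagging any playlist for which `count_rejected_entries` returns a non-zero value.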

Preconditions

  • input: Victim must open a crafted .m3u file in XMPlay 3.8.3 (drag-and-drop or File Menu)
  • auth: No authentication required; attacker only needs to deliver the .m3u file to the victim

Reproduction

Run the PoC script from [ref_id=1] to generate `xmplay.m3u`. Launch XMPlay 3.8.3, then either drag `xmplay.m3u` into the application window or use File Menu → select `xmplay.m3u`. The application will appear to "load" for approximately one minute while the egghunter searches memory, then will launch `calc.exe` as proof of code execution [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
