Windows mplay32 local buffer overflow vulnerability

Vulnerability ID: 1106894  Vulnerability type: boundary condition error
Published: 2002-07-30  Updated: 2005-10-20
CVE ID: CVE-2002-1847
CNNVD ID: CNNVD-200212-771
Platform: Windows  CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21670
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-771
|Vulnerability details
Windows mplay32 is the media player bundled with Windows and can play MP3 files. When handling MP3 files with long filenames, mplay32 does not check the filename length correctly, and an attacker can exploit this to cause a buffer overflow. A local attacker can supply an MP3 file whose filename is longer than 279 characters and have mplay32 play it, which overflows the buffer. Because mplay32.exe runs with the privileges of the invoking user, the flaw cannot be used on its own to escalate privileges; however, if it is combined with another vulnerability such as the IIS web server Unicode vulnerability, it may be exploited remotely to obtain a shell with the web server's privileges.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/5357/info

The Microsoft Windows Media Player executable is prone to a buffer overflow condition when invoked with an oversized filename.

Since the program is executed in the context of the user invoking it, it is not likely that a local attacker could exploit this issue to gain elevated privileges. However, if the program can be invoked remotely or a user can be somehow enticed into invoking the program with a malformed filename, then this may be exploited by an attacker. Realistically, another exposure or vulnerability would have to exist on the host system for an attacker to exploit this issue.

It is not currently known exactly which versions of the software are affected. 

From the command prompt it is possible to reproduce this issue with this command:

mplay32.exe A<x279>.mp3

On an unpatched IIS server it is possible to invoke the application with the following request:

http://target/scripts/..%255c..%255cwinnt/system32.exe?/A<x279>.mp3
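As an added example that is not part of the original advisory (a defender-side illustration, not code from the advisory's author or any vendor): the chained attack described above leaves a recognisable trace in the IIS request log, namely a double-encoded traversal (`..%255c`) reaching an executable under the system directory with an argument longer than the 279-character threshold the advisory gives. The script below scans IIS W3C-style log lines for that combination. The log lines, field layout, IP addresses and file names are constructed for this example; the 279-character threshold is the one stated in the advisory.

```python
"""Scan constructed IIS W3C-style log lines for the double-encoded traversal plus
oversized-argument pattern described in the mplay32 advisory (example code, added
here; not part of the original advisory)."""
import re
from urllib.parse import unquote

# Threshold stated in the advisory: a filename argument longer than 279
# characters overflows mplay32's buffer.
OVERSIZED_ARG = 279

# Matches a ".." path component delimited by either slash style (after decoding).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log (IIS W3C layout, assumed field order for this example).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-07-30 10:00:01 10.0.0.5 GET /index.htm - 200",
    "2002-07-30 10:00:03 10.0.0.5 GET /docs/my%20file.htm - 200",
    "2002-07-30 10:00:04 10.0.0.7 GET /scripts/report.asp id=42 200",
    "2002-07-30 10:00:09 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/mplay32.exe "
    + "/" + "A" * 300 + ".mp3 200",
    "2002-07-30 10:00:12 10.0.0.7 GET /images/logo.gif - 304",
])


def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing.

    Returns (decoded, rounds). rounds > 1 means the input was encoded more
    than once, e.g. %255c -> %5c -> '\\', which is what defeats a single
    decode-then-check in the web server."""
    rounds = 0
    cur = s
    while rounds < max_rounds:
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
        rounds += 1
    return cur, rounds


def parse_line(line):
    """Split one W3C-style line into fields; None for comments or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}


def analyse(entry):
    """Return the reasons (possibly none) this entry looks like the chained attack."""
    reasons = []
    stem, rounds = fully_decode(entry["stem"])
    if rounds > 1:
        reasons.append("double-encoded path")
    if TRAVERSAL.search(stem):
        reasons.append("directory traversal")
    query, _ = fully_decode(entry["query"])
    if stem.lower().endswith(".exe") and len(query) > OVERSIZED_ARG:
        reasons.append(f"oversized argument ({len(query)} chars) to executable")
    return reasons


def scan(log_text):
    """Return (line number, client IP, raw stem, reasons) for each suspicious entry."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = analyse(entry)
        if reasons:
            findings.append((lineno, entry["ip"], entry["stem"], reasons))
    return findings


if __name__ == "__main__":
    for lineno, ip, stem, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {ip} {stem[:60]}... -> {', '.join(reasons)}")
```

The decode loop is the important design choice: a single `unquote` turns `%255c` into `%5c`, which contains no backslash and passes a naive traversal check, so the detector decodes until the string is stable and records how many rounds it took. The benign single-encoded `my%20file.htm` line decodes in one round and is not flagged.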
|References

Source: BID
Name: 5357
Link: http://www.securityfocus.com/bid/5357
Source: XF
Name: mediaplayer-mplay32-filename-bo(9727)
Link: http://www.iss.net/security_center/static/9727.php
Source: NSFOCUS
Name: 3178
Link: http://www.nsfocus.net/vulndb/3178
