bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/17019.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

200 lines
No EOL
8.6 KiB
Text
Raw Blame History

#######################################################################
Luigi Auriemma
Application: RealPlayer
http://www.real.com
Versions: <= 14.0.1.633
Platforms: Windows, Macintosh OSX, Linux, Symbian, Palm
Bug: heap overflow
Exploitation: remote
Date: 21 Mar 2011 (found 17 Feb 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
RealPlayer is an ugly media player developed by RealNetwork and used
mainly for its browser's plugin supporting the proprietary file formats
of its developer.
#######################################################################
======
2) Bug
======
Classical heap overflow during the handling of the IVR files caused by
the allocation of a certain amount of data (frame size) decided by the
attacker and the copying of another arbitrary amount on the same
buffer.
From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55 PUSH EBP
63AF5C71 |. 8BEC MOV EBP,ESP
63AF5C73 |. 83EC 20 SUB ESP,20
63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
63AF5C79 |. 56 PUSH ESI
63AF5C7A |. 57 PUSH EDI
63AF5C7B |. 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4]
63AF5C7E |. 8A07 MOV AL,BYTE PTR DS:[EDI] ; byte at offset 0x7800 of the PoC
63AF5C80 |. 24 E0 AND AL,0E0
63AF5C82 |. 33F6 XOR ESI,ESI
63AF5C84 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
63AF5C87 |. 3C E0 CMP AL,0E0 ; (byte & 0xe0) == 0xe0
63AF5C89 |. 0F85 46010000 JNZ rvrender.63AF5DD5
63AF5C8F |. 8B0A MOV ECX,DWORD PTR DS:[EDX] ; 32bit value at offset 0x77f8 (allocation)
63AF5C91 |. 47 INC EDI
63AF5C92 |. 83E9 01 SUB ECX,1
63AF5C95 |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
63AF5C98 |. 8975 E8 MOV DWORD PTR SS:[EBP-18],ESI
63AF5C9B |. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1
63AF5CA2 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
63AF5CA5 |. 0F84 38010000 JE rvrender.63AF5DE3
63AF5CAB |. 53 PUSH EBX
63AF5CAC |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
63AF5CB0 |> 57 /PUSH EDI
63AF5CB1 |. 8D4D FC |LEA ECX,DWORD PTR SS:[EBP-4]
63AF5CB4 |. 51 |PUSH ECX
63AF5CB5 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18]
63AF5CB8 |. 52 |PUSH EDX
63AF5CB9 |. E8 92010000 |CALL rvrender.63AF5E50
63AF5CBE |. 03F8 |ADD EDI,EAX
63AF5CC0 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5CC3 |. 66:0FB607 |MOVZX AX,BYTE PTR DS:[EDI]
63AF5CC7 |. 0FB7C8 |MOVZX ECX,AX
63AF5CCA |. 83C4 0C |ADD ESP,0C
63AF5CCD |. 84C9 |TEST CL,CL
63AF5CCF |. 79 0D |JNS SHORT rvrender.63AF5CDE
63AF5CD1 |. 83E1 7F |AND ECX,7F
63AF5CD4 |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX
63AF5CD7 |. B8 01000000 |MOV EAX,1
63AF5CDC |. EB 1E |JMP SHORT rvrender.63AF5CFC
63AF5CDE |> 66:0FB64F 01 |MOVZX CX,BYTE PTR DS:[EDI+1]
63AF5CE3 |. C1E0 08 |SHL EAX,8
63AF5CE6 |. 66:0BC8 |OR CX,AX
63AF5CE9 |. BA FF7F0000 |MOV EDX,7FFF
63AF5CEE |. 66:23CA |AND CX,DX
63AF5CF1 |. 0FB7C1 |MOVZX EAX,CX ; 16bit at offset 0x7805
63AF5CF4 |. 8945 F4 |MOV DWORD PTR SS:[EBP-C],EAX
63AF5CF7 |. B8 02000000 |MOV EAX,2
63AF5CFC |> 0FB7D8 |MOVZX EBX,AX
63AF5CFF |. 6A 18 |PUSH 18
63AF5D01 |. 03FB |ADD EDI,EBX
63AF5D03 |. E8 FC120000 |CALL <JMP.&MSVCR90.operator new>
63AF5D08 |. 8BF0 |MOV ESI,EAX
63AF5D0A |. 83C4 04 |ADD ESP,4
63AF5D0D |. 85F6 |TEST ESI,ESI
63AF5D0F |. 74 7F |JE SHORT rvrender.63AF5D90
63AF5D11 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
63AF5D14 |. 51 |PUSH ECX
63AF5D15 |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
63AF5D18 |. E8 D3F2FFFF |CALL rvrender.63AF4FF0
63AF5D1D |. 85C0 |TEST EAX,EAX
63AF5D1F |. 75 0B |JNZ SHORT rvrender.63AF5D2C
63AF5D21 |. 56 |PUSH ESI
63AF5D22 |. E8 E3120000 |CALL <JMP.&MSVCR90.operator delete>
63AF5D27 |. 83C4 04 |ADD ESP,4
63AF5D2A |. 33F6 |XOR ESI,ESI
63AF5D2C |> 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
63AF5D2F |. 8B0A |MOV ECX,DWORD PTR DS:[EDX]
63AF5D31 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
63AF5D33 |. 8B40 0C |MOV EAX,DWORD PTR DS:[EAX+C]
63AF5D36 |. 8D55 E0 |LEA EDX,DWORD PTR SS:[EBP-20]
63AF5D39 |. 52 |PUSH EDX
63AF5D3A |. FFD0 |CALL EAX
63AF5D3C |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX
63AF5D3F |. 85C0 |TEST EAX,EAX
63AF5D41 |. 74 4D |JE SHORT rvrender.63AF5D90
63AF5D43 |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8]
63AF5D46 |. 66:8B51 0C |MOV DX,WORD PTR DS:[ECX+C]
63AF5D4A |. 66:8956 0C |MOV WORD PTR DS:[ESI+C],DX
63AF5D4E |. 0FB755 F4 |MOVZX EDX,WORD PTR SS:[EBP-C]
63AF5D52 |. 0351 08 |ADD EDX,DWORD PTR DS:[ECX+8]
63AF5D55 |. 837D EC 00 |CMP DWORD PTR SS:[EBP-14],0
63AF5D59 |. 8956 08 |MOV DWORD PTR DS:[ESI+8],EDX
63AF5D5C |. 0FB749 0E |MOVZX ECX,WORD PTR DS:[ECX+E]
63AF5D60 |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX
63AF5D64 |. 75 0A |JNZ SHORT rvrender.63AF5D70
63AF5D66 |. 81E1 FDFF0000 |AND ECX,0FFFD
63AF5D6C |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX
63AF5D70 |> C746 14 00000000 |MOV DWORD PTR DS:[ESI+14],0
63AF5D77 |. C706 00000000 |MOV DWORD PTR DS:[ESI],0
63AF5D7D |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
63AF5D80 |. 51 |PUSH ECX ; 32bit at offset 0x7801
63AF5D81 |. 57 |PUSH EDI ; our data
63AF5D82 |. 50 |PUSH EAX ; heap buffer having the size got at 63AF5C8F
63AF5D83 |. E8 F8160000 |CALL <JMP.&MSVCR90.memcpy> ; memcpy
63AF5D88 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
63AF5D8B |. 83C4 0C |ADD ESP,0C
63AF5D8E |. 8916 |MOV DWORD PTR DS:[ESI],EDX
63AF5D90 |> 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C]
63AF5D93 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
63AF5D96 |. 8D140B |LEA EDX,DWORD PTR DS:[EBX+ECX]
63AF5D99 |. 8B5D F0 |MOV EBX,DWORD PTR SS:[EBP-10]
63AF5D9C |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
63AF5D9F |. 03D0 |ADD EDX,EAX
63AF5DA1 |. 2BDA |SUB EBX,EDX
63AF5DA3 |. 56 |PUSH ESI
63AF5DA4 |. 03F8 |ADD EDI,EAX
63AF5DA6 |. 895D F0 |MOV DWORD PTR SS:[EBP-10],EBX
63AF5DA9 |. E8 D2FCFFFF |CALL rvrender.63AF5A80
63AF5DAE |. 56 |PUSH ESI
63AF5DAF |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5DB2 |. E8 53120000 |CALL <JMP.&MSVCR90.operator delete>
63AF5DB7 |. 83C4 04 |ADD ESP,4
63AF5DBA |. C745 EC 00000000 |MOV DWORD PTR SS:[EBP-14],0
63AF5DC1 |. 85DB |TEST EBX,EBX
63AF5DC3 |.^0F85 E7FEFFFF \JNZ rvrender.63AF5CB0
63AF5DC9 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
63AF5DCC |. 5B POP EBX
63AF5DCD |. 5F POP EDI
63AF5DCE |. 5E POP ESI
63AF5DCF |. 8BE5 MOV ESP,EBP
63AF5DD1 |. 5D POP EBP
63AF5DD2 |. C2 0400 RETN 4
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/real_5.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17019.zip
the amount of data to copy is the 32bit big endian value located at
offset 0x7801 of real_5.ivr.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink