RealPlayer <= 14.0.1.633 Heap Overflow Vulnerability
Source: aluigi.org   Author: Luigi   Published: 2011-03-22

#######################################################################

                             Luigi Auriemma

Application:  RealPlayer
              http://www.real.com
Versions:     <= 14.0.1.633
Platforms:    Windows, Macintosh OSX, Linux, Symbian, Palm
Bug:          heap overflow
Exploitation: remote
Date:         21 Mar 2011 (found 17 Feb 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


RealPlayer is a media player developed by RealNetworks, used mainly
for its browser plugin, which supports the proprietary file formats
of its developer.


#######################################################################

======
2) Bug
======


Classic heap overflow during the handling of IVR files: the size of the
destination buffer (the frame size) and the number of bytes copied into
it are two independent 32-bit values read from the file, both under the
attacker's control, and the copy length is never checked against the
allocation, so a copy length larger than the frame size writes past the
end of the heap buffer.
From rvrender.dll (base address 63AE0000):

  63AF5C70  /$ 55                 PUSH EBP
  63AF5C71  |. 8BEC               MOV EBP,ESP
  63AF5C73  |. 83EC 20            SUB ESP,20
  63AF5C76  |. 8B55 08            MOV EDX,DWORD PTR SS:[EBP+8]
  63AF5C79  |. 56                 PUSH ESI
  63AF5C7A  |. 57                 PUSH EDI
  63AF5C7B  |. 8B7A 04            MOV EDI,DWORD PTR DS:[EDX+4]
  63AF5C7E  |. 8A07               MOV AL,BYTE PTR DS:[EDI]      ; byte at offset 0x7800 of the PoC
  63AF5C80  |. 24 E0              AND AL,0E0
  63AF5C82  |. 33F6               XOR ESI,ESI
  63AF5C84  |. 894D F8            MOV DWORD PTR SS:[EBP-8],ECX
  63AF5C87  |. 3C E0              CMP AL,0E0                    ; (byte & 0xe0) == 0xe0
  63AF5C89  |. 0F85 46010000      JNZ rvrender.63AF5DD5
  63AF5C8F  |. 8B0A               MOV ECX,DWORD PTR DS:[EDX]    ; 32bit value at offset 0x77f8 (allocation)
  63AF5C91  |. 47                 INC EDI
  63AF5C92  |. 83E9 01            SUB ECX,1
  63AF5C95  |. 8975 FC            MOV DWORD PTR SS:[EBP-4],ESI
  63AF5C98  |. 8975 E8            MOV DWORD PTR SS:[EBP-18],ESI
  63AF5C9B  |. C745 EC 01000000   MOV DWORD PTR SS:[EBP-14],1
  63AF5CA2  |. 894D F0            MOV DWORD PTR SS:[EBP-10],ECX
  63AF5CA5  |. 0F84 38010000      JE rvrender.63AF5DE3
  63AF5CAB  |. 53                 PUSH EBX
  63AF5CAC  |. 8D6424 00          LEA ESP,DWORD PTR SS:[ESP]
  63AF5CB0  |> 57                 /PUSH EDI
  63AF5CB1  |. 8D4D FC            |LEA ECX,DWORD PTR SS:[EBP-4]
  63AF5CB4  |. 51                 |PUSH ECX
  63AF5CB5  |. 8D55 E8            |LEA EDX,DWORD PTR SS:[EBP-18]
  63AF5CB8  |. 52                 |PUSH EDX
  63AF5CB9  |. E8 92010000        |CALL rvrender.63AF5E50
  63AF5CBE  |. 03F8               |ADD EDI,EAX
  63AF5CC0  |. 8945 E4            |MOV DWORD PTR SS:[EBP-1C],EAX
  63AF5CC3  |. 66:0FB607          |MOVZX AX,BYTE PTR DS:[EDI]
  63AF5CC7  |. 0FB7C8             |MOVZX ECX,AX
  63AF5CCA  |. 83C4 0C            |ADD ESP,0C
  63AF5CCD  |. 84C9               |TEST CL,CL
  63AF5CCF  |. 79 0D              |JNS SHORT rvrender.63AF5CDE
  63AF5CD1  |. 83E1 7F            |AND ECX,7F
  63AF5CD4  |. 894D F4            |MOV DWORD PTR SS:[EBP-C],ECX
  63AF5CD7  |. B8 01000000        |MOV EAX,1
  63AF5CDC  |. EB 1E              |JMP SHORT rvrender.63AF5CFC
  63AF5CDE  |> 66:0FB64F 01       |MOVZX CX,BYTE PTR DS:[EDI+1]
  63AF5CE3  |. C1E0 08            |SHL EAX,8
  63AF5CE6  |. 66:0BC8            |OR CX,AX
  63AF5CE9  |. BA FF7F0000        |MOV EDX,7FFF
  63AF5CEE  |. 66:23CA            |AND CX,DX
  63AF5CF1  |. 0FB7C1             |MOVZX EAX,CX                 ; 16bit at offset 0x7805
  63AF5CF4  |. 8945 F4            |MOV DWORD PTR SS:[EBP-C],EAX
  63AF5CF7  |. B8 02000000        |MOV EAX,2
  63AF5CFC  |> 0FB7D8             |MOVZX EBX,AX
  63AF5CFF  |. 6A 18              |PUSH 18
  63AF5D01  |. 03FB               |ADD EDI,EBX
  63AF5D03  |. E8 FC120000        |CALL <JMP.&MSVCR90.operator new>
  63AF5D08  |. 8BF0               |MOV ESI,EAX
  63AF5D0A  |. 83C4 04            |ADD ESP,4
  63AF5D0D  |. 85F6               |TEST ESI,ESI
  63AF5D0F  |. 74 7F              |JE SHORT rvrender.63AF5D90
  63AF5D11  |. 8B4D FC            |MOV ECX,DWORD PTR SS:[EBP-4]
  63AF5D14  |. 51                 |PUSH ECX
  63AF5D15  |. 8B4D F8            |MOV ECX,DWORD PTR SS:[EBP-8]
  63AF5D18  |. E8 D3F2FFFF        |CALL rvrender.63AF4FF0
  63AF5D1D  |. 85C0               |TEST EAX,EAX
  63AF5D1F  |. 75 0B              |JNZ SHORT rvrender.63AF5D2C
  63AF5D21  |. 56                 |PUSH ESI
  63AF5D22  |. E8 E3120000        |CALL <JMP.&MSVCR90.operator delete>
  63AF5D27  |. 83C4 04            |ADD ESP,4
  63AF5D2A  |. 33F6               |XOR ESI,ESI
  63AF5D2C  |> 8B55 F8            |MOV EDX,DWORD PTR SS:[EBP-8]
  63AF5D2F  |. 8B0A               |MOV ECX,DWORD PTR DS:[EDX]
  63AF5D31  |. 8B01               |MOV EAX,DWORD PTR DS:[ECX]
  63AF5D33  |. 8B40 0C            |MOV EAX,DWORD PTR DS:[EAX+C]
  63AF5D36  |. 8D55 E0            |LEA EDX,DWORD PTR SS:[EBP-20]
  63AF5D39  |. 52                 |PUSH EDX
  63AF5D3A  |. FFD0               |CALL EAX
  63AF5D3C  |. 8946 04            |MOV DWORD PTR DS:[ESI+4],EAX
  63AF5D3F  |. 85C0               |TEST EAX,EAX
  63AF5D41  |. 74 4D              |JE SHORT rvrender.63AF5D90
  63AF5D43  |. 8B4D 08            |MOV ECX,DWORD PTR SS:[EBP+8]
  63AF5D46  |. 66:8B51 0C         |MOV DX,WORD PTR DS:[ECX+C]
  63AF5D4A  |. 66:8956 0C         |MOV WORD PTR DS:[ESI+C],DX
  63AF5D4E  |. 0FB755 F4          |MOVZX EDX,WORD PTR SS:[EBP-C]
  63AF5D52  |. 0351 08            |ADD EDX,DWORD PTR DS:[ECX+8]
  63AF5D55  |. 837D EC 00         |CMP DWORD PTR SS:[EBP-14],0
  63AF5D59  |. 8956 08            |MOV DWORD PTR DS:[ESI+8],EDX
  63AF5D5C  |. 0FB749 0E          |MOVZX ECX,WORD PTR DS:[ECX+E]
  63AF5D60  |. 66:894E 0E         |MOV WORD PTR DS:[ESI+E],CX
  63AF5D64  |. 75 0A              |JNZ SHORT rvrender.63AF5D70
  63AF5D66  |. 81E1 FDFF0000      |AND ECX,0FFFD
  63AF5D6C  |. 66:894E 0E         |MOV WORD PTR DS:[ESI+E],CX
  63AF5D70  |> C746 14 00000000   |MOV DWORD PTR DS:[ESI+14],0
  63AF5D77  |. C706 00000000      |MOV DWORD PTR DS:[ESI],0
  63AF5D7D  |. 8B4D FC            |MOV ECX,DWORD PTR SS:[EBP-4]
  63AF5D80  |. 51                 |PUSH ECX                     ; 32bit at offset 0x7801
  63AF5D81  |. 57                 |PUSH EDI                     ; our data
  63AF5D82  |. 50                 |PUSH EAX                     ; heap buffer having the size got at 63AF5C8F
  63AF5D83  |. E8 F8160000        |CALL <JMP.&MSVCR90.memcpy>   ; memcpy
  63AF5D88  |. 8B55 FC            |MOV EDX,DWORD PTR SS:[EBP-4]
  63AF5D8B  |. 83C4 0C            |ADD ESP,0C
  63AF5D8E  |. 8916               |MOV DWORD PTR DS:[ESI],EDX
  63AF5D90  |> 8B4D E4            |MOV ECX,DWORD PTR SS:[EBP-1C]
  63AF5D93  |. 8B45 FC            |MOV EAX,DWORD PTR SS:[EBP-4]
  63AF5D96  |. 8D140B             |LEA EDX,DWORD PTR DS:[EBX+ECX]
  63AF5D99  |. 8B5D F0            |MOV EBX,DWORD PTR SS:[EBP-10]
  63AF5D9C  |. 8B4D F8            |MOV ECX,DWORD PTR SS:[EBP-8]
  63AF5D9F  |. 03D0               |ADD EDX,EAX
  63AF5DA1  |. 2BDA               |SUB EBX,EDX
  63AF5DA3  |. 56                 |PUSH ESI
  63AF5DA4  |. 03F8               |ADD EDI,EAX
  63AF5DA6  |. 895D F0            |MOV DWORD PTR SS:[EBP-10],EBX
  63AF5DA9  |. E8 D2FCFFFF        |CALL rvrender.63AF5A80
  63AF5DAE  |. 56                 |PUSH ESI
  63AF5DAF  |. 8945 E4            |MOV DWORD PTR SS:[EBP-1C],EAX
  63AF5DB2  |. E8 53120000        |CALL <JMP.&MSVCR90.operator delete>
  63AF5DB7  |. 83C4 04            |ADD ESP,4
  63AF5DBA  |. C745 EC 00000000   |MOV DWORD PTR SS:[EBP-14],0
  63AF5DC1  |. 85DB               |TEST EBX,EBX
  63AF5DC3  |.^0F85 E7FEFFFF      \JNZ rvrender.63AF5CB0
  63AF5DC9  |. 8B45 E4            MOV EAX,DWORD PTR SS:[EBP-1C]
  63AF5DCC  |. 5B                 POP EBX
  63AF5DCD  |. 5F                 POP EDI
  63AF5DCE  |. 5E                 POP ESI
  63AF5DCF  |. 8BE5               MOV ESP,EBP
  63AF5DD1  |. 5D                 POP EBP
  63AF5DD2  |. C2 0400            RETN 4
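The allocate/memcpy pattern above, reduced to a small parser. This is an added
example written for this page, not code from rvrender.dll or from the PoC
archive: the record layout, the field offsets and the function names are
hypothetical stand-ins modelled on the three values the disassembly comments
point at (the 0xE0 type byte, the 32-bit frame size used for the allocation and
the 32-bit big-endian copy length). The vulnerable form is shown beside the
hardened form so the missing comparison is visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (an assumption for this example, not the real IVR
 * frame format), mirroring the fields the advisory identifies:
 *   [0..3]  big-endian 32-bit frame size  -> drives the allocation
 *   [4]     type byte, (byte & 0xE0) == 0xE0 selects this code path
 *   [5..8]  big-endian 32-bit copy length -> drives the memcpy
 *   [9..]   payload
 */
#define FRAME_HDR_LEN 9

struct frame {
    uint8_t  *data;       /* heap buffer of alloc_size bytes */
    uint32_t  alloc_size; /* bytes allocated */
    uint32_t  len;        /* bytes actually copied in */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Builds a record in the layout above (constructed test input, not a real
 * IVR file). Returns the record length, or -1 if it does not fit in out. */
int build_record(uint8_t *out, size_t outcap, uint32_t alloc_size,
                 uint32_t copy_len, const uint8_t *payload, size_t payload_len)
{
    if (outcap < FRAME_HDR_LEN + payload_len) return -1;
    put_be32(out, alloc_size);
    out[4] = 0xE0;
    put_be32(out + 5, copy_len);
    memcpy(out + FRAME_HDR_LEN, payload, payload_len);
    return (int)(FRAME_HDR_LEN + payload_len);
}

/* The pattern the advisory describes: allocation size and copy length come
 * from two unrelated fields and are never compared, so copy_len > alloc_size
 * writes past the end of the heap buffer. Shown for comparison only; never
 * call it on untrusted input. */
int parse_frame_vulnerable(const uint8_t *buf, size_t buflen, struct frame *out)
{
    if (buflen < FRAME_HDR_LEN || (buf[4] & 0xE0) != 0xE0) return -1;
    uint32_t alloc_size = be32(buf);
    uint32_t copy_len   = be32(buf + 5);
    uint8_t *dst = malloc(alloc_size);
    if (!dst) return -1;
    memcpy(dst, buf + FRAME_HDR_LEN, copy_len);  /* heap overflow when copy_len > alloc_size */
    out->data = dst; out->alloc_size = alloc_size; out->len = copy_len;
    return 0;
}

/* Hardened form: the copy length must fit both the destination allocation and
 * the remaining input. Returns 0 ok, -1 bad header, -2 length exceeds the
 * allocation, -3 length exceeds the input. */
int parse_frame_hardened(const uint8_t *buf, size_t buflen, struct frame *out)
{
    if (buflen < FRAME_HDR_LEN || (buf[4] & 0xE0) != 0xE0) return -1;
    uint32_t alloc_size = be32(buf);
    uint32_t copy_len   = be32(buf + 5);
    if (copy_len > alloc_size) return -2;              /* the check the bug lacks */
    if (copy_len > buflen - FRAME_HDR_LEN) return -3;  /* no over-read of the file either */
    uint8_t *dst = malloc(alloc_size ? alloc_size : 1);
    if (!dst) return -1;
    memcpy(dst, buf + FRAME_HDR_LEN, copy_len);
    out->data = dst; out->alloc_size = alloc_size; out->len = copy_len;
    return 0;
}

void frame_free(struct frame *f)
{
    free(f->data);
    f->data = NULL; f->alloc_size = f->len = 0;
}

int main(void)
{
    uint8_t rec[64], payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct frame f;
    /* Hostile record: 4-byte allocation, 0x10000-byte copy length */
    int n = build_record(rec, sizeof rec, 4, 0x10000, payload, sizeof payload);
    printf("hardened parser on hostile record: %d\n", parse_frame_hardened(rec, (size_t)n, &f));
    /* Benign record: the copy fits the allocation */
    n = build_record(rec, sizeof rec, 16, 8, payload, sizeof payload);
    if (parse_frame_hardened(rec, (size_t)n, &f) == 0) {
        printf("accepted %u of %u bytes\n", f.len, f.alloc_size);
        frame_free(&f);
    }
    return 0;
}
```

Two checks are needed, not one: comparing the copy length against the
allocation stops the heap write, and comparing it against the bytes left in
the input stops the matching over-read. In the PoC the second field is the
32-bit big-endian value at offset 0x7801 of real_5.ivr.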


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/real_5.zip
http://www.exploit-db.com/sploits/17019.zip

The amount of data to copy is the 32-bit big-endian value located at
offset 0x7801 of real_5.ivr.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

