RealPlayer 15.0.6.14 (.3GP) Arbitrary Code Execution POC
Source: coolkaveh [at] rocketmail.com   Author: coolkaveh   Published: 2012-10-22
Title    :  RealPlayer 15.0.6.14 (.3GP) Arbitrary Code Execution
Version  :  15.0.6.14
Date     :  2012-10-18
Vendor   :  http://www.real.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  XP SP3 ENG
Author   :  coolkaveh
#####################################################################
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Real\RealPlayer\codecs\dmp4.dll -
dmp4!GetGUID+0x1836f:
614394df 8944241c        mov     dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
0:000> r;!exploitable -v;q
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250206
dmp4!GetGUID+0x1836f:
614394df 8944241c        mov     dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0x3d8918ac
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x247c7f22.0x247c7f63

Stack Trace:
dmp4!GetGUID+0x1836f
Instruction Address: 0x00000000614394df

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at dmp4!GetGUID+0x000000000001836f (Hash=0x247c7f22.0x247c7f63)

User mode write access violations that are not near NULL are exploitable.
#####################################################################
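As an added crash-triage example (not part of the advisory and not RealNetworks code): a small parser that pulls the exception code, registers, faulting address and faulting instruction out of a WinDbg excerpt like the one above and applies the rule quoted at the end of the !exploitable output. The excerpt is constructed from the log above; the near-NULL window and the esp/ebp drift threshold are assumptions, since the page does not state !exploitable's exact bounds.

```python
import re

# Constructed excerpt of the WinDbg / !exploitable output above (sample input, not a live session).
CRASH_LOG = """\
(1f48.1ff4): Access violation - code c0000005 (first chance)
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0         nv up ei pl nz na pe nc
dmp4!GetGUID+0x1836f:
614394df 8944241c        mov     dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
Exception Faulting Address: 0x3d8918ac
Exception Sub-Type: Write Access Violation
"""

NEAR_NULL = 0x10000      # assumed "near NULL" window; the exact !exploitable bound is not on the page
STACK_DRIFT = 0x100000   # assumed maximum plausible esp/ebp distance for an intact stack frame


def parse_crash(log):
    """Extract the fields a triage decision needs from a WinDbg crash excerpt."""
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(e[a-z]{2})=([0-9a-f]{8})", log)}
    code = re.search(r"code ([0-9a-f]{8})", log)
    fault = re.search(r"Exception Faulting Address: 0x([0-9a-f]+)", log)
    sub = re.search(r"Exception Sub-Type: (\w+) Access Violation", log)
    insn = re.search(r"^[0-9a-f]{8} [0-9a-f]+\s+(\w+\s+.*)$", log, re.M)
    return {
        "code": int(code.group(1), 16) if code else None,
        "regs": regs,
        "fault_addr": int(fault.group(1), 16) if fault else None,
        "access": sub.group(1).lower() if sub else None,
        "instruction": insn.group(1).strip() if insn else None,
    }


def triage(crash):
    """Apply the quoted rule: a user-mode write AV that is not near NULL is treated as exploitable."""
    notes = []
    addr, regs = crash["fault_addr"], crash["regs"]
    if crash["code"] != 0xC0000005 or addr is None:
        return "unknown", notes
    # A stack pointer far away from the frame pointer is a sign that esp itself was clobbered.
    if "esp" in regs and "ebp" in regs and abs(regs["esp"] - regs["ebp"]) > STACK_DRIFT:
        notes.append("esp far from ebp: stack pointer looks corrupted")
    # Cross-check: does the faulting address equal esp plus the displacement in the faulting instruction?
    disp = re.search(r"\[esp\+([0-9A-Fa-f]+)h\]", crash["instruction"] or "")
    if disp and addr == regs.get("esp", -1) + int(disp.group(1), 16):
        notes.append("fault address == esp+disp: the write goes through the corrupted esp")
    near_null = addr < NEAR_NULL
    if crash["access"] == "write" and not near_null:
        return "exploitable", notes
    return ("likely-null-deref" if near_null else "read-av-needs-review"), notes
```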

Proof of concept

http://seclists.org/fulldisclosure/2012/Oct/att-123/POC_rar.bin

##################################################################### 

# 1337day.com [2012-10-22]