RealPlayer 14.0.1.633 – Heap Overflow

• Exploit Database
• 13 阅读

• 作者： Luigi Auriemma
  日期： 2011-03-21
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17019/

• #######################################################################
  
   Luigi Auriemma
  
  Application:RealPlayer
  http://www.real.com
  Versions: <= 14.0.1.633
  Platforms:Windows, Macintosh OSX, Linux, Symbian, Palm
  Bug:heap overflow
  Exploitation: remote
  Date: 21 Mar 2011 (found 17 Feb 2011)
  Author: Luigi Auriemma
  e-mail: aluigi@autistici.org
  web:aluigi.org
  
  
  #######################################################################
  
  
  1) Introduction
  2) Bug
  3) The Code
  4) Fix
  
  
  #######################################################################
  
  ===============
  1) Introduction
  ===============
  
  
  RealPlayer is an ugly media player developed by RealNetwork and used
  mainly for its browser's plugin supporting the proprietary file formats
  of its developer.
  
  
  #######################################################################
  
  ======
  2) Bug
  ======
  
  
  Classical heap overflow during the handling of the IVR files caused by
  the allocation of a certain amount of data (frame size) decided by the
  attacker and the copying of another arbitrary amount on the same
  buffer.
  From rvrender.dll (base address 63AE0000):
  
  63AF5C70/$ 55 PUSH EBP
  63AF5C71|. 8BEC MOV EBP,ESP
  63AF5C73|. 83EC 20SUB ESP,20
  63AF5C76|. 8B55 08MOV EDX,DWORD PTR SS:[EBP+8]
  63AF5C79|. 56 PUSH ESI
  63AF5C7A|. 57 PUSH EDI
  63AF5C7B|. 8B7A 04MOV EDI,DWORD PTR DS:[EDX+4]
  63AF5C7E|. 8A07 MOV AL,BYTE PTR DS:[EDI]; byte at offset 0x7800 of the PoC
  63AF5C80|. 24 E0AND AL,0E0
  63AF5C82|. 33F6 XOR ESI,ESI
  63AF5C84|. 894D F8MOV DWORD PTR SS:[EBP-8],ECX
  63AF5C87|. 3C E0CMP AL,0E0; (byte & 0xe0) == 0xe0
  63AF5C89|. 0F85 46010000JNZ rvrender.63AF5DD5
  63AF5C8F|. 8B0A MOV ECX,DWORD PTR DS:[EDX]; 32bit value at offset 0x77f8 (allocation)
  63AF5C91|. 47 INC EDI
  63AF5C92|. 83E9 01SUB ECX,1
  63AF5C95|. 8975 FCMOV DWORD PTR SS:[EBP-4],ESI
  63AF5C98|. 8975 E8MOV DWORD PTR SS:[EBP-18],ESI
  63AF5C9B|. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1
  63AF5CA2|. 894D F0MOV DWORD PTR SS:[EBP-10],ECX
  63AF5CA5|. 0F84 38010000JE rvrender.63AF5DE3
  63AF5CAB|. 53 PUSH EBX
  63AF5CAC|. 8D6424 00LEA ESP,DWORD PTR SS:[ESP]
  63AF5CB0|> 57 /PUSH EDI
  63AF5CB1|. 8D4D FC|LEA ECX,DWORD PTR SS:[EBP-4]
  63AF5CB4|. 51 |PUSH ECX
  63AF5CB5|. 8D55 E8|LEA EDX,DWORD PTR SS:[EBP-18]
  63AF5CB8|. 52 |PUSH EDX
  63AF5CB9|. E8 92010000|CALL rvrender.63AF5E50
  63AF5CBE|. 03F8 |ADD EDI,EAX
  63AF5CC0|. 8945 E4|MOV DWORD PTR SS:[EBP-1C],EAX
  63AF5CC3|. 66:0FB607|MOVZX AX,BYTE PTR DS:[EDI]
  63AF5CC7|. 0FB7C8 |MOVZX ECX,AX
  63AF5CCA|. 83C4 0C|ADD ESP,0C
  63AF5CCD|. 84C9 |TEST CL,CL
  63AF5CCF|. 79 0D|JNS SHORT rvrender.63AF5CDE
  63AF5CD1|. 83E1 7F|AND ECX,7F
  63AF5CD4|. 894D F4|MOV DWORD PTR SS:[EBP-C],ECX
  63AF5CD7|. B8 01000000|MOV EAX,1
  63AF5CDC|. EB 1E|JMP SHORT rvrender.63AF5CFC
  63AF5CDE|> 66:0FB64F 01 |MOVZX CX,BYTE PTR DS:[EDI+1]
  63AF5CE3|. C1E0 08|SHL EAX,8
  63AF5CE6|. 66:0BC8|OR CX,AX
  63AF5CE9|. BA FF7F0000|MOV EDX,7FFF
  63AF5CEE|. 66:23CA|AND CX,DX
  63AF5CF1|. 0FB7C1 |MOVZX EAX,CX ; 16bit at offset 0x7805
  63AF5CF4|. 8945 F4|MOV DWORD PTR SS:[EBP-C],EAX
  63AF5CF7|. B8 02000000|MOV EAX,2
  63AF5CFC|> 0FB7D8 |MOVZX EBX,AX
  63AF5CFF|. 6A 18|PUSH 18
  63AF5D01|. 03FB |ADD EDI,EBX
  63AF5D03|. E8 FC120000|CALL <JMP.&MSVCR90.operator new>
  63AF5D08|. 8BF0 |MOV ESI,EAX
  63AF5D0A|. 83C4 04|ADD ESP,4
  63AF5D0D|. 85F6 |TEST ESI,ESI
  63AF5D0F|. 74 7F|JE SHORT rvrender.63AF5D90
  63AF5D11|. 8B4D FC|MOV ECX,DWORD PTR SS:[EBP-4]
  63AF5D14|. 51 |PUSH ECX
  63AF5D15|. 8B4D F8|MOV ECX,DWORD PTR SS:[EBP-8]
  63AF5D18|. E8 D3F2FFFF|CALL rvrender.63AF4FF0
  63AF5D1D|. 85C0 |TEST EAX,EAX
  63AF5D1F|. 75 0B|JNZ SHORT rvrender.63AF5D2C
  63AF5D21|. 56 |PUSH ESI
  63AF5D22|. E8 E3120000|CALL <JMP.&MSVCR90.operator delete>
  63AF5D27|. 83C4 04|ADD ESP,4
  63AF5D2A|. 33F6 |XOR ESI,ESI
  63AF5D2C|> 8B55 F8|MOV EDX,DWORD PTR SS:[EBP-8]
  63AF5D2F|. 8B0A |MOV ECX,DWORD PTR DS:[EDX]
  63AF5D31|. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
  63AF5D33|. 8B40 0C|MOV EAX,DWORD PTR DS:[EAX+C]
  63AF5D36|. 8D55 E0|LEA EDX,DWORD PTR SS:[EBP-20]
  63AF5D39|. 52 |PUSH EDX
  63AF5D3A|. FFD0 |CALL EAX
  63AF5D3C|. 8946 04|MOV DWORD PTR DS:[ESI+4],EAX
  63AF5D3F|. 85C0 |TEST EAX,EAX
  63AF5D41|. 74 4D|JE SHORT rvrender.63AF5D90
  63AF5D43|. 8B4D 08|MOV ECX,DWORD PTR SS:[EBP+8]
  63AF5D46|. 66:8B51 0C |MOV DX,WORD PTR DS:[ECX+C]
  63AF5D4A|. 66:8956 0C |MOV WORD PTR DS:[ESI+C],DX
  63AF5D4E|. 0FB755 F4|MOVZX EDX,WORD PTR SS:[EBP-C]
  63AF5D52|. 0351 08|ADD EDX,DWORD PTR DS:[ECX+8]
  63AF5D55|. 837D EC 00 |CMP DWORD PTR SS:[EBP-14],0
  63AF5D59|. 8956 08|MOV DWORD PTR DS:[ESI+8],EDX
  63AF5D5C|. 0FB749 0E|MOVZX ECX,WORD PTR DS:[ECX+E]
  63AF5D60|. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX
  63AF5D64|. 75 0A|JNZ SHORT rvrender.63AF5D70
  63AF5D66|. 81E1 FDFF0000|AND ECX,0FFFD
  63AF5D6C|. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX
  63AF5D70|> C746 14 00000000 |MOV DWORD PTR DS:[ESI+14],0
  63AF5D77|. C706 00000000|MOV DWORD PTR DS:[ESI],0
  63AF5D7D|. 8B4D FC|MOV ECX,DWORD PTR SS:[EBP-4]
  63AF5D80|. 51 |PUSH ECX ; 32bit at offset 0x7801
  63AF5D81|. 57 |PUSH EDI ; our data
  63AF5D82|. 50 |PUSH EAX ; heap buffer having the size got at 63AF5C8F
  63AF5D83|. E8 F8160000|CALL <JMP.&MSVCR90.memcpy> ; memcpy
  63AF5D88|. 8B55 FC|MOV EDX,DWORD PTR SS:[EBP-4]
  63AF5D8B|. 83C4 0C|ADD ESP,0C
  63AF5D8E|. 8916 |MOV DWORD PTR DS:[ESI],EDX
  63AF5D90|> 8B4D E4|MOV ECX,DWORD PTR SS:[EBP-1C]
  63AF5D93|. 8B45 FC|MOV EAX,DWORD PTR SS:[EBP-4]
  63AF5D96|. 8D140B |LEA EDX,DWORD PTR DS:[EBX+ECX]
  63AF5D99|. 8B5D F0|MOV EBX,DWORD PTR SS:[EBP-10]
  63AF5D9C|. 8B4D F8|MOV ECX,DWORD PTR SS:[EBP-8]
  63AF5D9F|. 03D0 |ADD EDX,EAX
  63AF5DA1|. 2BDA |SUB EBX,EDX
  63AF5DA3|. 56 |PUSH ESI
  63AF5DA4|. 03F8 |ADD EDI,EAX
  63AF5DA6|. 895D F0|MOV DWORD PTR SS:[EBP-10],EBX
  63AF5DA9|. E8 D2FCFFFF|CALL rvrender.63AF5A80
  63AF5DAE|. 56 |PUSH ESI
  63AF5DAF|. 8945 E4|MOV DWORD PTR SS:[EBP-1C],EAX
  63AF5DB2|. E8 53120000|CALL <JMP.&MSVCR90.operator delete>
  63AF5DB7|. 83C4 04|ADD ESP,4
  63AF5DBA|. C745 EC 00000000 |MOV DWORD PTR SS:[EBP-14],0
  63AF5DC1|. 85DB |TEST EBX,EBX
  63AF5DC3|.^0F85 E7FEFFFF\JNZ rvrender.63AF5CB0
  63AF5DC9|. 8B45 E4MOV EAX,DWORD PTR SS:[EBP-1C]
  63AF5DCC|. 5B POP EBX
  63AF5DCD|. 5F POP EDI
  63AF5DCE|. 5E POP ESI
  63AF5DCF|. 8BE5 MOV ESP,EBP
  63AF5DD1|. 5D POP EBP
  63AF5DD2|. C2 0400RETN 4
  
  
  #######################################################################
  
  ===========
  3) The Code
  ===========
  
  
  http://aluigi.org/poc/real_5.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17019.zip
  
  the amount of data to copy is the 32bit big endian value located at
  offset 0x7801 of real_5.ivr.
  
  
  #######################################################################
  
  ======
  4) Fix
  ======
  
  
  No fix.
  
  
  #######################################################################