#######################################################################

                             Luigi Auriemma

Application:  RealPlayer
              http://www.real.com
Versions:     <= 14.0.1.633
Platforms:    Windows, Macintosh OSX, Linux, Symbian, Palm
Bug:          heap overflow
Exploitation: remote
Date:         21 Mar 2011 (found 17 Feb 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

RealPlayer is a media player developed by RealNetworks and used mainly
for its browser plugin, which supports the proprietary file formats of
its developer.

#######################################################################

======
2) Bug
======

Classical heap overflow during the handling of IVR files. The size of
the destination buffer is taken from one attacker-controlled field (the
"frame size", the 32-bit value at offset 0x77f8 of the PoC), while the
number of bytes copied into that buffer by memcpy is taken from another
(the 32-bit big-endian value at offset 0x7801). The two values are
never compared, so the attacker chooses both the allocation size and
the amount of data written past its end.

From rvrender.dll (base address 63AE0000):

63AF5C70  /$ 55               PUSH EBP
63AF5C71  |. 8BEC             MOV EBP,ESP
63AF5C73  |. 83EC 20          SUB ESP,20
63AF5C76  |. 8B55 08          MOV EDX,DWORD PTR SS:[EBP+8]
63AF5C79  |. 56               PUSH ESI
63AF5C7A  |. 57               PUSH EDI
63AF5C7B  |. 8B7A 04          MOV EDI,DWORD PTR DS:[EDX+4]
63AF5C7E  |. 8A07             MOV AL,BYTE PTR DS:[EDI]            ; byte at offset 0x7800 of the PoC
63AF5C80  |. 24 E0            AND AL,0E0
63AF5C82  |. 33F6             XOR ESI,ESI
63AF5C84  |. 894D F8          MOV DWORD PTR SS:[EBP-8],ECX
63AF5C87  |. 3C E0            CMP AL,0E0                          ; (byte & 0xe0) == 0xe0
63AF5C89  |. 0F85 46010000    JNZ rvrender.63AF5DD5
63AF5C8F  |. 8B0A             MOV ECX,DWORD PTR DS:[EDX]          ; 32bit value at offset 0x77f8 (allocation)
63AF5C91  |. 47               INC EDI
63AF5C92  |. 83E9 01          SUB ECX,1
63AF5C95  |. 8975 FC          MOV DWORD PTR SS:[EBP-4],ESI
63AF5C98  |. 8975 E8          MOV DWORD PTR SS:[EBP-18],ESI
63AF5C9B  |. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1
63AF5CA2  |. 894D F0          MOV DWORD PTR SS:[EBP-10],ECX
63AF5CA5  |. 0F84 38010000    JE rvrender.63AF5DE3
63AF5CAB  |. 53               PUSH EBX
63AF5CAC  |. 8D6424 00        LEA ESP,DWORD PTR SS:[ESP]
63AF5CB0  |> 57               /PUSH EDI
63AF5CB1  |. 8D4D FC          |LEA ECX,DWORD PTR SS:[EBP-4]
63AF5CB4  |. 51               |PUSH ECX
63AF5CB5  |. 8D55 E8          |LEA EDX,DWORD PTR SS:[EBP-18]
63AF5CB8  |. 52               |PUSH EDX
63AF5CB9  |. E8 92010000      |CALL rvrender.63AF5E50
63AF5CBE  |. 03F8             |ADD EDI,EAX
63AF5CC0  |. 8945 E4          |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5CC3  |. 66:0FB607        |MOVZX AX,BYTE PTR DS:[EDI]
63AF5CC7  |. 0FB7C8           |MOVZX ECX,AX
63AF5CCA  |. 83C4 0C          |ADD ESP,0C
63AF5CCD  |. 84C9             |TEST CL,CL
63AF5CCF  |. 79 0D            |JNS SHORT rvrender.63AF5CDE
63AF5CD1  |. 83E1 7F          |AND ECX,7F
63AF5CD4  |. 894D F4          |MOV DWORD PTR SS:[EBP-C],ECX
63AF5CD7  |. B8 01000000      |MOV EAX,1
63AF5CDC  |. EB 1E            |JMP SHORT rvrender.63AF5CFC
63AF5CDE  |> 66:0FB64F 01     |MOVZX CX,BYTE PTR DS:[EDI+1]
63AF5CE3  |. C1E0 08          |SHL EAX,8
63AF5CE6  |. 66:0BC8          |OR CX,AX
63AF5CE9  |. BA FF7F0000      |MOV EDX,7FFF
63AF5CEE  |. 66:23CA          |AND CX,DX
63AF5CF1  |. 0FB7C1           |MOVZX EAX,CX                       ; 16bit at offset 0x7805
63AF5CF4  |. 8945 F4          |MOV DWORD PTR SS:[EBP-C],EAX
63AF5CF7  |. B8 02000000      |MOV EAX,2
63AF5CFC  |> 0FB7D8           |MOVZX EBX,AX
63AF5CFF  |. 6A 18            |PUSH 18
63AF5D01  |. 03FB             |ADD EDI,EBX
63AF5D03  |. E8 FC120000      |CALL <JMP.&MSVCR90.operator new>
63AF5D08  |. 8BF0             |MOV ESI,EAX
63AF5D0A  |. 83C4 04          |ADD ESP,4
63AF5D0D  |. 85F6             |TEST ESI,ESI
63AF5D0F  |. 74 7F            |JE SHORT rvrender.63AF5D90
63AF5D11  |. 8B4D FC          |MOV ECX,DWORD PTR SS:[EBP-4]
63AF5D14  |. 51               |PUSH ECX
63AF5D15  |. 8B4D F8          |MOV ECX,DWORD PTR SS:[EBP-8]
63AF5D18  |. E8 D3F2FFFF      |CALL rvrender.63AF4FF0
63AF5D1D  |. 85C0             |TEST EAX,EAX
63AF5D1F  |. 75 0B            |JNZ SHORT rvrender.63AF5D2C
63AF5D21  |. 56               |PUSH ESI
63AF5D22  |. E8 E3120000      |CALL <JMP.&MSVCR90.operator delete>
63AF5D27  |. 83C4 04          |ADD ESP,4
63AF5D2A  |. 33F6             |XOR ESI,ESI
63AF5D2C  |> 8B55 F8          |MOV EDX,DWORD PTR SS:[EBP-8]
63AF5D2F  |. 8B0A             |MOV ECX,DWORD PTR DS:[EDX]
63AF5D31  |. 8B01             |MOV EAX,DWORD PTR DS:[ECX]
63AF5D33  |. 8B40 0C          |MOV EAX,DWORD PTR DS:[EAX+C]
63AF5D36  |. 8D55 E0          |LEA EDX,DWORD PTR SS:[EBP-20]
63AF5D39  |. 52               |PUSH EDX
63AF5D3A  |. FFD0             |CALL EAX
63AF5D3C  |. 8946 04          |MOV DWORD PTR DS:[ESI+4],EAX
63AF5D3F  |. 85C0             |TEST EAX,EAX
63AF5D41  |. 74 4D            |JE SHORT rvrender.63AF5D90
63AF5D43  |. 8B4D 08          |MOV ECX,DWORD PTR SS:[EBP+8]
63AF5D46  |. 66:8B51 0C       |MOV DX,WORD PTR DS:[ECX+C]
63AF5D4A  |. 66:8956 0C       |MOV WORD PTR DS:[ESI+C],DX
63AF5D4E  |. 0FB755 F4        |MOVZX EDX,WORD PTR SS:[EBP-C]
63AF5D52  |. 0351 08          |ADD EDX,DWORD PTR DS:[ECX+8]
63AF5D55  |. 837D EC 00       |CMP DWORD PTR SS:[EBP-14],0
63AF5D59  |. 8956 08          |MOV DWORD PTR DS:[ESI+8],EDX
63AF5D5C  |. 0FB749 0E        |MOVZX ECX,WORD PTR DS:[ECX+E]
63AF5D60  |. 66:894E 0E       |MOV WORD PTR DS:[ESI+E],CX
63AF5D64  |. 75 0A            |JNZ SHORT rvrender.63AF5D70
63AF5D66  |. 81E1 FDFF0000    |AND ECX,0FFFD
63AF5D6C  |. 66:894E 0E       |MOV WORD PTR DS:[ESI+E],CX
63AF5D70  |> C746 14 00000000 |MOV DWORD PTR DS:[ESI+14],0
63AF5D77  |. C706 00000000    |MOV DWORD PTR DS:[ESI],0
63AF5D7D  |. 8B4D FC          |MOV ECX,DWORD PTR SS:[EBP-4]
63AF5D80  |. 51               |PUSH ECX                           ; 32bit at offset 0x7801
63AF5D81  |. 57               |PUSH EDI                           ; our data
63AF5D82  |. 50               |PUSH EAX                           ; heap buffer having the size got at 63AF5C8F
63AF5D83  |. E8 F8160000      |CALL <JMP.&MSVCR90.memcpy>         ; memcpy
63AF5D88  |. 8B55 FC          |MOV EDX,DWORD PTR SS:[EBP-4]
63AF5D8B  |. 83C4 0C          |ADD ESP,0C
63AF5D8E  |. 8916             |MOV DWORD PTR DS:[ESI],EDX
63AF5D90  |> 8B4D E4          |MOV ECX,DWORD PTR SS:[EBP-1C]
63AF5D93  |. 8B45 FC          |MOV EAX,DWORD PTR SS:[EBP-4]
63AF5D96  |. 8D140B           |LEA EDX,DWORD PTR DS:[EBX+ECX]
63AF5D99  |. 8B5D F0          |MOV EBX,DWORD PTR SS:[EBP-10]
63AF5D9C  |. 8B4D F8          |MOV ECX,DWORD PTR SS:[EBP-8]
63AF5D9F  |. 03D0             |ADD EDX,EAX
63AF5DA1  |. 2BDA             |SUB EBX,EDX
63AF5DA3  |. 56               |PUSH ESI
63AF5DA4  |. 03F8             |ADD EDI,EAX
63AF5DA6  |. 895D F0          |MOV DWORD PTR SS:[EBP-10],EBX
63AF5DA9  |. E8 D2FCFFFF      |CALL rvrender.63AF5A80
63AF5DAE  |. 56               |PUSH ESI
63AF5DAF  |. 8945 E4          |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5DB2  |. E8 53120000      |CALL <JMP.&MSVCR90.operator delete>
63AF5DB7  |. 83C4 04          |ADD ESP,4
63AF5DBA  |. C745 EC 00000000 |MOV DWORD PTR SS:[EBP-14],0
63AF5DC1  |. 85DB             |TEST EBX,EBX
63AF5DC3  |.^0F85 E7FEFFFF    \JNZ rvrender.63AF5CB0
63AF5DC9  |. 8B45 E4          MOV EAX,DWORD PTR SS:[EBP-1C]
63AF5DCC  |. 5B               POP EBX
63AF5DCD  |. 5F               POP EDI
63AF5DCE  |. 5E               POP ESI
63AF5DCF  |. 8BE5             MOV ESP,EBP
63AF5DD1  |. 5D               POP EBP
63AF5DD2  |. C2 0400          RETN 4

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/real_5.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17019.zip

The amount of data to copy is the 32-bit big-endian value located at
offset 0x7801 of real_5.ivr.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
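The following C model of the copy loop in sections 2 and 3 is an added example, not code from the advisory or from RealNetworks. It reproduces only what the listing shows: a frame is accepted when (byte & 0xe0) == 0xe0, a 32-bit big-endian copy length follows, then the 1- or 2-byte field decoded at 63AF5CC3..63AF5CF1 (high bit set: 7-bit value in one byte; clear: 15-bit big-endian value in two bytes), then the payload that memcpy reads. The exact encoding consumed by the unlisted routine at 63AF5E50 is an assumption (a plain big-endian dword, as section 3 states for the PoC), and the destination size that the real code reads from the structure at 0x77f8 is passed in as `buf_size`. The sample records are constructed here and are not taken from real_5.ivr. The vulnerable variant keeps the bug (independent allocation size and copy length); the hardened variant shows the check that is missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FRAME_TAG_MASK 0xE0          /* AND AL,0E0 ; CMP AL,0E0 at 63AF5C80/63AF5C87 */

/* The 1- or 2-byte field read at 63AF5CC3..63AF5CF1.
   Returns the number of bytes consumed, 0 if the input is too short. */
static size_t decode_short_field(const uint8_t *p, size_t avail, uint32_t *val)
{
    if (avail < 1) return 0;
    if (p[0] & 0x80) {                      /* TEST CL,CL ; JNS not taken: 7-bit value */
        *val = p[0] & 0x7F;
        return 1;
    }
    if (avail < 2) return 0;                /* MOVZX CX,[EDI+1] ; SHL EAX,8 ; OR ; AND 7FFF */
    *val = (((uint32_t)p[0] << 8) | p[1]) & 0x7FFF;
    return 2;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Header shared by both variants (assumed layout: tag byte, BE32 copy length,
   short field). Returns the offset of the payload, 0 on a malformed header. */
static size_t parse_header(const uint8_t *rec, size_t rec_len,
                           uint32_t *copy_len, uint32_t *short_val)
{
    size_t off, n;
    if (rec_len < 5 || (rec[0] & FRAME_TAG_MASK) != FRAME_TAG_MASK) return 0;
    *copy_len = be32(rec + 1);              /* the value at 0x7801 in the PoC */
    off = 5;
    n = decode_short_field(rec + off, rec_len - off, short_val);
    if (n == 0) return 0;
    return off + n;
}

/* Vulnerable shape of the rvrender.dll code: the buffer is sized from one
   attacker-controlled value (buf_size, read from 0x77f8 in the real code) and
   memcpy's length from another (copy_len), with no comparison between them. */
uint8_t *copy_frame_vulnerable(const uint8_t *rec, size_t rec_len,
                               uint32_t buf_size, uint32_t *out_len)
{
    uint32_t copy_len, sv;
    size_t off = parse_header(rec, rec_len, &copy_len, &sv);
    if (off == 0) return NULL;
    uint8_t *buf = malloc(buf_size);
    if (!buf) return NULL;
    memcpy(buf, rec + off, copy_len);       /* heap overflow when copy_len > buf_size */
    *out_len = copy_len;
    return buf;
}

/* Hardened variant: the copy length must fit both the destination buffer and
   the bytes actually remaining in the input. */
uint8_t *copy_frame_hardened(const uint8_t *rec, size_t rec_len,
                             uint32_t buf_size, uint32_t *out_len)
{
    uint32_t copy_len, sv;
    size_t off = parse_header(rec, rec_len, &copy_len, &sv);
    if (off == 0) return NULL;
    if (copy_len > buf_size || copy_len > rec_len - off) return NULL;
    uint8_t *buf = malloc(buf_size);
    if (!buf) return NULL;
    memcpy(buf, rec + off, copy_len);
    *out_len = copy_len;
    return buf;
}

/* Constructed test records (not from real_5.ivr). */
static const uint8_t benign_rec[] = {
    0xE3, 0x00, 0x00, 0x00, 0x08,           /* tag, copy length 8 */
    0x85,                                   /* 1-byte short field, value 5 */
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'  /* payload */
};
static const uint8_t evil_rec[] = {
    0xE3, 0x00, 0x00, 0x10, 0x00,           /* tag, copy length 0x1000 */
    0x01, 0x02,                             /* 2-byte short field, value 0x0102 */
    'X'                                     /* only one real payload byte */
};

int main(void)
{
    uint32_t n = 0;
    uint8_t *b = copy_frame_hardened(benign_rec, sizeof benign_rec, 16, &n);
    printf("benign record, hardened: %s, %u bytes\n", b ? "accepted" : "rejected", n);
    free(b);
    b = copy_frame_hardened(evil_rec, sizeof evil_rec, 16, &n);
    printf("evil record, hardened: %s\n", b ? "accepted" : "rejected");
    free(b);
    /* copy_frame_vulnerable(evil_rec, ...) would write 0x1000 bytes into a
       16-byte heap chunk; it is deliberately not called here. */
    return 0;
}
```

The check in `copy_frame_hardened` is the one absent between 63AF5C8F (allocation size) and 63AF5D83 (memcpy): with it, the 0x1000-byte claim of the second record is refused before any allocation, and the copy can never exceed the destination or read past the end of the input.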