RealPlayer 15.0.6.14 (.3GP) Arbitrary Code Execution POC



EKU-ID: 2730 CVE: OSVDB-ID:
Author: coolkaveh Published: 2012-10-22 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Title    :  RealPlayer 15.0.6.14 (.3GP) Arbitrary Code Execution
Version  :  15.0.6.14
Date     :  2012-10-18
Vendor   :  http://www.real.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  XP SP3 ENG
Author   :  coolkaveh
#####################################################################
Executable search path is:
ModLoad: 00400000 00407000   rphelperapp.exe
ModLoad: 7c900000 7c9b2000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f03000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 61740000 617a3000   C:\Program
Files\Real\RealPlayer\plugins\vidsite.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 78520000 785c3000
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\MSVCR90.dll
(1a2c.1bb0): Break instruction exception - code 80000003 (first chance)
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 604d0000 6057b000   C:\Program
Files\Real\RealPlayer\codecs\colorcvt.dll
ModLoad: 7c340000 7c396000   C:\WINDOWS\system32\MSVCR71.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 7c9c0000 7d1d8000   C:\WINDOWS\system32\shell32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 773d0000 774d3000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\comctl32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 73760000 737ab000   C:\WINDOWS\system32\DDRAW.DLL
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\winspool.drv
ModLoad: 62380000 62398000   C:\Program
Files\Real\RealPlayer\common\twebbrowse.dll
ModLoad: 3e1c0000 3ec5d000   C:\WINDOWS\system32\ieframe.dll
ModLoad: 64650000 646ba000   C:\Documents and Settings\All
Users\Application
Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 63600000 6360b000   C:\Program
Files\Real\RealPlayer\mpaplugins\mpazip.dll
ModLoad: 30000000 30023000   C:\Program Files\Real\RealPlayer\dunzip32.dll
ModLoad: 71e50000 71e65000   C:\WINDOWS\system32\msapsspc.dll
ModLoad: 78080000 78091000   C:\WINDOWS\system32\MSVCRT40.dll
ModLoad: 767f0000 76819000   C:\WINDOWS\system32\schannel.dll
ModLoad: 59c00000 59c07000   C:\WINDOWS\system32\credssp.dll
ModLoad: 75b00000 75b15000   C:\WINDOWS\system32\digest.dll
ModLoad: 747b0000 747f7000   C:\WINDOWS\system32\msnsspc.dll
ModLoad: 78080000 78091000   C:\WINDOWS\system32\MSVCRT40.dll
ModLoad: 59c00000 59c07000   C:\WINDOWS\system32\credssp.dll
ModLoad: 767f0000 76819000   C:\WINDOWS\system32\schannel.dll
ModLoad: 77c70000 77c95000   C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76790000 7679c000   C:\WINDOWS\system32\cryptdll.dll
ModLoad: 722b0000 722b5000   C:\WINDOWS\system32\sensapi.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 7e720000 7e7d0000   C:\WINDOWS\system32\SXS.DLL
ModLoad: 3cea0000 3d45e000   C:\WINDOWS\system32\mshtml.dll
ModLoad: 042b0000 042d9000   C:\WINDOWS\system32\msls31.dll
ModLoad: 71800000 71888000   C:\WINDOWS\system32\SHDOCLC.DLL
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 75cf0000 75d81000   C:\WINDOWS\system32\MLANG.dll
ModLoad: 73760000 737ab000   C:\WINDOWS\system32\DDRAW.DLL
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 746f0000 7471a000   C:\WINDOWS\system32\msimtf.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 63600000 6360b000   C:\Program
Files\Real\RealPlayer\mpaplugins\mpazip.dll
ModLoad: 30000000 30023000   C:\Program Files\Real\RealPlayer\dunzip32.dll
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 73ee0000 73ee4000   C:\WINDOWS\system32\KsUser.dll
ModLoad: 614b0000 614c9000   C:\Program
Files\Real\RealPlayer\hxaudiodevicehook.dll
ModLoad: 614b0000 614c9000   C:\Program
Files\Real\RealPlayer\hxaudiodevicehook.dll
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): C++ EH exception - code e06d7363 (first chance)
(1f48.1ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250206
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\Program Files\Real\RealPlayer\codecs\dmp4.dll -
dmp4!GetGUID+0x1836f:
614394df 8944241c        mov     dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
0:000> r;!exploitable -v;q
eax=02ba99b0 ebx=244fe2d0 ecx=0012f5ac edx=0012f5bc esi=00000000 edi=00000004
eip=614394df esp=3d891890 ebp=0012f578 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250206
dmp4!GetGUID+0x1836f:
614394df 8944241c        mov     dword ptr [esp+1Ch],eax
ss:0023:3d8918ac=????????
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for ntdll.dll -
Exception Faulting Address: 0x3d8918ac
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x247c7f22.0x247c7f63

Stack Trace:
dmp4!GetGUID+0x1836f
Instruction Address: 0x00000000614394df

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
dmp4!GetGUID+0x000000000001836f (Hash=0x247c7f22.0x247c7f63)

User mode write access violations that are not near NULL are exploitable.
#####################################################################

Proof of concept

http://seclists.org/fulldisclosure/2012/Oct/att-123/POC_rar.bin

#####################################################################