TUCoPS :: HP Unsorted R :: tb13648.htm

Realplayer 11 ActiveX on Win Vista and Win XP SP2 DoS
DOS in Realplayer 11 ActiveX on Win Vista and Win XP SP2
DOS in Realplayer 11 ActiveX on Win Vista and Win XP SP2


+-----------------------------------------------------------------.
Affected    : Realplayer 11 ActiveX on Win Vista and Win XP SP2   :
Type        : DOS Attack                                          :
Date        : 28-11-2007                                          :
Author      : Adonis, Abed                                        :
Link : http://www.safehack.com/Advisory/realpdos.txt :
+-----------------------------------------------------------------.
                                                                  :

+-------------.                                                   :
 Brief History \                                                  :
+---------------`-------------------------------------------------.
GetSourceTransport() fails to handle exceptional conditions, which:
leads to a DoS (Denial of Service) attack.                        :
                                                                  :
GetSourceTransport() is found in rmoc3260.dll which is installed  :
with RealPlayer 11.                                               :
                                                                  :
Note: This ActiveX can be loaded by IE or any other browser.      :
                                                                  :
Successful exploitation will lead to a remote crash in IE 6/7.    :
                                                                  :
+-----------.                                                     :
 The Problem \                                                    :
+-------------`---------------------------------------------------.
RealPlayer 11 ActiveX DoS Proof-of-Concept                        :
                                                                  :
                                                                  :
-:PoC:-                                                           :
1- Copy and past the following code into filepoc.wsf              :
2- Run it by double clicking on it                                :
---------------------------------------------------snip-----------:




---------------------------------------------------snip-----------:

Registers:
--------------------------------------------------
EIP 637F4A02 -> 00000000
EAX 0022EC44 -> 00000000
EBX 663CCB38 -> 663B7400 -> Uni: t;ft;f
ECX 0022EC44 -> 00000000
EDX 01536388 -> 638416B8
EDI 00000000
ESI 00000000
EBP 0022EC68 -> 0022EC78
ESP 0022EC3C -> 00000000

Block Disassembly:
--------------------------------------------------
637F49F2        JE SHORT 637F49F8
637F49F4        MOV ESI,EAX
637F49F6        JMP SHORT 637F49FA
637F49F8        XOR ESI,ESI
637F49FA        LEA ECX,[EBP-24]
637F49FD        CALL 6381C1F0
637F4A02        MOV EDX,[ESI]     <--- CRASH
637F4A04        LEA EAX,[EBP-4]
637F4A07        PUSH EAX
637F4A08        PUSH 638427D8
637F4A0D        PUSH ESI
637F4A0E        CALL [EDX]
637F4A10        MOV EAX,[EBP+8]
637F4A13        SUB EAX,46
637F4A16        JE 637F4B28

Stack Dump:
--------------------------------------------------
22EC3C 00 00 00 00 F4 EC 22 00 00 00 00 00 F4 EC 22 07  [................]
22EC4C C0 6D 53 01 00 00 00 00 30 ED 22 00 00 00 00 00  [.mS.............]
22EC5C 00 00 00 00 DC 9A 2B 00 00 00 00 00 78 EC 22 00  [................]
22EC6C A8 C7 7F 63 47 00 00 00 FF 7F 00 00 90 EC 22 00  [...cG...........]
22EC7C 8E 48 3B 66 88 63 53 01 47 00 00 00 FF 7F 00 00  [.H.f.cS.G.......]
                                                                  :
                                                                  :
Peace to you all:all and Happy New Year full of health and Peace  :
+-----------------------------------------------------------------.











TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).


Site design & layout copyright © 1986-2025 AOH