####################################################################### Luigi Auriemma Application: RealPlayer http://www.real.com Versions: <= 14.0.2.633 Platforms: Windows, Macintosh OSX, Linux, Symbian, Palm Bug: heap overflow Exploitation: remote Date: 21 Mar 2011 (found 17 Feb 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== RealPlayer is an ugly media player developed by RealNetwork and used mainly for its browser's plugin supporting the proprietary file formats of its developer. ####################################################################### ====== 2) Bug ====== Classical heap overflow during the handling of the IVR files caused by the allocation of a certain amount of data (frame size) decided by the attacker and the copying of another arbitrary amount on the same buffer. From rvrender.dll (base address 63AE0000): 63AF5C70 /$ 55 PUSH EBP 63AF5C71 |. 8BEC MOV EBP,ESP 63AF5C73 |. 83EC 20 SUB ESP,20 63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 63AF5C79 |. 56 PUSH ESI 63AF5C7A |. 57 PUSH EDI 63AF5C7B |. 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4] 63AF5C7E |. 8A07 MOV AL,BYTE PTR DS:[EDI] ; byte at offset 0x7800 of the PoC 63AF5C80 |. 24 E0 AND AL,0E0 63AF5C82 |. 33F6 XOR ESI,ESI 63AF5C84 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX 63AF5C87 |. 3C E0 CMP AL,0E0 ; (byte & 0xe0) == 0xe0 63AF5C89 |. 0F85 46010000 JNZ rvrender.63AF5DD5 63AF5C8F |. 8B0A MOV ECX,DWORD PTR DS:[EDX] ; 32bit value at offset 0x77f8 (allocation) 63AF5C91 |. 47 INC EDI 63AF5C92 |. 83E9 01 SUB ECX,1 63AF5C95 |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI 63AF5C98 |. 8975 E8 MOV DWORD PTR SS:[EBP-18],ESI 63AF5C9B |. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1 63AF5CA2 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX 63AF5CA5 |. 0F84 38010000 JE rvrender.63AF5DE3 63AF5CAB |. 53 PUSH EBX 63AF5CAC |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP] 63AF5CB0 |> 57 /PUSH EDI 63AF5CB1 |. 8D4D FC |LEA ECX,DWORD PTR SS:[EBP-4] 63AF5CB4 |. 51 |PUSH ECX 63AF5CB5 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18] 63AF5CB8 |. 52 |PUSH EDX 63AF5CB9 |. E8 92010000 |CALL rvrender.63AF5E50 63AF5CBE |. 03F8 |ADD EDI,EAX 63AF5CC0 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX 63AF5CC3 |. 66:0FB607 |MOVZX AX,BYTE PTR DS:[EDI] 63AF5CC7 |. 0FB7C8 |MOVZX ECX,AX 63AF5CCA |. 83C4 0C |ADD ESP,0C 63AF5CCD |. 84C9 |TEST CL,CL 63AF5CCF |. 79 0D |JNS SHORT rvrender.63AF5CDE 63AF5CD1 |. 83E1 7F |AND ECX,7F 63AF5CD4 |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX 63AF5CD7 |. B8 01000000 |MOV EAX,1 63AF5CDC |. EB 1E |JMP SHORT rvrender.63AF5CFC 63AF5CDE |> 66:0FB64F 01 |MOVZX CX,BYTE PTR DS:[EDI+1] 63AF5CE3 |. C1E0 08 |SHL EAX,8 63AF5CE6 |. 66:0BC8 |OR CX,AX 63AF5CE9 |. BA FF7F0000 |MOV EDX,7FFF 63AF5CEE |. 66:23CA |AND CX,DX 63AF5CF1 |. 0FB7C1 |MOVZX EAX,CX ; 16bit at offset 0x7805 63AF5CF4 |. 8945 F4 |MOV DWORD PTR SS:[EBP-C],EAX 63AF5CF7 |. B8 02000000 |MOV EAX,2 63AF5CFC |> 0FB7D8 |MOVZX EBX,AX 63AF5CFF |. 6A 18 |PUSH 18 63AF5D01 |. 03FB |ADD EDI,EBX 63AF5D03 |. E8 FC120000 |CALL 63AF5D08 |. 8BF0 |MOV ESI,EAX 63AF5D0A |. 83C4 04 |ADD ESP,4 63AF5D0D |. 85F6 |TEST ESI,ESI 63AF5D0F |. 74 7F |JE SHORT rvrender.63AF5D90 63AF5D11 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] 63AF5D14 |. 51 |PUSH ECX 63AF5D15 |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8] 63AF5D18 |. E8 D3F2FFFF |CALL rvrender.63AF4FF0 63AF5D1D |. 85C0 |TEST EAX,EAX 63AF5D1F |. 75 0B |JNZ SHORT rvrender.63AF5D2C 63AF5D21 |. 56 |PUSH ESI 63AF5D22 |. E8 E3120000 |CALL 63AF5D27 |. 83C4 04 |ADD ESP,4 63AF5D2A |. 33F6 |XOR ESI,ESI 63AF5D2C |> 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] 63AF5D2F |. 8B0A |MOV ECX,DWORD PTR DS:[EDX] 63AF5D31 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX] 63AF5D33 |. 8B40 0C |MOV EAX,DWORD PTR DS:[EAX+C] 63AF5D36 |. 8D55 E0 |LEA EDX,DWORD PTR SS:[EBP-20] 63AF5D39 |. 52 |PUSH EDX 63AF5D3A |. FFD0 |CALL EAX 63AF5D3C |. 8946 04 |MOV DWORD PTR DS:[ESI+4],EAX 63AF5D3F |. 85C0 |TEST EAX,EAX 63AF5D41 |. 74 4D |JE SHORT rvrender.63AF5D90 63AF5D43 |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8] 63AF5D46 |. 66:8B51 0C |MOV DX,WORD PTR DS:[ECX+C] 63AF5D4A |. 66:8956 0C |MOV WORD PTR DS:[ESI+C],DX 63AF5D4E |. 0FB755 F4 |MOVZX EDX,WORD PTR SS:[EBP-C] 63AF5D52 |. 0351 08 |ADD EDX,DWORD PTR DS:[ECX+8] 63AF5D55 |. 837D EC 00 |CMP DWORD PTR SS:[EBP-14],0 63AF5D59 |. 8956 08 |MOV DWORD PTR DS:[ESI+8],EDX 63AF5D5C |. 0FB749 0E |MOVZX ECX,WORD PTR DS:[ECX+E] 63AF5D60 |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX 63AF5D64 |. 75 0A |JNZ SHORT rvrender.63AF5D70 63AF5D66 |. 81E1 FDFF0000 |AND ECX,0FFFD 63AF5D6C |. 66:894E 0E |MOV WORD PTR DS:[ESI+E],CX 63AF5D70 |> C746 14 00000000 |MOV DWORD PTR DS:[ESI+14],0 63AF5D77 |. C706 00000000 |MOV DWORD PTR DS:[ESI],0 63AF5D7D |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] 63AF5D80 |. 51 |PUSH ECX ; 32bit at offset 0x7801 63AF5D81 |. 57 |PUSH EDI ; our data 63AF5D82 |. 50 |PUSH EAX ; heap buffer having the size got at 63AF5C8F 63AF5D83 |. E8 F8160000 |CALL ; memcpy 63AF5D88 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] 63AF5D8B |. 83C4 0C |ADD ESP,0C 63AF5D8E |. 8916 |MOV DWORD PTR DS:[ESI],EDX 63AF5D90 |> 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C] 63AF5D93 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] 63AF5D96 |. 8D140B |LEA EDX,DWORD PTR DS:[EBX+ECX] 63AF5D99 |. 8B5D F0 |MOV EBX,DWORD PTR SS:[EBP-10] 63AF5D9C |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8] 63AF5D9F |. 03D0 |ADD EDX,EAX 63AF5DA1 |. 2BDA |SUB EBX,EDX 63AF5DA3 |. 56 |PUSH ESI 63AF5DA4 |. 03F8 |ADD EDI,EAX 63AF5DA6 |. 895D F0 |MOV DWORD PTR SS:[EBP-10],EBX 63AF5DA9 |. E8 D2FCFFFF |CALL rvrender.63AF5A80 63AF5DAE |. 56 |PUSH ESI 63AF5DAF |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX 63AF5DB2 |. E8 53120000 |CALL 63AF5DB7 |. 83C4 04 |ADD ESP,4 63AF5DBA |. C745 EC 00000000 |MOV DWORD PTR SS:[EBP-14],0 63AF5DC1 |. 85DB |TEST EBX,EBX 63AF5DC3 |.^0F85 E7FEFFFF \JNZ rvrender.63AF5CB0 63AF5DC9 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] 63AF5DCC |. 5B POP EBX 63AF5DCD |. 5F POP EDI 63AF5DCE |. 5E POP ESI 63AF5DCF |. 8BE5 MOV ESP,EBP 63AF5DD1 |. 5D POP EBP 63AF5DD2 |. C2 0400 RETN 4 ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/real_5.zip the amount of data to copy is the 32bit big endian value located at offset 0x7801 of real_5.ivr. ####################################################################### ====== 4) Fix ====== No fix. #######################################################################