#######################################################################

                             Luigi Auriemma

Application:  RealPlayer
              http://www.real.com
Versions:     <= 14.0.1.633
Platforms:    Windows, Macintosh OSX, Linux, Symbian and Palm
Bug:          heap overflow
Exploitation: remote
Date:         21 Mar 2011 (found 17 Feb 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################

====================
1) Introduction
====================

RealPlayer is an ugly media player developed by RealNetworks and used
mainly for its browser plugin supporting the proprietary file formats
of its developer.

#######################################################################
======
2) Bug
======
Classical heap overflow during the handling of IVR files, caused by
the allocation of a certain amount of data (frame size) decided by
the attacker followed by the copying of another, arbitrary amount of
data into the same buffer.

From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55               PUSH EBP
63AF5C71 |. 8BEC             MOV EBP,ESP
63AF5C73 |. 83EC 20          SUB ESP,20
63AF5C76 |. 8B55 08          MOV EDX,DWORD PTR SS:[EBP+8]
63AF5C79 |. 56               PUSH ESI
63AF5C7A |. 57               PUSH EDI
63AF5C7B |. 8B7A 04          MOV EDI,DWORD PTR DS:[EDX+4]
63AF5C7E |. 8A07             MOV AL,BYTE PTR DS:[EDI]            ; byte at offset 0x7800 of the PoC
63AF5C80 |. 24 E0            AND AL,0E0
63AF5C82 |. 33F6             XOR ESI,ESI
63AF5C84 |. 894D F8          MOV DWORD PTR SS:[EBP-8],ECX
63AF5C87 |. 3C E0            CMP AL,0E0                          ; (byte & 0xe0) = 0xe0
63AF5C89 |. 0F85 46010000    JNZ rvrender.63AF5DD5
63AF5C8F |. 8B0A             MOV ECX,DWORD PTR DS:[EDX]          ; 32bit value at offset 0x77f8 (allocation)
63AF5C91 |. 47               INC EDI
63AF5C92 |. 83E9 01          SUB ECX,1
63AF5C95 |. 8975 FC          MOV DWORD PTR SS:[EBP-4],ESI
63AF5C98 |. 8975 E8          MOV DWORD PTR SS:[EBP-18],ESI
63AF5C9B |. C745 EC 01000000 MOV DWORD PTR SS:[EBP-14],1
63AF5CA2 |. 894D F0          MOV DWORD PTR SS:[EBP-10],ECX
63AF5CA5 |. 0F84 38010000    JE rvrender.63AF5DE3
63AF5CAB |. 53               PUSH EBX
63AF5CAC |. 8D6424 00        LEA ESP,DWORD PTR SS:[ESP]
63AF5CB0 |> 57               /PUSH EDI
63AF5CB1 |. 8D4D FC          |LEA ECX,DWORD PTR SS:[EBP-4]
63AF5CB4 |. 51               |PUSH ECX
63AF5CB5 |. 8D55 E8          |LEA EDX,DWORD PTR SS:[EBP-18]
63AF5CB8 |. 52               |PUSH EDX
63AF5CB9 |. E8 92010000      |CALL rvrender.63AF5E50
63AF5CBE |. 03F8             |ADD EDI,EAX
63AF5CC0 |. 8945 E4          |MOV DWORD PTR SS:[EBP-1C],EAX
63AF5CC3 |. 66:0FB607        |MOVZX AX,BYTE PTR DS:[EDI]
63AF5CC7 |. 0FB7C8           |MOVZX ECX,AX
63AF5CCA |. 83C4 0C          |ADD ESP,0C
63AF5CCD |. 84C9             |TEST CL,CL
63AF5CCF |. 79 0D            |JNS SHORT rvrender.63AF5CDE
63AF5CD1 |. 83E1 7F          |AND ECX,7F
63AF5CD4 |. 894D F4          |MOV DWORD PTR SS:[EBP-C],ECX
63AF5CD7 |. B8 01000000      |MOV EAX,1
63AF5CDC |. EB 1E            |JMP SHORT rvrender.63AF5CFC
63AF5CDE |> 66:0FB64F 01     |MOVZX CX,BYTE PTR DS:[EDI+1]
63AF5CE3 |. C1E0 08          |SHL EAX,8
63AF5CE6 |. 66:0BC8          |OR CX,AX
63AF5CE9 |. BA FF7F0000      |MOV EDX,7FFF
63AF5CEE |. 66:23CA          |AND CX,DX
63AF5CF1 |. 0FB7C1           |MOVZX EAX,CX
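The allocation-versus-copy mismatch described in section 2, modelled as an added example (not code from rvrender.dll or from the author): the record layout, the field names and the MAX_FRAME_SIZE cap are assumptions made for illustration, and the check rejects the record before any heap allocation takes place.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed simplified record layout (illustration only, not the real IVR format):
 * [u32 LE frame_size][u8 type, (type & 0xE0) == 0xE0][u32 LE data_len][data ...]
 * Bug class under discussion: frame_size bytes are allocated, data_len bytes copied. */
#define HDR_LEN 9
#define MAX_FRAME_SIZE (16u * 1024 * 1024)   /* sanity cap, assumed value */

enum verdict { FRAME_OK = 0, NOT_A_FRAME, BAD_ALLOC_SIZE, TRUNCATED, OVERSIZED_COPY };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify a record before touching the heap. OVERSIZED_COPY is exactly the
 * condition the advisory describes: copy length larger than the allocated size. */
enum verdict ivr_frame_check(const uint8_t *in, size_t in_len) {
    if (in_len < HDR_LEN) return TRUNCATED;
    uint32_t frame_size = rd32le(in);
    uint32_t data_len   = rd32le(in + 5);
    if ((in[4] & 0xE0) != 0xE0) return NOT_A_FRAME;
    if (frame_size == 0 || frame_size > MAX_FRAME_SIZE) return BAD_ALLOC_SIZE;
    if (data_len > frame_size) return OVERSIZED_COPY;     /* the missing bound */
    if (data_len > in_len - HDR_LEN) return TRUNCATED;    /* over-read guard */
    return FRAME_OK;
}

/* Hardened reader: allocates and copies only after the check passes.
 * Returns a malloc'd buffer (caller frees) or NULL; *out_len gets the copied length. */
uint8_t *ivr_frame_read(const uint8_t *in, size_t in_len, size_t *out_len) {
    if (ivr_frame_check(in, in_len) != FRAME_OK) return NULL;
    uint32_t frame_size = rd32le(in), data_len = rd32le(in + 5);
    uint8_t *buf = calloc(frame_size, 1);
    if (!buf) return NULL;
    memcpy(buf, in + HDR_LEN, data_len);
    if (out_len) *out_len = data_len;
    return buf;
}

/* Constructed samples: a well-formed record, and one whose copy length (0x40)
 * exceeds its allocation (0x10), the shape that would overrun the heap chunk. */
const uint8_t SAMPLE_GOOD[] = { 0x10,0,0,0, 0xE3, 0x04,0,0,0, 'A','B','C','D' };
const uint8_t SAMPLE_BAD[]  = { 0x10,0,0,0, 0xE3, 0x40,0,0,0, 'A','B','C','D' };
const size_t SAMPLE_GOOD_LEN = sizeof SAMPLE_GOOD, SAMPLE_BAD_LEN = sizeof SAMPLE_BAD;
```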