nerocg.blogg.se

Updates realplayer











RealPlayer is vulnerable to multiple stack-based buffer overflow vulnerabilities (CVE-2013-7260). This flaw allows attackers to execute arbitrary code and take complete control of the system remotely. Affected versions of RealPlayer are those before 17.0.4.61 on Windows systems.

The vulnerability is caused by the way the ‘version’ and ‘encoding’ attributes in the XML declaration of an RMP (RIFF MP3 Audio File) file are handled. If malicious data is placed in the ‘version’ or ‘encoding’ attribute inside the XML declaration of the RMP file, it can result in a crash or execution of arbitrary code.

Below is the view of the crafted RMP file in a hex editor, with a malicious value in the ‘version’ attribute. This large input to the ‘version’ attribute leads to a stack-based buffer overflow, so a carefully crafted malicious value can result in execution of arbitrary code.

Below is the figure showing the result of opening the crafted RMP file in Immunity Debugger. An exception is raised and the application jumps to the SEH chain. The pointer to the exception handler is overwritten with shell code (calculator shell code).

At this time, the state of ESP and the stack is:

The stack now consists of malicious code, if you replace the shell code with a malicious one. So the return instruction 641930CA will jump to 0012FDE4 (the stack), where our calculator shell code is located.
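A defensive pre-check for the condition described above, as an added example that is not from the original post: it reads the XML declaration of an RMP file and flags ‘version’ or ‘encoding’ values that are oversized, unterminated or non-printable. The function name, the 40-byte limit and the sample inputs are assumptions made for this example.

```python
import re

# Assumption: legitimate declaration values are short ("1.0", "UTF-8"),
# so anything longer than this is reported as suspicious.
MAX_ATTR_LEN = 40
DECL_START = re.compile(rb"<\?xml\b", re.IGNORECASE)
ATTR = re.compile(rb"\b(version|encoding)\s*=\s*([\"'])", re.IGNORECASE)

# Constructed sample inputs (filler bytes only, no payload).
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><PACKAGE></PACKAGE>'
OVERSIZED = b'<?xml version="' + b"A" * 5000 + b'" encoding="UTF-8"?>'
UNTERMINATED = b'<?xml version="' + b"B" * 64


def check_xml_declaration(data: bytes) -> list[str]:
    """Return findings for 'version'/'encoding' in the XML declaration."""
    start = DECL_START.search(data)
    if start is None:
        return ["no XML declaration found"]
    findings = []
    end = data.find(b"?>", start.end())
    if end == -1:
        findings.append("XML declaration is never terminated with '?>'")
        decl = data[start.end():]
    else:
        decl = data[start.end():end]
    pos = 0
    while (attr := ATTR.search(decl, pos)) is not None:
        name = attr.group(1).decode("ascii").lower()
        close = decl.find(attr.group(2), attr.end())
        if close == -1:
            # No closing quote: treat the rest of the declaration as the value.
            findings.append(f"{name}: value has no closing quote")
            value, pos = decl[attr.end():], len(decl)
        else:
            # Skip past the value so its content is not re-parsed as attributes.
            value, pos = decl[attr.end():close], close + 1
        if len(value) > MAX_ATTR_LEN:
            findings.append(f"{name}: value is {len(value)} bytes (limit {MAX_ATTR_LEN})")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"{name}: value contains non-printable bytes")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                          ("unterminated", UNTERMINATED)):
        print(label, check_xml_declaration(sample))
```

A check like this can run in a mail or web gateway before an RMP file reaches a vulnerable player; it complements updating RealPlayer to a fixed version and does not replace it.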









