Tested on: Win7 / Win10 x64
Date: October 20th 2016
Vendor homepage: http://www.real.com
Software link: http://realplayer-download.real.com/free/windows/installer/stubinst/stub/rt1/T10EUDRP/RealTimes-RealPlayer.exe
File version (both realplay.exe and qcpfformat.dll): 18.1.5.705
Exploit author: Alwin Peppels
Found with: Peach Fuzzer
Context:
eax=00000002 ebx=00000000 ecx=0d4cb9a0 edx=00000000 esi=00000000 edi=046abd0c
eip=534013dc esp=00d7e254 ebp=00d7e254 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
qcpfformat+0x13dc:
534013dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
Call stack:
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00d7e254 53401e92 00000000 00000000 0d4cb9a0 qcpfformat+0x13dc
01 00d7e2a4 53403342 046abd0c 80004005 00000000 qcpfformat+0x1e92
02 00d7e2d8 53402d37 1d26bbf0 74617276 534018a9 qcpfformat!RMACreateInstance+0xc62
03 00d7e308 534030cb 046abd0c 00000000 74617276 qcpfformat!RMACreateInstance+0x657
04 00d7e328 533e20f0 1ee51040 00000000 00000008 qcpfformat!RMACreateInstance+0x9eb
05 00d7e348 533e1da6 00000008 00d7e370 00000005 smplfsys+0x20f0
06 00d7e374 533e3582 00d7e394 00000000 00000000 smplfsys+0x1da6
07 00d7e38c 5340349f 00000000 00000008 00000000 smplfsys+0x3582
08 00d7e3b4 533e3cd9 00d7e3d0 0d4cb9a4 0d4cb9a4 qcpfformat!RMACreateInstance+0xdbf
09 00d7e3c8 53403597 00000000 00000000 00000000 smplfsys+0x3cd9
0a 00d7e444 533e283c 1d26bbf8 0d4cb9a4 0d4cb9a0 qcpfformat!RMACreateInstance+0xeb7
0b 00d7e460 53402c51 1d26bbf0 00000005 0d4cb9a0 smplfsys+0x283c
0c 00d7e488 57a8a692 1d190950 0ce86fd8 1d26bd48 qcpfformat!RMACreateInstance+0x571
0d 00d7e4f0 57a8adfd 0d49dd78 5865cb7c 00d7e528 mametadata!SetDLLAccessPath+0x18392
0e 00d7e568 585afd7c 0d4aca0c 046a2610 5865cb7c mametadata!SetDLLAccessPath+0x18afd
0f 00d7e5ac 585af1d0 1d26c088 00d7e5fc 00000000 rpcl3260!RMAShutdown+0x2584c
10 00d7e5c0 585ae90a 00000000 1d26c088 03ecd74c rpcl3260!RMAShutdown+0x24ca0
11 00d7e5d8 57c788ba 1d26c088 00d7e5fc 03ecd74c rpcl3260!RMAShutdown+0x243da
12 00d7e608 57c38009 1d26c088 00000002 1d26c088 rpmn3260!SetDLLAccessPath+0x58b1a
13 00d7e628 585bc25e 1d26c088 1d26c088 00000000 rpmn3260!SetDLLAccessPath+0x18269
Disassembly:
qcpfformat+0x13d0:
534013d0 55 push ebp
534013d1 8bec mov ebp,esp
534013d3 83794000 cmp dword ptr [ecx+40h],0
534013d7 8b5508 mov edx,dword ptr [ebp+8]
534013da 7422 je qcpfformat+0x13fe (534013fe)
534013dc 0fb64203 movzx eax,byte ptr [edx+3]
534013e0 0fb64a02 movzx ecx,byte ptr [edx+2]
534013e4 c1e008 shl eax,8
The edx register is being zeroed out by the move from ebp+8 at +13d7, causing the memory read at instruction 13dc to point to 0x00000003
In the analysis below the PoC files place in memory starts at 0b880012
Here the first VRAT tag (hex 76 72 61 74) is read in correctly the first time from 0b881044. As can be seen in the instructions above that, on the first iteration EBP is pointing at the tags but is quickly set to an address outside the file.
Breakpoint 1 hit
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d0 esp=00bce58c ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d1 esp=00bce588 ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d3 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce590=0b881044
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13da esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13dc esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:0b881047=74
0:000> t
eax=00000074 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e0:
54cd13e0 0fb64a02 movzx ecx,byte ptr [edx+2] ds:002b:0b881046=61
0:000> t
eax=00000074 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e4 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e4:
54cd13e4 c1e008 shl eax,8
0:000> t
eax=00007400 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13e7:
54cd13e7 0bc1 or eax,ecx
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e9 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e9:
54cd13e9 0fb64a01 movzx ecx,byte ptr [edx+1] ds:002b:0b881045=72
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13ed esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13ed:
54cd13ed c1e008 shl eax,8
0:000> t
eax=00746100 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f0:
54cd13f0 0bc1 or eax,ecx
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f2 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f2:
54cd13f2 0fb60a movzx ecx,byte ptr [edx] ds:002b:0b881044=76
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000076 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f5 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f5:
54cd13f5 c1e008 shl eax,8
So now both ESP and EBP are pointing outside the source file, causing the next iteration to read NULL into EDX, setting up the access violation:
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d0 esp=00bce4d0 ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d1 esp=00bce4cc ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d3 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d7 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce4d4=00000000
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13da esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13dc esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40617.zip