CVE-2008-5664
Published: 2008-12-19
Priority: P2 · 58 · critical · CVSS 2.0: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.23% (98.3th percentile)
Stack-based buffer overflow in Realtek Media Player (aka Realtek Sound Manager, RtlRack, or rtlrack.exe) 1.15.0.0 allows remote attackers to execute arbitrary code via a crafted playlist (PLA) file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realtek | realtek_media_player | — | — |
Detection & IOCs (extracted from sources)
- bytes: EIP = \xEB\xBA\x3F\x7E (call ESP from user32.dll)
- bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30...
- Malicious payload is delivered via a crafted .PLA (playlist) file; monitor for rtlrack.exe opening PLA files from untrusted/remote sources.
- Exploit buffer uses 220 bytes of 0x41 ('A') padding before EIP overwrite; look for anomalously large, repetitive-byte PLA file content.
- EIP overwrite uses a 'call ESP' gadget from user32.dll at address 0x7E3FBAE8; presence of this return address in crash dumps or exploit traffic is a strong indicator.
- Metasploit module uses rand_text_alpha_upper(200) as the overflow buffer and targets msacm32.drv RET 0x72d12899; network delivery via HTTP with Content-Type text/plain should be monitored.
- Payload space is 550 bytes with null byte as only bad character; shellcode immediately follows NOP sled of 12 bytes after EIP overwrite.
- Vulnerable application version is RtlRack A4.06 / rtlrack.exe 1.15.0.0; presence of this binary version on a host indicates an unpatched system.
- The PoC EIP gadget (0x7E3FBAE8 / call ESP in user32.dll) and the Metasploit RET address (0x72d12899 in msacm32.drv) are version- and OS-specific; they apply only to Windows XP Pro with the exact DLL versions referenced.
- The standalone PoC was tested only on Windows XP Pro SP3 Italian; reliability on other SP levels or locales is not confirmed.
No detection rules found.
Exploit-DB
Realtek Media Player Playlist - Remote Buffer Overflow (Metasploit)
exploitdb·2010-11-24
---
##
# $Id: realtek_playlist.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Realtek Media Player Playlist Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.
When a Realtek Media Player client opens a specially crafted playlist, an
attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 11127 $',
Exploit-DB
Realtek Sound Manager (rtlrack.exe 1.15.0.0) - Playlist Buffer Overflow
exploitdb·2008-12-16
---
#usage: exploit.py
print "--------------------------------------------------------------------------"
print " Realtek Sound Manager (rtlrack.exe v. 1.15.0.0) PlayList Buffer Overflow\n"
print " url: http://www.realtek.com.tw/\n"
print " download: ftp://152.104.238.19/pc/audio/AP_A406.exe"
print " ftp://202.65.194.212/pc/audio/AP_A406.exe"
print " ftp://66.104.77.130/pc/audio/AP_A406.exe\n"
print " author: shinnai"
print " mail: shinnai[at]autistici[dot]org"
print " site: http://www.shinnai.net\n"
print " Tested on: Windows XP Pro SP3 Ita\n"
print " Greetings to:"
print " str0ke for being a friend as well as a great man\n"
print " In memory of rgod"
print "---------------------------------------------------------
Metasploit
Realtek Media Player Playlist Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06. When a Realtek Media Player client opens a specially crafted playlist, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://osvdb.org/50715
- http://secunia.com/advisories/33183
- http://securityreason.com/securityalert/4783
- http://www.securityfocus.com/bid/32860
- http://www.shinnai.net/xplits/TXT_n7dMz2jBQsDJFtplslYw.html
- http://www.vupen.com/english/advisories/2008/3446
- https://exchange.xforce.ibmcloud.com/vulnerabilities/47380
- https://www.exploit-db.com/exploits/7492