CVE-2010-3747
published 2010-10-19


Priority: P2 (59), critical
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 35.35% (98.2th percentile)
An ActiveX control in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, and RealPlayer Enterprise 2.1.2 does not properly initialize an unspecified object component during parsing of a CDDA URI, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer dereference and application crash) via a long URI.

Affected

17 ranges (vendor / product; the per-range version bounds and fixed-in versions were not captured in this extraction):

  • realnetworks / realplayer: 8 version ranges
  • realnetworks / realplayer_sp: 9 version ranges

Detection & IOCs (extracted from sources)

command: cdda://
other: 0x21212121
  • Detect abnormally long CDDA URIs passed to the RealPlayer ActiveX control; the exploit constructs a URI of the form 'cdda://' followed by 750 repetitions of a 4-byte return address (3000+ bytes total).
  • The exploit delivers a heap spray via JavaScript using unescape() with NOP sleds and shellcode, then calls DoPlay on the RealPlayer ActiveX object with the malicious CDDA URI; monitor for ActiveX DoPlay invocations with oversized cdda:// arguments in browser traffic.
  • The Metasploit module serves the exploit as Content-Type: text/html; network signatures should look for HTML responses containing both a cdda:// URI and JavaScript heap-spray patterns (unescape plus an array allocation loop).
  • The uninitialized pointer dereference is triggered via the instruction 'call [esi+45b]'; memory forensics or crash dumps showing EIP control at this call site indicate successful exploitation.
  • The Metasploit module randomizes all JavaScript variable names and the ActiveX object ID on each request, making static string-based signatures unreliable for those identifiers.
  • The return address used in the ret-slide is 0x21212121 for both listed targets ('Universal' targeting); this value is the same for RealPlayer SP 1.0–1.1.4 and RealPlayer 11.0–11.1, suggesting a heap spray rather than a precise ROP gadget. Detections based on this specific address pattern are valid for the Metasploit implementation, but custom exploits may differ.
  • Payload bad characters are limited to null bytes only ('\x00'), meaning most shellcode encoders will produce valid payloads; do not rely on null-byte filtering as a mitigation.