CVE-2012-5691
published 2012-12-19

Priority: P2 (59), critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 52.70% (98.8th percentile)
Buffer overflow in RealNetworks RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted RealMedia file.

Affected (44 version ranges)

Vendor        Product     Version range   Fixed in
realnetworks  realplayer  <= 16.0.0

Detection & IOCs (extracted from sources)

filename: msf.rm
registry: [InternetShortcut]\nURL=
other: 0x63f2b4b5
  • Malicious RealMedia (.rm) files exploiting this vulnerability contain an [InternetShortcut] section with a URL= property padded to ~2312 bytes (double-click vector) or ~2964 bytes (drag-and-drop vector), followed by an SEH overwrite that triggers a stack-based buffer overflow in RealPlayer's GetPrivateProfileString handling.
  • The SEH overwrite uses a pop/pop/ret gadget at 0x63f2b4b5 inside rpap3260.dll. The presence of this return address in an exception handler chain during RealPlayer execution is a strong exploit indicator.
  • The exploit payload's bad characters are \x00, \x0a and \x0d, so shellcode in malicious .rm files will not contain null bytes, line feeds or carriage returns.
  • The crafted .rm file must be delivered and opened via drag-and-drop or double-click; it does not trigger in the same way via the browser plugin or command-line invocation. Monitor for RealPlayer (realplay.exe) spawning child processes after opening .rm files from untrusted sources.
  • The Metasploit module targets only Windows XP SP3 with RealPlayer 15.0.5.109; the hardcoded ROP gadget address (0x63f2b4b5 in rpap3260.dll) is version-specific and will not work reliably against other OS/RealPlayer combinations without retargeting.
  • The ExitFunction is set to 'process', meaning successful exploitation terminates the RealPlayer process after payload execution; this vector alone does not maintain post-exploitation persistence.
  • The vulnerability affects RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 through 1.1.5; versions at or above 16.0.0.282 are not affected.
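A file-level triage check for the first two indicators above, as an added example (not code from this page, from Metasploit or from RealNetworks): it measures the URL= value inside an [InternetShortcut] section and looks for the little-endian gadget address. The 1024-byte threshold, the 16-byte slack and the use of the ".RMF" magic as a benign-shape hint are my assumptions, and the sample inputs are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicator lengths from the bullets above: ~2312 bytes (double-click vector)
# and ~2964 bytes (drag-and-drop vector). LONG_URL and PAD_SLACK are assumed
# triage thresholds, not values from the page.
LONG_URL = 1024
PAD_SLACK = 16
KNOWN_PAD_LENGTHS = {2312: "double-click vector", 2964: "drag-and-drop vector"}
# pop/pop/ret gadget 0x63f2b4b5 in rpap3260.dll, little-endian as it would sit
# in the overwritten SEH record.
GADGET_LE = (0x63F2B4B5).to_bytes(4, "little")
URL_LINE = re.compile(rb"^\s*URL\s*=(.*)$", re.MULTILINE)

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def scan_rm(data: bytes) -> Verdict:
    # Flag .rm content matching the CVE-2012-5691 exploit shape.
    reasons = []
    has_ini = b"[InternetShortcut]" in data
    # A real RealMedia container begins with ".RMF"; an INI section in a file
    # without it is informational, not conclusive, on its own.
    if has_ini and not data.startswith(b".RMF"):
        reasons.append("InternetShortcut section in file lacking .RMF magic")
    longest = 0
    if has_ini:
        for m in URL_LINE.finditer(data):
            longest = max(longest, len(m.group(1).rstrip(b"\r")))
    if longest > LONG_URL:
        reasons.append(f"URL= value is {longest} bytes")
        for n, vector in KNOWN_PAD_LENGTHS.items():
            if abs(longest - n) <= PAD_SLACK:
                reasons.append(f"length matches {vector} padding (~{n} bytes)")
    if GADGET_LE in data:
        reasons.append("contains rpap3260.dll gadget 0x63f2b4b5 (little-endian)")
    return Verdict(longest > LONG_URL or GADGET_LE in data, reasons)

# Constructed samples: a normal shortcut-style file and one carrying only the
# oversized URL= value (no SEH record, no shellcode) to exercise the length check.
BENIGN = b"[InternetShortcut]\r\nURL=http://example.invalid/stream.rm\r\n"
OVERSIZED = b"[InternetShortcut]\r\nURL=" + b"A" * 2312 + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("oversized", OVERSIZED)):
        v = scan_rm(blob)
        print(name, "suspicious" if v.suspicious else "clean", v.reasons)
```

Run it over quarantined .rm attachments or mail-gateway extracts; a hit on the length check alone is a triage signal, while the gadget bytes on top of it match the specific Metasploit build described above.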