CVE-2012-5691
Published: 2012-12-19
Priority: P259 · critical · CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 52.70% (98.8th percentile)
Buffer overflow in RealNetworks RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted RealMedia file.
Affected (44 ranges, 25 shown on the source page; only one carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realnetworks | realplayer | <= 16.0.0 | — |
Detection & IOCs (extracted from sources)
- Malicious RealMedia (.rm) files exploiting this vulnerability contain an [InternetShortcut] section with a URL= property padded to ~2312 bytes (double-click vector) or ~2964 bytes (drag-and-drop vector), followed by an SEH overwrite, triggering a stack-based buffer overflow in RealPlayer's GetPrivateProfileString handling.
- The SEH overwrite uses a pop/pop/ret gadget at 0x63f2b4b5 inside rpap3260.dll. The presence of this return address in an exception handler chain during RealPlayer execution is a strong exploit indicator.
- Exploit payload bad characters are \x00, \x0a and \x0d: shellcode in malicious .rm files will not contain null bytes, line feeds or carriage returns.
- The crafted .rm file must be delivered and opened via drag-and-drop or double-click; it will not trigger via the browser plugin or command-line invocation in the same way. Monitor for RealPlayer (realplay.exe) spawning child processes after opening .rm files from untrusted sources.
- The Metasploit module targets only Windows XP SP3 with RealPlayer 15.0.5.109; the hardcoded ROP gadget address (0x63f2b4b5 in rpap3260.dll) is version-specific and will not work reliably against other OS/RealPlayer combinations without retargeting.
- The ExitFunction is set to 'process', meaning successful exploitation terminates the RealPlayer process after payload execution; persistence via this vector alone is not maintained.
- The vulnerability affects RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 through 1.1.5; versions at or above 16.0.0.282 are not affected.
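A defender-side check for the first indicator above, added here as an example (not code from the advisory or from the Metasploit module): it flags RealMedia files whose [InternetShortcut] section carries a URL= value far longer than any real address. The 1024-byte threshold and the two sample inputs are constructed assumptions, not values from the page.

```python
import re

# Constructed sample inputs for this example (not real malware samples):
# a benign shortcut section and one whose URL= value is padded to the
# ~2312-byte length the IOCs above associate with the double-click vector.
BENIGN_RM = b"[InternetShortcut]\r\nURL=http://example.com/stream.rm\r\n"
SUSPICIOUS_RM = b"\x00" * 16 + b"[InternetShortcut]\r\nURL=" + b"A" * 2312 + b"\r\n"

# Assumed threshold (not from the advisory): genuine URL= values are a few
# hundred bytes at most, so anything longer is treated as padding.
MAX_URL_LEN = 1024

# An [InternetShortcut] header and its body, up to the next section header or EOF.
SECTION_RE = re.compile(rb"\[InternetShortcut\][ \t]*\r?\n(.*?)(?=\r?\n\[|\Z)", re.S | re.I)
# A URL= line inside that body (INI keys are matched case-insensitively).
URL_RE = re.compile(rb"^[ \t]*URL[ \t]*=(.*)$", re.I | re.M)


def longest_url_value(data: bytes) -> int:
    """Length in bytes of the longest URL= value in any [InternetShortcut]
    section of the file contents, or -1 if the file has no such section."""
    longest = -1
    for section in SECTION_RE.finditer(data):
        longest = max(longest, 0)  # section present, even if it has no URL= key
        for m in URL_RE.finditer(section.group(1)):
            longest = max(longest, len(m.group(1).strip()))
    return longest


def is_suspicious(data: bytes, max_url_len: int = MAX_URL_LEN) -> bool:
    """True when a .rm file carries an InternetShortcut URL= value long enough
    to be padding rather than an address."""
    return longest_url_value(data) > max_url_len


def scan_file(path: str) -> bool:
    """Read a file from disk and apply the same check."""
    with open(path, "rb") as fh:
        return is_suspicious(fh.read())


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RM), ("padded", SUSPICIOUS_RM)):
        print(f"{name}: longest URL= value {longest_url_value(blob)} bytes, "
              f"suspicious={is_suspicious(blob)}")
```

Because the check keys on an overlong URL= value rather than on the gadget address or a specific payload, it still fires on retargeted variants, at the cost of flagging any shortcut section that is padded for other reasons.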
No detection rules found.
Exploit-DB
RealPlayer - '.RealMedia' File Handling Buffer Overflow (Metasploit)
exploitdb · 2012-12-27 · CVE-2012-5691
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'RealPlayer RealMedia File Handling Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow on RealPlayer MSF_LICENSE,
'Author' =>
[
'suto ' # Vulnerability discovery, metasploit module
],
'References' =>
[
[ 'CVE', '2012-5691' ],
[ 'OSVDB', '88486' ],
[ 'BID', '56956' ],
[ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'pr
```
Metasploit
RealPlayer RealMedia File Handling Buffer Overflow
This module exploits a stack-based buffer overflow on RealPlayer <=15.0.6.14. The vulnerability exists in the handling of RealMedia files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag-and-drop or double-click methods. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109.
No writeups or analysis indexed.