CVE-2013-7260
published 2014-01-03

Priority: P2 · 62 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit known
EPSS: 66.88% (99.2nd percentile)
Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877.

Affected

45 ranges · showing 25

Vendor        Product     Version range   Fixed in
realnetworks  realplayer  <= 17.0.4.60

Detection & IOCs (extracted from sources)

filename: sploit.rmp
bytes: \xeb\x06\x90\x90 (nSEH: JMP 6 bytes short)
bytes: 0x5acceecd — ADD ESP,428 # RETN 10 [mswmdm.dll] (SEH overwrite)
bytes: ROP chain anchored at 0x77c1c552 (RETN ROP NOP, msvcrt.dll)
bytes: Shellcode bytes: \xb8\x2f\x9e\xa9\x6f\xdb\xdc\xd9\x74\x24\xf4\x5a... (windows/exec CMD=calc.exe, 395 bytes)
  • Trigger file is a specially crafted .RMP file containing an XML declaration with an oversized version or encoding attribute; look for .RMP files with XML declarations exceeding normal length bounds.
  • Exploit targets RealPlayer versions 16.0.3.51 and 16.0.2.32 on Windows; presence of these versions combined with .RMP file processing should be treated as high-risk.
  • Exploit uses a DEP bypass via ROP chain built entirely from msvcrt.dll gadgets, culminating in a VirtualProtect() call; monitor for RealPlayer spawning child processes or calling VirtualProtect on stack regions.
  • SEH-based exploitation path: two SEH overwrites are embedded in the payload (one for click-open at offset 1858+44, one for menu-open at offset 11052+44); detect structured exception handler chain corruption in RealPlayer process.
  • The overflow is triggered by the XML version or encoding declaration in an RMP file; YARA/AV rules should flag .RMP files containing an XML declaration (<?xml) with a version or encoding attribute value longer than ~44 bytes.
  • ROP gadget addresses (msvcrt.dll, mswmdm.dll) are hardcoded for specific Windows XP SP2/SP3 module base addresses and will not be reliable on other OS versions or with ASLR enabled.
  • The vulnerability affects RealPlayer before 17.0.4.61 on Windows and Mac RealPlayer before 12.0.1.1738; the public exploit specifically targets 16.0.3.51 and 16.0.2.32 and may require adaptation for other in-range versions.