Posted on Leave a comment

GhostRAT Client Buffer Overflow Exploit

Hello aspiring hackers. Welcome back. Previously we have seen how to exploit vulnerabilities in C&C servers of some popular malware like Darkcomet and PoisonIvy RATs. Today we will see how to exploit a vulnerability in another popular RAT named GhostRAT and hack a system.

Gh0st RAT is a remote access trojan designed for the Windows platform which was used by operators of GhostNet to hack into some of the most sensitive computer networks. It is actually a cyber spying computer program. Every RAT has a command & control server also called controller.

This module exploits a buffer overflow vulnerability in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability allows a hacker to execute remote code on the target machine.

Its highly unlikely that you will find a system with Gh0stRAT command and control server installed during a pentest, but we can’t say anything. So imagine a scenario where I am port scanning a network for systems with port 80 open and find this machine.

Then I perform a verbose scan on this machine to know what exactly is running on port 80 and I get this.

In the ensuing research I find out that this is a GhostRAT Command and Control Server and there is a Metasploit module for this RAT. I am not yet sure if my target is running the vulnerable version of this RAT. So I fire up Metasploit and search for the module as shown below.

I load the exploit and check its options as shown below.

I set the target IP and use the “check” command to see if our target is vulnerable to this exploit. The target appears to be vulnerable. I execute the exploit using the “run” command and voila, I get a meterpreter session successfully as shown below.

I check the privileges and system information using “getuid” and “sysinfo” commands respectively.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.